26887 – pdns-recursor new security issue CVE-2020-14196

Bug 26887 - pdns-recursor new security issue CVE-2020-14196

Summary: pdns-recursor new security issue CVE-2020-14196

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	7
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA7-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2020-07-01 23:56 CEST by David Walser
Modified:	2020-07-07 15:48 CEST (History)
CC List:	5 users (show)

See Also:
Source RPM:	pdns-recursor-4.3.1-1.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-07-01 23:56:08 CEST

PowerDNS has issued an advisory today (July 1):
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html

The issue is fixed upstream in 4.1.17 and 4.3.2;
https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.2
https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.17

Mageia 7 is also affected.

David Walser 2020-07-01 23:56:25 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 4.1.17 and 4.3.2

Comment 1 David GEIGER 2020-07-02 15:53:12 CEST

Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-07-02 18:59:09 CEST

Advisory:
========================

Updated pdns-recursor package fixes security vulnerability:

An issue has been found in PowerDNS Recursor where the ACL applied to the
internal web server via webserver-allow-from is not properly enforced, allowing
a remote attacker to send HTTP queries to the internal web server, bypassing
the restriction (CVE-2020-14196).

In the default configuration the API webserver is not enabled. Only
installations using a non-default value for webserver and webserver-address are
affected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14196
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html
https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.17
========================

Updated packages in core/updates_testing:
========================
pdns-recursor-4.1.17-1.mga7

from pdns-recursor-4.1.17-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 4.1.17 and 4.3.2 => (none)
Version: Cauldron => 7

Comment 3 Herman Viaene 2020-07-06 14:51:01 CEST

MGA7-64 Plasma on Lenovo B50
No installation issues. Installing pdns in addition to follow test prodedure below.
Ref bug 24218 for testing.
# systemctl  stop dnsmasq
Failed to stop dnsmasq.service: Unit dnsmasq.service not loaded.

# systemctl  start pdns

# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-07-06 14:44:04 CEST; 12s ago
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
 Main PID: 23233 (pdns_server)
    Tasks: 8 (limit: 4915)
   Memory: 4.1M
   CGroup: /system.slice/pdns.service
           └─23233 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no

Jul 06 14:44:02 mach5.hviaene.thuis pdns_server[23233]: TCP server bound to 0.0.0.0:53
Jul 06 14:44:02 mach5.hviaene.thuis pdns_server[23233]: TCPv6 server bound to [::]:53
Jul 06 14:44:02 mach5.hviaene.thuis pdns_server[23233]: PowerDNS Authoritative Server 4.1.8 (C) 2001-2018 PowerDNS.COM BV
Jul 06 14:44:02 mach5.hviaene.thuis pdns_server[23233]: Using 64-bits mode. Built using gcc 8.3.1 20190510.
Jul 06 14:44:02 mach5.hviaene.thuis pdns_server[23233]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, an>
Jul 06 14:44:04 mach5.hviaene.thuis pdns_server[23233]: PowerDNS Security Update Mandatory: Upgrade now, see https://doc.powe>
Jul 06 14:44:04 mach5.hviaene.thuis pdns_server[23233]: Creating backend connection for TCP
Jul 06 14:44:04 mach5.hviaene.thuis pdns_server[23233]: About to create 3 backend threads for UDP
Jul 06 14:44:04 mach5.hviaene.thuis systemd[1]: Started PowerDNS Authoritative Server.
Jul 06 14:44:04 mach5.hviaene.thuis pdns_server[23233]: Done launching threads, ready to distribute questions

# systemctl start pdns-recursor

# systemctl -l status pdns-recursor
● pdns-recursor.service - PowerDNS Recursor
   Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-07-06 14:44:37 CEST; 12s ago
     Docs: man:pdns_recursor(1)
           man:rec_control(1)
           https://doc.powerdns.com
 Main PID: 25011 (pdns_recursor)
    Tasks: 5 (limit: 4915)
   Memory: 6.7M
   CGroup: /system.slice/pdns-recursor.service
           └─25011 /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no

Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Enabled TCP data-ready filter for (slight) DoS protection
Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Listening for TCP queries on 127.0.0.1:5300
Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Set effective group id to 967
Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Set effective user id to 975
Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Launching 3 threads
Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Done priming cache with root hints
Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Enabled 'epoll' multiplexer
Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Done priming cache with root hints
Jul 06 14:44:37 mach5.hviaene.thuis systemd[1]: Started PowerDNS Recursor.
Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Done priming cache with root hints

# netstat -pantu | grep pdns
tcp        0      0 127.0.0.1:5300          0.0.0.0:*               LISTEN      25011/pdns_recursor 
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      23233/pdns_server   
tcp6       0      0 :::53                   :::*                    LISTEN      23233/pdns_server   
udp        0      0 127.0.0.1:5300          0.0.0.0:*                           25011/pdns_recursor 
udp        0      0 0.0.0.0:53              0.0.0.0:*                           23233/pdns_server   
udp6       0      0 :::53                   :::*                                23233/pdns_server   

# dig mageia.org @127.0.0.1 -p 53

; <<>> DiG 9.11.6Mageia-1.1.mga7 <<>> mageia.org @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 43390
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jul 06 14:45:36 CEST 2020
;; MSG SIZE  rcvd: 39


# systemctl stop pdns-recursor

# systemctl stop pdns

# nslookup mageia.org
Server:         212.71.0.33
Address:        212.71.0.33#53

Non-authoritative answer:
Name:   mageia.org
Address: 163.172.148.228
Name:   mageia.org
Address: 2001:bc8:4400:2800::4115

All looks OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-07-07 12:40:20 CEST

Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-07-07 15:03:31 CEST

CC: (none) => mageia
Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-07-07 15:48:45 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0286.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.