Bug 27400 - pdns-recursor new security issue CVE-2020-25829
Summary: pdns-recursor new security issue CVE-2020-25829
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-10-13 15:59 CEST by David Walser
Modified: 2020-10-24 19:53 CEST (History)
5 users (show)

See Also:
Source RPM: pdns-recursor-4.1.17-1.mga7.src.rpm
CVE: CVE-2020-25829
Status comment:


Attachments

Description David Walser 2020-10-13 15:59:24 CEST
Upstream has issued an advisory today (October 13):
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html

The issue is fixed upstream in 4.1.18 and 4.3.5:
https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.18
https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.5

Mageia 7 is also affected.
David Walser 2020-10-13 15:59:32 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Aurelien Oudelet 2020-10-14 18:31:05 CEST
Hi, thanks for reporting this bug.
Assigned to all package maintainers as no registered one.
Cc'ed recent commiters.
(Please set the status to 'assigned' if you are working on it)

CC: (none) => geiger.david68210
Assignee: bugsquad => pkg-bugs
Keywords: (none) => Triaged

Comment 2 Nicolas Salguero 2020-10-20 17:07:34 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5, and 4.3.x before 4.3.5. A remote attacker can cause the cached records for a given name to be updated to the Bogus DNSSEC validation state, instead of their actual DNSSEC Secure state, via a DNS ANY query. This results in a denial of service for installation that always validate (dnssec=validate), and for clients requesting validation when on-demand validation is enabled (dnssec=process). (CVE-2020-25829)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25829
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html
https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.18
========================

Updated package in core/updates_testing:
========================
pdns-recursor-4.1.18-1.mga7

from SRPM:
pdns-recursor-4.1.18-1.mga7.src.rpm

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-25829
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Source RPM: pdns-recursor-4.3.2-1.mga8.src.rpm => pdns-recursor-4.1.17-1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
Keywords: Triaged => (none)

Comment 3 Herman Viaene 2020-10-23 11:36:34 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues. Installing pdns in addition to follow test prodedure below.
Ref bug 26887 Comment 3 for testing
# systemctl  stop dnsmasq
Failed to stop dnsmasq.service: Unit dnsmasq.service not loaded.

# systemctl  start pdns

# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-10-23 11:29:31 CEST; 14s ago
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
 Main PID: 11717 (pdns_server)
    Tasks: 8 (limit: 4915)
   Memory: 4.5M
   CGroup: /system.slice/pdns.service
           └─11717 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no

Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: TCP server bound to 0.0.0.0:53
Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: TCPv6 server bound to [::]:53
Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: PowerDNS Authoritative Server 4.1.14 (C) 2001-2018 PowerDNS.COM BV
Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: Using 64-bits mode. Built using gcc 8.4.0.
Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it acco>
Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: Polled security status of version 4.1.14 at startup, no known issues reported: OK
Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: Creating backend connection for TCP
Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: About to create 3 backend threads for UDP
Oct 23 11:29:31 mach5.hviaene.thuis systemd[1]: Started PowerDNS Authoritative Server.
Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: Done launching threads, ready to distribute questions

# systemctl start pdns-recursor

# systemctl -l status pdns-recursor
● pdns-recursor.service - PowerDNS Recursor
   Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-10-23 11:30:12 CEST; 14s ago
     Docs: man:pdns_recursor(1)
           man:rec_control(1)
           https://doc.powerdns.com
 Main PID: 14454 (pdns_recursor)
    Tasks: 5 (limit: 4915)
   Memory: 4.4M
   CGroup: /system.slice/pdns-recursor.service
           └─14454 /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no

Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Listening for UDP queries on 127.0.0.1:5300
Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Enabled TCP data-ready filter for (slight) DoS protection
Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Listening for TCP queries on 127.0.0.1:5300
Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Set effective group id to 967
Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Set effective user id to 975
Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Launching 3 threads
Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Done priming cache with root hints
Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Enabled 'epoll' multiplexer
Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Done priming cache with root hints
Oct 23 11:30:12 mach5.hviaene.thuis systemd[1]: Started PowerDNS Recursor.

# netstat -pantu | grep pdns
tcp        0      0 127.0.0.1:5300          0.0.0.0:*               LISTEN      14454/pdns_recursor 
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      11717/pdns_server   
tcp6       0      0 :::53                   :::*                    LISTEN      11717/pdns_server   
udp        0      0 127.0.0.1:5300          0.0.0.0:*                           14454/pdns_recursor 
udp        0      0 0.0.0.0:53              0.0.0.0:*                           11717/pdns_server   
udp6       0      0 :::53                   :::*                                11717/pdns_server   

# dig mageia.org @127.0.0.1 -p 53

; <<>> DiG 9.11.6Mageia-1.1.mga7 <<>> mageia.org @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 48929
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct 23 11:31:22 CEST 2020
;; MSG SIZE  rcvd: 39


# systemctl stop pdns-recursor

# systemctl stop pdns

# nslookup mageia.org
Server:         212.71.0.33
Address:        212.71.0.33#53

Non-authoritative answer:
Name:   mageia.org
Address: 163.172.148.228
Name:   mageia.org
Address: 2001:bc8:628:1f00::1

All looks OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 4 Aurelien Oudelet 2020-10-23 12:02:20 CEST
Advisory pushed to SVN.

Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 5 Mageia Robot 2020-10-24 19:53:03 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0393.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.