Date: Sat, 8 Jul 2017 14:40:16 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: daniel.salzman@....cz, ondrej@...ian.org
Subject: Re: CVE for the TSIG issue in knot?

Hi

On Sat, Jun 24, 2017 at 02:28:20PM +0200, Solar Designer wrote:
> On Sat, Jun 24, 2017 at 01:58:23PM +0200, Yves-Alexis Perez wrote:
> > I noticed the recent issue in knot with TSIG bypass
> > (https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html)
> 
> It is inappropriate to post only a link in here.  In cases like this,
> please also quote at least the most essential portion of the content
> you're referring to, which is:
> 
> "CZ.NIC has released Knot DNS 2.5.2 and Knot DNS 2.4.5. Beside
> several fixes and improvements, these versions fix a flaw within the
> TSIG protocol implementation that would allow an attacker with a
> valid key name and algorithm to bypass the TSIG authentication if no
> additional ACL restrictions is set. This vulnerability was
> discovered by security experts from Synacktiv.  Special thanks to
> them!"

FTR, this issue has been assigned CVE-2017-11104.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11104

Regards,
Salvatore
