Date: Mon, 21 Aug 2017 17:49:18 +0200 From: Remi Gacogne <remi.gacogne@...erdns.com> To: oss-security@...ts.openwall.com Subject: PowerDNS Security Advisories for dnsdist 2017-01 and 2017-02 Hi all, Two security issues of low severity have been reported to us, and we just released a new version of dnsdist, 1.2.0, addressing them: - 2017-01: Crafted backend responses can cause a denial of service - 2017-02: Alteration of ACLs via API authentication bypass The full security advisories are provided below, and can also be found at: - https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-01.html - https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-02.html Minimal patches for 1.1.0 are available for those unable to fully upgrade: - https://downloads.powerdns.com/patches/2017-01/ - https://downloads.powerdns.com/patches/2017-02/ Please feel free to contact me directly if you have any question. - PowerDNS Security Advisory 2017-01 for dnsdist: Crafted backend responses can cause a denial of service CVE: CVE-2016-7069 Date: 2017-08-21 Credit: Guido Vranken Affects: dnsdist up to and including 1.2.0 on 32-bit systems Not affected: dnsdist 1.2.0, dnsdist on 64-bit (all versions) Severity: Low Impact: Degraded service or Denial of service Exploit: This issue can be triggered by sending specially crafted response packets from a backend Risk of system compromise: No Solution: Upgrade to a non-affected version Workaround: Disable EDNS Client Subnet addition An issue has been found in dnsdist in the way EDNS0 OPT records are handled when parsing responses from a backend. When dnsdist is configured to add EDNS Client Subnet to a query, the response may contain an EDNS0 OPT record that has to be removed before forwarding the response to the initial client. On a 32-bit system, the pointer arithmetic used when parsing the received response to remove that record might trigger an undefined behavior leading to a crash. dnsdist up to and including 1.1.0 is affected on 32-bit systems. dnsdist 1.2.0 is not affected, dnsdist on 64-bit systems is not affected. For those unable to upgrade to a new version, a minimal patch is available for 1.1.0 We would like to thank Guido Vranken for finding and subsequently reporting this issue. - PowerDNS Security Advisory 2017-02 for dnsdist: Alteration of ACLs via API authentication bypass CVE: CVE-2017-7557 Date: 2017-08-21 Credit: Nixu Affects: dnsdist 1.1.0 Not affected: dnsdist 1.0.0, 1.2.0 Severity: Low Impact: Access restriction bypass Exploit: This issue can be triggered by tricking an authenticated user into visiting a crafted website Risk of system compromise: No Solution: Upgrade to a non-affected version Workaround: Keep the API read-only (default) via setAPIWritable(false) An issue has been found in dnsdist 1.1.0, in the API authentication mechanism. API methods should only be available to a user authenticated via an X-API-Key HTTP header, and not to a user authenticated on the webserver via Basic Authentication, but it was discovered by Nixu during a source code audit that dnsdist 1.1.0 allows access to all API methods to both kind of users. In the default configuration, the API does not provide access to more information than the webserver does, and therefore this issue has no security implication. However if the API is allowed to make configuration changes, via the setAPIWritable(true) option, this allows a remote unauthenticated user to trick an authenticated user into editing dnsdist’s ACLs by making him visit a crafted website containing a Cross-Site Request Forgery. For those unable to upgrade to a new version, a minimal patch is available for 1.1.0 -- Remi Gacogne PowerDNS.COM BV - https://www.powerdns.com/ Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ