Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 4 Dec 2019 17:48:33 +0100
From: Vladimír Čunát <vladimir.cunat@....cz>
To: oss-security@...ts.openwall.com, knot-resolver-announce@...ts.nic.cz
Subject: [CVE-2019-19331] Knot Resolver 4.3.0 security release

Hello everyone,
here are some details on the vulnerability (fix) disclosed today.

Impact
======
Some DNS packets might take even a few seconds to process with full CPU utilization, allowing DoS.

Unembargo date
==============
Wednesday 4th December 2019, afternoon GMT

Fixes
=====
Most of the issue can be mitigated by updating libknot dependency to >= 2.9.1.

Otherwise a complete fix was released in Knot Resolver 4.3.0, which also does not require libknot update.
The attached patches are applicable to recent releases (when doc diff is stripped).


[Affected version (required)]:
Knot Resolver <= 4.2.2

[Fixed version (optional)]:
Knot Resolver 4.3.0

[Vulnerability type]:
CWE-407: Inefficient Algorithmic Complexity

[Impact of exploitation]:
Denial of service through high CPU utilization.

[Description of vulnerability]:
DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message.  For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).

To execute an attack it is enough to:
+ own a rogue authoritative server or utilize an existing name with a huge RRset, and
+ trigger DNS query for that name from the resolver to be attacked


Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Technical Details:
CWE-407

[Reference URL]:
https://gitlab.labs.nic.cz/knot/knot-resolver/tags/v4.3.0

--Vladimir


Content of type "text/html" skipped

View attachment "big-rrset.patch" of type "text/plain" (14902 bytes)

View attachment "cname-limit.patch" of type "text/x-patch" (3377 bytes)

View attachment "big-rrset-abort.patch" of type "text/x-patch" (1340 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.