Date: Wed, 4 Dec 2019 17:48:33 +0100 From: Vladimír Čunát <vladimir.cunat@....cz> To: oss-security@...ts.openwall.com, knot-resolver-announce@...ts.nic.cz Subject: [CVE-2019-19331] Knot Resolver 4.3.0 security release Hello everyone, here are some details on the vulnerability (fix) disclosed today. Impact ====== Some DNS packets might take even a few seconds to process with full CPU utilization, allowing DoS. Unembargo date ============== Wednesday 4th December 2019, afternoon GMT Fixes ===== Most of the issue can be mitigated by updating libknot dependency to >= 2.9.1. Otherwise a complete fix was released in Knot Resolver 4.3.0, which also does not require libknot update. The attached patches are applicable to recent releases (when doc diff is stripped). [Affected version (required)]: Knot Resolver <= 4.2.2 [Fixed version (optional)]: Knot Resolver 4.3.0 [Vulnerability type]: CWE-407: Inefficient Algorithmic Complexity [Impact of exploitation]: Denial of service through high CPU utilization. [Description of vulnerability]: DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (limit is 64kB). To execute an attack it is enough to: + own a rogue authoritative server or utilize an existing name with a huge RRset, and + trigger DNS query for that name from the resolver to be attacked Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None Scope (S): Unchanged Confidentiality (C): None Integrity (I): None Availability (A): High Technical Details: CWE-407 [Reference URL]: https://gitlab.labs.nic.cz/knot/knot-resolver/tags/v4.3.0 --Vladimir Content of type "text/html" skipped View attachment "big-rrset.patch" of type "text/plain" (14902 bytes) View attachment "cname-limit.patch" of type "text/x-patch" (3377 bytes) View attachment "big-rrset-abort.patch" of type "text/x-patch" (1340 bytes) Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.