From: Remi Gacogne Date: Tue, 24 Oct 2017 09:02:57 +0000 (+0200) Subject: Add advisories 2017-03, 2017-04, 2017-05, 2017-06 and 2017-07 X-Git-Tag: auth-4.1.0~17^2~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=20a220a3eb41c2c6d59a7eefd584dece27af643b;p=thirdparty%2Fpdns.git Add advisories 2017-03, 2017-04, 2017-05, 2017-06 and 2017-07 --- diff --git a/docs/security-advisories/powerdns-advisory-2017-04.rst b/docs/security-advisories/powerdns-advisory-2017-04.rst new file mode 100644 index 0000000000..4c4b321de2 --- /dev/null +++ b/docs/security-advisories/powerdns-advisory-2017-04.rst @@ -0,0 +1,32 @@ +PowerDNS Security Advisory 2017-04: Missing check on API operations +=================================================================== + +- CVE: CVE-2017-15091 +- Date: November 27th 2017 +- Credit: everyman +- Affects: PowerDNS Authoritative up to and including 4.0.4, 3.4.11 +- Not affected: PowerDNS Authoritative 4.0.5 +- Severity: Low +- Impact: Denial of service +- Exploit: This problem can be triggered by an attacker with valid + API credentials +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version + +An issue has been found in the API component of PowerDNS Authoritative, +where some operations that have an impact on the state of the server +are still allowed even though the API has been configured as read-only +via the +`api-readonly `__ +keyword. +This missing check allows an attacker with valid API credentials could flush +the cache, trigger a zone transfer or send a NOTIFY. This issue has been +assigned CVE-2017-15091. + +PowerDNS Authoritative up to and including 4.0.4 and 3.4.11 are affected. + +For those unable to upgrade to a new version, a minimal patch is +`available `__ + +We would like to thank everyman for finding and subsequently reporting +this issue. 
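Review bot: the sentence "This missing check allows an attacker with valid API credentials could flush the cache, trigger a zone transfer or send a NOTIFY" in powerdns-advisory-2017-04.rst mixes two constructions; make it "allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY". The Impact line says only "Denial of service", while the body lists triggering a zone transfer and sending a NOTIFY, which are state changes rather than outages; consider "Impact: Denial of service, unauthorized state changes" so the two agree. Also, the `api-readonly `__ and `available `__ hyperlinks show no target in this hunk; an anonymous RST hyperlink with an empty target does not render as a link, so check that both URLs are present before merging. Finally, Affects lists 3.4.11 but Not affected lists only 4.0.5; if no 3.4.x fix is planned, say so rather than leaving readers on 3.4 to expect one.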
diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2017-03.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2017-03.rst new file mode 100644 index 0000000000..c13a066d13 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2017-03.rst @@ -0,0 +1,28 @@ +PowerDNS Security Advisory 2017-03: Insufficient validation of DNSSEC signatures +================================================================================ + +- CVE: CVE-2017-15090 +- Date: November 27th 2017 +- Credit: Kees Monshouwer +- Affects: PowerDNS Recursor from 4.0.0 and up to and including 4.0.6 +- Not affected: PowerDNS Recursor < 4.0.0, 4.0.7 +- Severity: Medium +- Impact: Records manipulation +- Exploit: This problem can be triggered by an attacker in position of + man-in-the-middle +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version + +An issue has been found in the DNSSEC validation component of PowerDNS Recursor, +where the signatures might have been accepted as valid even if the signed data +was not in bailiwick of the DNSKEY used to sign it. This allows an attacker in +position of man-in-the-middle to alter the content of records by issuing a valid +signature for the crafted records. This issue has been assigned CVE-2017-15090. + +PowerDNS Recursor from 4.0.0 up to and including 4.0.6 are affected. + +For those unable to upgrade to a new version, a minimal patch is +`available `__ + +We would like to thank Kees Monshouwer for finding and subsequently reporting +this issue. diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2017-05.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2017-05.rst new file mode 100644 index 0000000000..5ab5e4703c --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2017-05.rst 
@@ -0,0 +1,27 @@ +PowerDNS Security Advisory 2017-05: Cross-Site Scripting in the web interface +============================================================================= + +- CVE: CVE-2017-15092 +- Date: November 27th 2017 +- Credit: Nixu, Chris Navarrete of Fortinet's Fortiguard Labs +- Affects: PowerDNS Recursor from 4.0.0 up to and including 4.0.6 +- Not affected: PowerDNS Recursor 4.0.7, 3.7.x +- Severity: Medium +- Impact: Alteration and denial of service of the web interface +- Exploit: This problem can be triggered by an attacker sending DNS queries + to the server +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version + +An issue has been found in the web interface of PowerDNS Recursor, where the +qname of DNS queries was displayed without any escaping, allowing a remote +attacker to inject HTML and Javascript code into the web interface, altering +the content. This issue has been assigned CVE-2017-15092. + +PowerDNS Recursor from 4.0.0 up to and including 4.0.6 are affected. + +For those unable to upgrade to a new version, a minimal patch is +`available `__ + +We would like to thank Nixu and Chris Navarrete of Fortinet's Fortiguard Labs +for independently finding and reporting this issue. diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2017-06.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2017-06.rst new file mode 100644 index 0000000000..635c7cf7e9 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2017-06.rst 
@@ -0,0 +1,33 @@ +PowerDNS Security Advisory 2017-06: Configuration file injection in the API +=========================================================================== + +- CVE: CVE-2017-15093 +- Date: November 27th 2017 +- Credit: Nixu +- Affects: PowerDNS Recursor up to and including 4.0.6, 3.7.4 +- Not affected: PowerDNS Recursor 4.0.7 +- Severity: Medium +- Impact: Alteration of configuration by an API user +- Exploit: This problem can be triggered by an attacker with valid API + credentials +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version +- Workaround: Disable the ability to alter the configuration via the API + by setting `api-config-dir` to an empty value (default), or set the API + read-only via the `api-readonly` setting. + +An issue has been found in the API of PowerDNS Recursor during a source code +audit by Nixu. When `api-config-dir` is set to a non-empty value, which is not +the case by default, the API allows an authorized user to update the Recursor's +ACL by adding and removing netmasks, and to configure forward zones. It was +discovered that the new netmask and IP addresses of forwarded zones were not +sufficiently validated, allowing an authenticated user to inject new +configuration directives into the Recursor's configuration. This issue has been +assigned CVE-2017-15093. + +PowerDNS Recursor up to and including 4.0.6 and 3.7.4 are affected. + +For those unable to upgrade to a new version, a minimal patch is +`available `__ + +We would like to thank Nixu for finding and subsequently reporting this issue. diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2017-07.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2017-07.rst new file mode 100644 index 0000000000..a8537ff0ca --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2017-07.rst 
@@ -0,0 +1,30 @@ +PowerDNS Security Advisory 2017-07: Memory leak in DNSSEC parsing +================================================================= + +- CVE: CVE-2017-15094 +- Date: November 27th 2017 +- Credit: Nixu +- Affects: PowerDNS Recursor from 4.0.0 up to and including 4.0.6 +- Not affected: PowerDNS Recursor 4.0.7 +- Severity: Medium +- Impact: Denial of service +- Exploit: This problem can be triggered by an authoritative server + sending crafted ECDSA DNSSEC keys to the Recursor. +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version +- Workaround: Disable DNSSEC validation by setting the `dnssec` parameter + to `off` or `process-no-validate` (default). + +An issue has been found in the DNSSEC parsing code of PowerDNS Recursor during +a code audit by Nixu, leading to a memory leak when parsing specially crafted +DNSSEC ECDSA keys. These keys are only parsed when validation is enabled by +setting `dnssec` to a value other than `off` or `process-no-validate` (default). +This issue has been assigned CVE-2017-15094. + +PowerDNS Recursor from 4.0.0 up to and including 4.0.6 are affected. + +For those unable to upgrade to a new version, a minimal patch is +`available `__ + +We would like to thank Nixu for finding and subsequently reporting +this issue.
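Review bot: "an attacker in position of man-in-the-middle" in powerdns-advisory-2017-03.rst (Exploit line and body) reads oddly; "an attacker in a man-in-the-middle position" or "an on-path attacker" is clearer. The body says signatures "might have been accepted as valid even if the signed data was not in bailiwick of the DNSKEY used to sign it" and then jumps to "alter the content of records by issuing a valid signature"; spell out the link, namely that a DNSKEY belonging to one zone could validate records for a zone it has no authority over, so an attacker holding any valid key could sign the crafted records. The Affects line says "from 4.0.0 and up to and including 4.0.6" while the body says "from 4.0.0 up to and including 4.0.6"; use one form. The `available `__ patch link has no target in this hunk.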
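Review bot: powerdns-advisory-2017-05.rst has no Workaround line, unlike 2017-06 and 2017-07 in this same patch, although the web interface is an optional component; consider adding one (for example disabling the web server or restricting which addresses may reach it) so operators who cannot upgrade have an option. The body only says the qname "was displayed without any escaping"; since the title calls this Cross-Site Scripting, state that the injected HTML and JavaScript runs in the browser of whoever views the web interface, which is what makes a query name from an unauthenticated sender a problem. "Javascript" should be "JavaScript". The `available `__ patch link has no target in this hunk.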
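Review bot: the body of powerdns-advisory-2017-06.rst switches between "an authorized user" and "an authenticated user" for the same attacker; use "an authenticated API user" throughout to match the Exploit line ("valid API credentials"). The Workaround line should parallel its verbs: "by setting `api-config-dir` to an empty value (default), or by setting the API read-only via the `api-readonly` setting". The settings `api-config-dir` and `api-readonly` are in single backticks, which in reStructuredText is interpreted text (rendered as italics, not code), whereas 2017-04 links the setting name; use double backticks or a link consistently across the five files. Affects lists 3.7.4 but Not affected lists only 4.0.7; if the 3.7 branch will not receive a fix, say so. The `available `__ patch link has no target in this hunk.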
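Review bot: the Exploit line of powerdns-advisory-2017-07.rst says "an authoritative server sending crafted ECDSA DNSSEC keys to the Recursor"; since the Recursor queries whichever authoritative server serves a name a client asks for, say whether the attacker only needs to control a zone (and get a client to look it up) or needs some more privileged position, because that affects how "Medium" is read. The Workaround disables DNSSEC validation outright, which removes the protection the 2017-03 advisory in this same patch depends on; mark it as a stop-gap until upgrade. `dnssec`, `off` and `process-no-validate` are single-backtick interpreted text in RST; use double backticks for literal setting names and values. The `available `__ patch link has no target in this hunk.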