From e04aa6553e2458207fdeae2bff812ff5a27317a9 Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Mon, 21 Aug 2017 11:42:17 +0200 Subject: [PATCH] dnsdist: Add advisories 2017-01 and 2017-02 --- pdns/dnsdistdist/docs/index_TOC.rst | 1 + .../docs/security-advisories/index.rst | 11 ++++++++++ .../powerdns-advisory-for-dnsdist-2017-01.rst | 22 +++++++++++++++++++ .../powerdns-advisory-for-dnsdist-2017-02.rst | 20 +++++++++++++++++ 4 files changed, 54 insertions(+) create mode 100644 pdns/dnsdistdist/docs/security-advisories/index.rst create mode 100644 pdns/dnsdistdist/docs/security-advisories/powerdns-advisory-for-dnsdist-2017-01.rst create mode 100644 pdns/dnsdistdist/docs/security-advisories/powerdns-advisory-for-dnsdist-2017-02.rst diff --git a/pdns/dnsdistdist/docs/index_TOC.rst b/pdns/dnsdistdist/docs/index_TOC.rst index 3adb836a86..34510ad018 100644 --- a/pdns/dnsdistdist/docs/index_TOC.rst +++ b/pdns/dnsdistdist/docs/index_TOC.rst @@ -17,4 +17,5 @@ Table of Contents manpages/* changelog upgrade_guide + security-advisories/index glossary diff --git a/pdns/dnsdistdist/docs/security-advisories/index.rst b/pdns/dnsdistdist/docs/security-advisories/index.rst new file mode 100644 index 0000000000..973d1fdd8a --- /dev/null +++ b/pdns/dnsdistdist/docs/security-advisories/index.rst @@ -0,0 +1,11 @@ +Security Advisories +=================== +All security advisories for the DNSDist are listed here. + +.. toctree:: + :maxdepth: 1 + :glob: + :reversed: + + powerdns-advisory-for-dnsdist* + diff --git a/pdns/dnsdistdist/docs/security-advisories/powerdns-advisory-for-dnsdist-2017-01.rst b/pdns/dnsdistdist/docs/security-advisories/powerdns-advisory-for-dnsdist-2017-01.rst new file mode 100644 index 0000000000..e5b6b23f35 --- /dev/null +++ b/pdns/dnsdistdist/docs/security-advisories/powerdns-advisory-for-dnsdist-2017-01.rst 
@@ -0,0 +1,22 @@ +PowerDNS Security Advisory 2017-01 for dnsdist: Crafted backend responses can cause a denial of service +======================================================================================================= + +- CVE: CVE-2016-7069 +- Date: 2017-08-21 +- Credit: Guido Vranken +- Affects: dnsdist up to and including 1.2.0 on 32-bit systems +- Not affected: dnsdist 1.2.0, dnsdist on 64-bit (all versions) +- Severity: Low +- Impact: Degraded service or Denial of service +- Exploit: This issue can be triggered by sending specially crafted response packets from a backend +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version +- Workaround: Disable EDNS Client Subnet addition + +An issue has been found in dnsdist in the way EDNS0 OPT records are handled when parsing responses from a backend. When dnsdist is configured to add EDNS Client Subnet to a query, the response may contain an EDNS0 OPT record that has to be removed before forwarding the response to the initial client. On a 32-bit system, the pointer arithmetic used when parsing the received response to remove that record might trigger an undefined behavior leading to a crash. + +dnsdist up to and including 1.1.0 is affected on 32-bit systems. dnsdist 1.2.0 is not affected, dnsdist on 64-bit systems is not affected. + +For those unable to upgrade to a new version, a minimal patch is `available for 1.1.0 `__ + +We would like to thank Guido Vranken for finding and subsequently reporting this issue. diff --git a/pdns/dnsdistdist/docs/security-advisories/powerdns-advisory-for-dnsdist-2017-02.rst b/pdns/dnsdistdist/docs/security-advisories/powerdns-advisory-for-dnsdist-2017-02.rst new file mode 100644 index 0000000000..f97db314fb --- /dev/null +++ b/pdns/dnsdistdist/docs/security-advisories/powerdns-advisory-for-dnsdist-2017-02.rst 
@@ -0,0 +1,20 @@ +PowerDNS Security Advisory 2017-02 for dnsdist: Alteration of ACLs via API authentication bypass +================================================================================================ + +- CVE: CVE-2017-7557 +- Date: 2017-08-21 +- Credit: Nixu +- Affects: dnsdist 1.1.0 +- Not affected: dnsdist 1.0.0, 1.2.0 +- Severity: Low +- Impact: Access restriction bypass +- Exploit: This issue can be triggered by tricking an authenticated user into visiting a crafted website +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version +- Workaround: Keep the API read-only (default) via setAPIWritable(false) + +An issue has been found in dnsdist 1.1.0, in the API authentication mechanism. API methods should only be available to a user authenticated via an X-API-Key HTTP header, and not to a user authenticated on the webserver via Basic Authentication, but it was discovered by Nixu during a source code audit that dnsdist 1.1.0 allows access to all API methods to both kind of users. + +In the default configuration, the API does not provide access to more information than the webserver does, and therefore this issue has no security implication. However if the API is allowed to make configuration changes, via the setAPIWritable(true) option, this allows a remote unauthenticated user to trick an authenticated user into editing dnsdist's ACLs by making him visit a crafted website containing a Cross-Site Request Forgery. + +For those unable to upgrade to a new version, a minimal patch is `available for 1.1.0 `__ -- 2.47.2
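Review bot: In the new pdns/dnsdistdist/docs/security-advisories/index.rst the intro line reads "All security advisories for the DNSDist are listed here." The spurious article and the capitalisation do not match the rest of this patch, which writes the name as lowercase "dnsdist" in both advisory titles and bodies; suggest "All security advisories for dnsdist are listed here."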
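Review bot: The "Affects" line of powerdns-advisory-for-dnsdist-2017-01.rst contradicts the rest of the advisory: it says "Affects: dnsdist up to and including 1.2.0 on 32-bit systems", but the very next line says "Not affected: dnsdist 1.2.0" and the body states "dnsdist up to and including 1.1.0 is affected on 32-bit systems." Change it to "- Affects: dnsdist up to and including 1.1.0 on 32-bit systems" so the summary matches the body and the patch being offered for 1.1.0. Also, the anonymous hyperlink reference "`available for 1.1.0 `__" shows no "<URL>" target in the hunk; an anonymous reference without a target makes docutils report a hyperlink mismatch, so confirm the target is present in the committed file.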
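Review bot: Two grammar fixes in the body of powerdns-advisory-for-dnsdist-2017-02.rst: "allows access to all API methods to both kind of users" should be "both kinds of users", and "by making him visit a crafted website containing a Cross-Site Request Forgery" should be "by making them visit a crafted website containing a Cross-Site Request Forgery". For consistency with 2017-01, which closes with a thank-you to the reporter, consider ending this advisory with the same acknowledgement of Nixu. The "`available for 1.1.0 `__" reference here has the same missing-target question as in 2017-01.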