PowerDNS Security Advisories for dnsdist 2017-01 and 2017-02

[Remi Gacogne <remi.gacogne () powerdns com>]

Hi all,

Two security issues of low severity have been reported to us, and we
just released a new version of dnsdist, 1.2.0, addressing them:
- 2017-01: Crafted backend responses can cause a denial of service
- 2017-02: Alteration of ACLs via API authentication bypass

The full security advisories are provided below, and can also be
found at:
-
https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-01.html
-
https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-02.html

Minimal patches for 1.1.0 are available for those unable to fully upgrade:
- https://downloads.powerdns.com/patches/2017-01/
- https://downloads.powerdns.com/patches/2017-02/

Please feel free to contact me directly if you have any question.

- PowerDNS Security Advisory 2017-01 for dnsdist: Crafted backend
responses can cause a denial of service

CVE: CVE-2016-7069
Date: 2017-08-21
Credit: Guido Vranken
Affects: dnsdist up to and including 1.2.0 on 32-bit systems
Not affected: dnsdist 1.2.0, dnsdist on 64-bit (all versions)
Severity: Low
Impact: Degraded service or Denial of service
Exploit: This issue can be triggered by sending specially crafted
response packets from a backend
Risk of system compromise: No
Solution: Upgrade to a non-affected version
Workaround: Disable EDNS Client Subnet addition
An issue has been found in dnsdist in the way EDNS0 OPT records are
handled when parsing responses from a backend. When dnsdist is
configured to add EDNS Client Subnet to a query, the response may
contain an EDNS0 OPT record that has to be removed before forwarding the
response to the initial client. On a 32-bit system, the pointer
arithmetic used when parsing the received response to remove that record
might trigger an undefined behavior leading to a crash.

dnsdist up to and including 1.1.0 is affected on 32-bit systems. dnsdist
1.2.0 is not affected, dnsdist on 64-bit systems is not affected.

For those unable to upgrade to a new version, a minimal patch is
available for 1.1.0

We would like to thank Guido Vranken for finding and subsequently
reporting this issue.

- PowerDNS Security Advisory 2017-02 for dnsdist: Alteration of ACLs via
API authentication bypass
CVE: CVE-2017-7557
Date: 2017-08-21
Credit: Nixu
Affects: dnsdist 1.1.0
Not affected: dnsdist 1.0.0, 1.2.0
Severity: Low
Impact: Access restriction bypass
Exploit: This issue can be triggered by tricking an authenticated user
into visiting a crafted website
Risk of system compromise: No
Solution: Upgrade to a non-affected version
Workaround: Keep the API read-only (default) via setAPIWritable(false)
An issue has been found in dnsdist 1.1.0, in the API authentication
mechanism. API methods should only be available to a user authenticated
via an X-API-Key HTTP header, and not to a user authenticated on the
webserver via Basic Authentication, but it was discovered by Nixu during
a source code audit that dnsdist 1.1.0 allows access to all API methods
to both kind of users.

In the default configuration, the API does not provide access to more
information than the webserver does, and therefore this issue has no
security implication. However if the API is allowed to make
configuration changes, via the setAPIWritable(true) option, this allows
a remote unauthenticated user to trick an authenticated user into
editing dnsdist’s ACLs by making him visit a crafted website containing
a Cross-Site Request Forgery.

For those unable to upgrade to a new version, a minimal patch is
available for 1.1.0

-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

Attachment: signature.asc
Description: OpenPGP digital signature