
Bug 624256 (CVE-2017-11104)

Summary: <net-dns/knot-{2.4.5, 2.5.2}: bypass the TSIG authentication
Product: Gentoo Security
Reporter: Christopher Díaz Riveros (RETIRED) <chrisadr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: jstein, maintainer-needed, nemunaire, ondrej, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11104
Whiteboard: ~3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-08 13:40:45 UTC
CZ.NIC has released Knot DNS 2.5.2 and Knot DNS 2.4.5. Besides
several fixes and improvements, these versions fix a flaw within the
TSIG protocol implementation that would allow an attacker with a
valid key name and algorithm to bypass the TSIG authentication if no
additional ACL restrictions are set.

From $url:

References:

http://www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdf
https://bugs.debian.org/865678
https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html

Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-21 03:49:22 UTC
Ping

Maintainer, could you please confirm that the bug is fixed in the tree?

It seems that the bug was fixed in the next version (2.5.3 is the latest stable version right now) and the tree has 2.5.2.

Thanks

Comment 2 Jonas Stein gentoo-dev 2017-08-01 17:27:04 UTC
Unfortunately we had to drop the maintainer.

Comment 3 Pierre-Olivier Mercier 2017-08-23 13:35:28 UTC
Hi,

Indeed, this bug is fixed in the tree. There are only the 2.4.5 and 2.5.3 versions in the tree (which both include the fix in the upstream tarball).

Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-23 15:25:45 UTC
(In reply to Pierre-Olivier Mercier from comment #3)
> Hi,
> 
> Indeed, this bug is fixed in the tree. There are only 2.4.5 and 2.5.3
> versions in tree (which both include fix in upstream tarball).

Thank you for the info.

@Security I dropped to ~3 since there are no stable versions in the tree. Could you please confirm to be able to close the report?

Thanks

Gentoo Security Padawan
ChrisADR