
Bug 628578 (CVE-2017-7557)

Summary: <net-dns/dnsdist-1.2.0: alteration of ACLs via API authentication bypass (CVE-2017-7557)
Product: Gentoo Security
Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: bgo, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1483867
See Also: https://bugs.gentoo.org/show_bug.cgi?id=628534
Whiteboard: ~3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 628534    
Bug Blocks:    

Description Aleksandr Wagner (Kivak) 2017-08-22 08:29:35 UTC
From $URL:

An issue has been found in dnsdist 1.1.0, in the API authentication mechanism. API methods should only be available to a user authenticated via an X-API-Key HTTP header, and not to a user authenticated on the webserver via Basic Authentication, but it was discovered by Nixu during a source code audit that dnsdist 1.1.0 allows access to all API methods to both kinds of users.

In the default configuration, the API does not provide access to more information than the webserver does, and therefore this issue has no security implication. However, if the API is allowed to make configuration changes, via the setAPIWritable(true) option, this allows a remote unauthenticated user to trick an authenticated user into editing dnsdist’s ACLs by making him visit a crafted website containing a Cross-Site Request Forgery.

Reference:

https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-02.html
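
The authorization rule quoted above, as a simplified model next to the flawed behaviour. This is an added example, not dnsdist's code or part of the original report; the credentials, the `/api/` prefix and the request path are constructed assumptions.

```python
import base64
import hmac

# Constructed credentials and paths (assumptions, not values from the advisory).
WEB_PASSWORD = "web-secret"
API_KEY = "api-secret"
API_PREFIX = "/api/"  # assumed prefix separating API methods from web pages

def basic_auth_ok(headers):
    """Check the password part of an 'Authorization: Basic' header."""
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    password = decoded.partition(":")[2]
    return hmac.compare_digest(password.encode(), WEB_PASSWORD.encode())

def api_key_ok(headers):
    """Check the X-API-Key header in constant time."""
    return hmac.compare_digest(headers.get("x-api-key", "").encode(), API_KEY.encode())

def authorize_flawed(path, headers):
    # Behaviour the advisory describes for 1.1.0: either credential opens every path.
    return basic_auth_ok(headers) or api_key_ok(headers)

def authorize_strict(path, headers):
    # Intended rule: API methods need X-API-Key; Basic auth covers web pages only.
    if path.startswith(API_PREFIX):
        return api_key_ok(headers)
    return basic_auth_ok(headers)

def basic_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"authorization": "Basic " + token}

# Constructed requests. A browser can replay cached Basic credentials on a
# cross-site request, but it does not add a custom X-API-Key header by itself.
BROWSER_CROSS_SITE = ("/api/hypothetical-acl-method", basic_header("admin", WEB_PASSWORD))
API_CLIENT = ("/api/hypothetical-acl-method", {"x-api-key": API_KEY})
WEB_PAGE = ("/", basic_header("admin", WEB_PASSWORD))

if __name__ == "__main__":
    for name, req in [("cross-site", BROWSER_CROSS_SITE), ("api client", API_CLIENT), ("web page", WEB_PAGE)]:
        print(name, authorize_flawed(*req), authorize_strict(*req))
```

Only the first request differs between the two functions: the Basic-authenticated API call is accepted by the flawed check and rejected by the strict one.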
Comment 1 Larry the Git Cow gentoo-dev 2017-10-28 09:53:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c50a5d191b47143338b15a86ce6e36fd1b7abca

commit 1c50a5d191b47143338b15a86ce6e36fd1b7abca
Author:     bgo <bgo@9dt.de>
AuthorDate: 2017-09-02 16:44:59 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-28 09:52:07 +0000

    net-dns/dnsdist: version bump to 1.2.0.
    
    Bug: https://bugs.gentoo.org/628534
    Bug: https://bugs.gentoo.org/628578
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 net-dns/dnsdist/Manifest             |  2 +-
 net-dns/dnsdist/dnsdist-1.2.0.ebuild | 86 ++++++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e40b9b455b925425198ed2d250fc997b3bc56b94

commit e40b9b455b925425198ed2d250fc997b3bc56b94
Author:     bgo <bgo@9dt.de>
AuthorDate: 2017-09-02 16:43:53 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-28 09:51:50 +0000

    net-dns/dnsdist: remove vulnerable version.
    
    CVE-2016-7069
    CVE-2017-7557
    
    Bug: https://bugs.gentoo.org/628534
    Bug: https://bugs.gentoo.org/628578
    
    Closes: https://github.com/gentoo/gentoo/pull/5596

 net-dns/dnsdist/dnsdist-1.1.0-r1.ebuild | 84 ---------------------------------
 1 file changed, 84 deletions(-)
Comment 2 Patrice Clement (RETIRED) gentoo-dev 2017-10-28 09:57:51 UTC
Stabilisation takes place in bug 628534.

Security team,

Please vote.