| Summary: | <net-dns/pdns-recursor-4.1.1: Insufficient validation of DNSSEC signatures (CVE-2018-1000003) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | swegener |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html | ||
| Whiteboard: | ~4 [noglsa cve] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Thomas Deutschmann (RETIRED)
2018-01-15 22:20:07 UTC
PowerDNS Security Advisory 2018-01: Insufficient validation of DNSSEC signatures¶ CVE: CVE-2018-1000003 Date: January 22nd 2018 Credit: CZ.NIC Affects: PowerDNS Recursor 4.1.0 Not affected: PowerDNS Recursor < 4.1.0, 4.1.1 Severity: Low Impact: Denial of existence spoofing Exploit: This problem can be triggered by an attacker in position of man-in-the-middle Risk of system compromise: No Solution: Upgrade to a non-affected version An issue has been found in the DNSSEC validation component of PowerDNS Recursor, allowing an ancestor delegation NSEC or NSEC3 record to be used to wrongfully prove the non-existence of a RR below the owner name of that record. This would allow an attacker in position of man-in-the-middle to send a NXDOMAIN answer for a name that does exist. This issue has been assigned CVE-2018-1000003. PowerDNS Recursor 4.1.0 is affected. I have committed 4.1.1 to the tree and removed the vulnerable 4.1.0. Only affects 4.1.0 which wasn't marked stable. Repository is clean. All done! |