Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 644710 (CVE-2018-1000003)

Summary: <net-dns/pdns-recursor-4.1.1: Insufficient validation of DNSSEC signatures (CVE-2018-1000003)
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: swegener
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html
Whiteboard: ~4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-15 22:20:07 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-22 15:07:47 UTC
PowerDNS Security Advisory 2018-01: Insufficient validation of DNSSEC signatures¶

CVE: CVE-2018-1000003

Date: January 22nd 2018

Credit: CZ.NIC

Affects: PowerDNS Recursor 4.1.0

Not affected: PowerDNS Recursor < 4.1.0, 4.1.1

Severity: Low

Impact: Denial of existence spoofing

Exploit: This problem can be triggered by an attacker in position of man-in-the-middle

Risk of system compromise: No

Solution: Upgrade to a non-affected version

An issue has been found in the DNSSEC validation component of PowerDNS Recursor, allowing an ancestor delegation NSEC or NSEC3 record to be used to wrongfully prove the non-existence of a RR below the owner name of that record. This would allow an attacker in position of man-in-the-middle to send a NXDOMAIN answer for a name that does exist. This issue has been assigned CVE-2018-1000003.

PowerDNS Recursor 4.1.0 is affected.
Comment 2 Sven Wegener gentoo-dev 2018-01-22 15:09:00 UTC
I have committed 4.1.1 to the tree and removed the vulnerable 4.1.0.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-22 15:12:06 UTC
Only affects 4.1.0 which wasn't marked stable. Repository is clean. All done!