
Bug 872212 (CVE-2019-10190, CVE-2019-19331, CVE-2020-12667, CVE-2021-40083, CVE-2022-40188)

Summary: net-dns/knot: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: minor
CC: nemunaire, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.knot-resolver.cz/2022-09-21-knot-resolver-5.5.3.html
Whiteboard: B3 [ebuild]
Package list:
Runtime testing required: ---

Description by John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2022-09-21 14:54:47 UTC
"fix CPU-expensive DoS by malicious domains - CVE-2022-40188"

Please bump to 5.5.3.
Comment 1 by John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2022-09-21 15:11:36 UTC
CVE-2021-40083 (https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1169):

Knot Resolver before 5.3.2 is prone to an assertion failure, triggerable by a remote attacker in an edge case (NSEC3 with too many iterations used for a positive wildcard proof).

CVE-2020-12667 (https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/):
https://www.knot-resolver.cz/2020-05-19-knot-resolver-5.1.1.html

Knot Resolver before 5.1.1 allows traffic amplification via a crafted DNS answer from an attacker-controlled server, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.

CVE-2019-19331 (https://www.knot-resolver.cz/2019-12-04-knot-resolver-4.3.0.html):

knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).

CVE-2019-10190 (https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html):

A vulnerability was discovered in the DNS resolver component of knot resolver through version 3.2.0 before 4.1.0 which allows remote attackers to bypass DNSSEC validation for non-existence answers. An NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of sending a SERVFAIL packet. Caching is not affected by this particular bug, but see CVE-2019-10191.
Comment 2 by John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2022-09-21 15:12:51 UTC
Oh, is this invalid in the same way as bug 711420?
Comment 3 by Pierre-Olivier Mercier, 2022-09-21 20:31:01 UTC
Hi ajak!

I just checked those links; indeed, they only target knot-resolver. Our package net-dns/knot does not include the resolver project; it's just the authoritative part. We are not concerned!
Comment 4 by John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2022-09-21 20:34:34 UTC
Thanks for confirming!