Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 644710 (CVE-2018-1000003) - <net-dns/pdns-recursor-4.1.1: Insufficient validation of DNSSEC signatures (CVE-2018-1000003)
Summary: <net-dns/pdns-recursor-4.1.1: Insufficient validation of DNSSEC signatures (C...
Alias: CVE-2018-1000003
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa cve]
Depends on:
Reported: 2018-01-15 22:20 UTC by Thomas Deutschmann
Modified: 2018-01-22 15:12 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2018-01-15 22:20:07 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-01-22 15:07:47 UTC
PowerDNS Security Advisory 2018-01: Insufficient validation of DNSSEC signatures¶

CVE: CVE-2018-1000003

Date: January 22nd 2018

Credit: CZ.NIC

Affects: PowerDNS Recursor 4.1.0

Not affected: PowerDNS Recursor < 4.1.0, 4.1.1

Severity: Low

Impact: Denial of existence spoofing

Exploit: This problem can be triggered by an attacker in position of man-in-the-middle

Risk of system compromise: No

Solution: Upgrade to a non-affected version

An issue has been found in the DNSSEC validation component of PowerDNS Recursor, allowing an ancestor delegation NSEC or NSEC3 record to be used to wrongfully prove the non-existence of a RR below the owner name of that record. This would allow an attacker in position of man-in-the-middle to send a NXDOMAIN answer for a name that does exist. This issue has been assigned CVE-2018-1000003.

PowerDNS Recursor 4.1.0 is affected.
Comment 2 Sven Wegener gentoo-dev 2018-01-22 15:09:00 UTC
I have committed 4.1.1 to the tree and removed the vulnerable 4.1.0.
Comment 3 Thomas Deutschmann gentoo-dev Security 2018-01-22 15:12:06 UTC
Only affects 4.1.0 which wasn't marked stable. Repository is clean. All done!