Bug 628578 (CVE-2017-7557) - <net-dns/dnsdist-1.2.0: alteration of ACLs via API authentication bypass (CVE-2017-7557)
Status: RESOLVED FIXED
Alias: CVE-2017-7557
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on: CVE-2016-7069
Blocks:
Reported: 2017-08-22 08:29 UTC by Aleksandr Wagner (Kivak)
Modified: 2017-10-28 19:22 UTC

See Also:
Package list:
Runtime testing required: ---
Description Aleksandr Wagner (Kivak) 2017-08-22 08:29:35 UTC
From $URL:

An issue has been found in dnsdist 1.1.0, in the API authentication mechanism. API methods should only be available to a user authenticated via an X-API-Key HTTP header, and not to a user authenticated on the webserver via Basic Authentication, but it was discovered by Nixu during a source code audit that dnsdist 1.1.0 allows access to all API methods to both kinds of users.

In the default configuration, the API does not provide access to more information than the webserver does, and therefore this issue has no security implication. However if the API is allowed to make configuration changes, via the setAPIWritable(true) option, this allows a remote unauthenticated user to trick an authenticated user into editing dnsdist’s ACLs by making him visit a crafted website containing a Cross-Site Request Forgery.

Reference:

https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-02.html
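
The access rule the advisory describes, modelled in C++ as an added example (not dnsdist source code, and not part of the original report). The `/api/` path prefix, the type and function names, and the credential values are assumptions made for illustration. The distinction matters for CSRF because a browser replays cached Basic Authentication credentials on cross-site requests by itself, while a custom `X-API-Key` header is not attached automatically.

```cpp
#include <map>
#include <string>

// Simplified model of the webserver's access check; names are hypothetical.
struct Request {
    std::string path;                            // "/api/..." prefix is an assumption
    std::map<std::string, std::string> headers;  // header names stored lower-case
};

struct Credentials {
    std::string basicAuthHeader;  // expected Authorization value (constructed)
    std::string apiKey;           // expected X-API-Key value (constructed)
};

// Production code should compare secrets in constant time; plain == keeps the model short.
static bool headerMatches(const Request& r, const std::string& name, const std::string& expected) {
    auto it = r.headers.find(name);
    return !expected.empty() && it != r.headers.end() && it->second == expected;
}

static bool isApiPath(const Request& r) {
    return r.path.compare(0, 5, "/api/") == 0;
}

// Behaviour reported for 1.1.0: either credential opens every path, API included.
bool allowedFlawed(const Request& r, const Credentials& c) {
    return headerMatches(r, "authorization", c.basicAuthHeader) ||
           headerMatches(r, "x-api-key", c.apiKey);
}

// Intended behaviour: API methods require X-API-Key; Basic Auth covers only the web UI.
bool allowedIntended(const Request& r, const Credentials& c) {
    if (isApiPath(r)) {
        return headerMatches(r, "x-api-key", c.apiKey);
    }
    return headerMatches(r, "authorization", c.basicAuthHeader);
}

int main() {
    Credentials c{"Basic constructed-value", "constructed-key"};
    // Constructed request: API path carrying only the browser-supplied Basic Auth header.
    Request basicOnly{"/api/constructed", {{"authorization", "Basic constructed-value"}}};
    // Exit status 0 when the flawed check accepts it and the intended check rejects it.
    return (allowedFlawed(basicOnly, c) && !allowedIntended(basicOnly, c)) ? 0 : 1;
}
```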
Comment 1 Larry the Git Cow gentoo-dev 2017-10-28 09:53:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c50a5d191b47143338b15a86ce6e36fd1b7abca

commit 1c50a5d191b47143338b15a86ce6e36fd1b7abca
Author:     bgo <bgo@9dt.de>
AuthorDate: 2017-09-02 16:44:59 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-28 09:52:07 +0000

    net-dns/dnsdist: version bump to 1.2.0.
    
    Bug: https://bugs.gentoo.org/628534
    Bug: https://bugs.gentoo.org/628578
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 net-dns/dnsdist/Manifest             |  2 +-
 net-dns/dnsdist/dnsdist-1.2.0.ebuild | 86 ++++++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e40b9b455b925425198ed2d250fc997b3bc56b94

commit e40b9b455b925425198ed2d250fc997b3bc56b94
Author:     bgo <bgo@9dt.de>
AuthorDate: 2017-09-02 16:43:53 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-28 09:51:50 +0000

    net-dns/dnsdist: remove vulnerable version.
    
    CVE-2016-7069
    CVE-2017-7557
    
    Bug: https://bugs.gentoo.org/628534
    Bug: https://bugs.gentoo.org/628578
    
    Closes: https://github.com/gentoo/gentoo/pull/5596

 net-dns/dnsdist/dnsdist-1.1.0-r1.ebuild | 84 ---------------------------------
 1 file changed, 84 deletions(-)
Comment 2 Patrice Clement gentoo-dev 2017-10-28 09:57:51 UTC
Stabilisation takes place in bug 628534.

Security team,

Please vote.