Bug 872212 (CVE-2019-10190, CVE-2019-19331, CVE-2020-12667, CVE-2021-40083, CVE-2022-40188) - net-dns/knot: multiple vulnerabilities
Summary: net-dns/knot: multiple vulnerabilities
Status: RESOLVED INVALID
Alias: CVE-2019-10190, CVE-2019-19331, CVE-2020-12667, CVE-2021-40083, CVE-2022-40188
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.knot-resolver.cz/2022-09-...
Whiteboard: B3 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-09-21 14:54 UTC by John Helmert III
Modified: 2022-09-21 20:34 UTC (History)
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-21 14:54:47 UTC
"fix CPU-expensive DoS by malicious domains - CVE-2022-40188"

Please bump to 5.5.3.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-21 15:11:36 UTC
CVE-2021-40083 (https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1169):

Knot Resolver before 5.3.2 is prone to an assertion failure, triggerable by a remote attacker in an edge case (NSEC3 with too many iterations used for a positive wildcard proof).

CVE-2020-12667 (https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/):
https://www.knot-resolver.cz/2020-05-19-knot-resolver-5.1.1.html

Knot Resolver before 5.1.1 allows traffic amplification via a crafted DNS answer from an attacker-controlled server, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.

CVE-2019-19331 (https://www.knot-resolver.cz/2019-12-04-knot-resolver-4.3.0.html):

knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).

CVE-2019-10190 (https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html):

A vulnerability was discovered in the DNS resolver component of Knot Resolver through version 3.2.0 before 4.1.0, which allows remote attackers to bypass DNSSEC validation for non-existence answers. An NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of a SERVFAIL packet being sent. Caching is not affected by this particular bug, but see CVE-2019-10191.
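The three resolver-side CVEs quoted above (CVE-2020-12667, CVE-2021-40083, CVE-2019-19331) all hinge on the shape of a reply a resolver receives: a referral with many unglued NS names, an NSEC3 record with an extreme iteration count, or a reply stuffed with thousands of resource records. The following is an added example, not code from this bug or from the Knot projects: a small DNS wire-format parser plus a triage function that flags those three shapes from a defender's side, so they can be logged or refused before expensive processing. The record types and wire layout are the standard ones; the thresholds (`max_rrs`, `max_nsec3_iterations`, `max_unglued_ns`) and all sample replies are constructed assumptions, not Knot's own limits.

```python
"""Added example (not from the bug or from Knot): triage a DNS reply for the
answer shapes behind the resolver CPU/amplification CVEs listed above."""
import struct

# Standard IANA RR TYPE codes used below.
TYPE_A, TYPE_NS, TYPE_NSEC3 = 1, 2, 50


def read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed domain name at `off`; return (name, next offset)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            if not jumped:
                end = off + 2                     # caller resumes after the pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 64:                         # refuse pointer loops instead of spinning
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_message(msg: bytes) -> dict:
    """Parse header, question and RR sections; RRs are (owner, type, rdata_off, rdlen)."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                  # skip QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for name, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[name].append((owner, rtype, off, rdlen))
            off += rdlen
    return sections


def triage_reply(msg: bytes, max_rrs: int = 1000, max_nsec3_iterations: int = 150,
                 max_unglued_ns: int = 20) -> list:
    """Return findings as strings; empty list means nothing suspicious.
    Thresholds are illustrative assumptions, not values from any resolver."""
    secs = parse_message(msg)
    findings = []
    total = sum(len(v) for v in secs.values())
    if total > max_rrs:                           # CVE-2019-19331 shape: huge RR count
        findings.append(f"{total} resource records in one reply (limit {max_rrs})")
    for owner, rtype, rd_off, rdlen in secs["answer"] + secs["authority"]:
        if rtype == TYPE_NSEC3 and rdlen >= 4:    # CVE-2021-40083 shape: NSEC3 iterations
            iterations = struct.unpack("!H", msg[rd_off + 2:rd_off + 4])[0]
            if iterations > max_nsec3_iterations:
                findings.append(f"NSEC3 at {owner} uses {iterations} iterations "
                                f"(limit {max_nsec3_iterations})")
    glued = {owner for owner, rtype, _, _ in secs["additional"] if rtype == TYPE_A}
    unglued = {read_name(msg, rd_off)[0] for _, rtype, rd_off, _ in secs["authority"]
               if rtype == TYPE_NS} - glued       # CVE-2020-12667 shape: NS names without glue
    if len(unglued) > max_unglued_ns:
        findings.append(f"{len(unglued)} NS targets without glue in one referral "
                        f"(limit {max_unglued_ns})")
    return findings


def encode_name(name: str) -> bytes:
    """Uncompressed wire encoding of a domain name (used only to build samples)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_reply(qname: str, answer=(), authority=(), additional=()) -> bytes:
    """Minimal encoder for constructed test replies; RRs are (owner, type, rdata)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(answer), len(authority), len(additional))
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for owner, rtype, rdata in (*answer, *authority, *additional):
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + body


# Constructed samples (example.test is a placeholder zone, not a real target).
CLEAN = build_reply("www.example.test.", answer=[("www.example.test.", TYPE_A, bytes([192, 0, 2, 1]))])
REFERRAL = build_reply("www.example.test.", authority=[
    ("example.test.", TYPE_NS, encode_name(f"ns{i}.example.test.")) for i in range(40)])
NSEC3_RDATA = b"\x01\x00" + struct.pack("!H", 2500) + b"\x00" + b"\x14" + bytes(20)
HIGH_ITER = build_reply("nope.example.test.", authority=[("abc.example.test.", TYPE_NSEC3, NSEC3_RDATA)])
HUGE = build_reply("big.example.test.", answer=[
    ("big.example.test.", TYPE_A, bytes([10, 0, i >> 8, i & 0xFF])) for i in range(1200)])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("referral", REFERRAL), ("nsec3", HIGH_ITER), ("huge", HUGE)):
        print(label, triage_reply(sample))
```

The checks run on the parsed reply before any validation or recursion work starts, which is the point: an operator can log the finding and, for the NSEC3 and referral cases, treat the answer as insecure or cap the fan-out rather than spending CPU on it. The fourth CVE in the list (CVE-2019-10190) is a validation-result handling bug rather than an answer shape, so it is not covered by this triage.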
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-21 15:12:51 UTC
Oh, is this invalid in the same way as bug 711420?
Comment 3 Pierre-Olivier Mercier 2022-09-21 20:31:01 UTC
Hi ajak!

I just checked those links; indeed they only target knot-resolver. Our package net-dns/knot does not include the resolver project; it's just the authoritative part. We are not concerned!
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-21 20:34:34 UTC
Thanks for confirming!