Bug 2222672 (CVE-2023-7008)

Summary: CVE-2023-7008 systemd-resolved: Unsigned name response in signed zone is not refused when DNSSEC=yes
Product: [Other] Security Response
Reporter: Zack Miele <zmiele>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aazores, carnil, chazlett, dfreiber, eaguilar, ebaron, jburrell, jkang, jpallich, lnykryn, luca.boccassi, msekleta, pemensik, pjindal, rogbas, sfroberg, systemd-maint, vkumar, zjedrzej
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: systemd-25X
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.
Bug Depends On: 2222674, 2222675, 2222676, 2255718
Bug Blocks: 2222260, 2222673

Description Zack Miele 2023-07-13 12:43:01 UTC
systemd-resolved accepts records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

Comment 3 Lukáš Nykrýn 2023-07-13 13:56:54 UTC
I think in rhel we need to document that the dnssec validation in systemd-resolved is not the validation that you expect.

Basically, the behaviour is good for, for example, showing a semaphore in a browser that will say validated/no clue/wrong when you use the resolved D-Bus API.
For more traditional uses, it is unusable. Maybe with DNSOverTLS you would be fine.

Also, we can create an insight rule to warn about this.

Comment 4 Petr Menšík 2023-09-13 18:56:06 UTC
No, I do not think DNSOverTLS fixes the issue. It does not protect against spoofing, which is the purpose of DNSSEC. It does not protect signed zones such as fedoraproject.org. If you want to spoof anything, you just strip signatures and provide any value you want.

It should be properly documented until it is fixed properly. This behaviour might be acceptable for DNSSEC=allow-downgrade, if the accepted name were marked somehow. But for DNSSEC=yes I am quite sure this is not wanted behaviour. No documentation will help.

A semaphore in the browser is useless if the remote attacker is able to disable it at will or disable validation only for selected hosts. One page usually consists of many hostnames serving different kinds of resources. A single indicator for the whole site would not help.
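To make the distinction in the description and in comment 4 concrete, here is an added example that models the acceptance decision for an answer with no RRSIG under the three DNSSEC= modes. It is not systemd-resolved's code; `DS_TABLE`, `Response`, `validate_reported` and `validate_expected` are constructed for this illustration, and the cryptographic RRSIG check is assumed to have happened elsewhere (the `rrsig_valid` flag). `validate_reported` mirrors the reported behaviour (an unsigned answer is taken as insecure regardless of zone); `validate_expected` refuses it when the zone is signed and DNSSEC=yes, and treats the allow-downgrade tolerance comment 4 mentions as an explicitly insecure result rather than a validated one.

```python
from dataclasses import dataclass
from enum import Enum


class DnssecMode(Enum):
    """resolved.conf DNSSEC= values discussed in this bug."""
    NO = "no"
    ALLOW_DOWNGRADE = "allow-downgrade"
    YES = "yes"


class Verdict(Enum):
    SECURE = "secure"      # signature present and cryptographically valid
    INSECURE = "insecure"  # accepted without validation (zone unsigned or downgraded)
    BOGUS = "bogus"        # answer must be refused


@dataclass
class Response:
    name: str                  # owner name of the answer RRset
    rdata: str                 # record contents (constructed sample values below)
    has_rrsig: bool            # did the upstream response carry an RRSIG for the RRset?
    rrsig_valid: bool = False  # result of the cryptographic check, assumed done elsewhere


# Constructed stand-in for the DS lookups a validator performs in parent zones:
# True = a DS exists, so the zone is signed; False = provably unsigned.
# Anything not listed counts as "lookup failed" (None).
DS_TABLE = {
    "fedoraproject.org": True,   # signed zone named in comment 4
    "example.test": False,       # constructed unsigned zone
}


def zone_is_signed(name):
    """Walk from the full name up towards the root and return the signedness of
    the closest enclosing zone we have DS knowledge for, or None if we have none."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in DS_TABLE:
            return DS_TABLE[zone]
    return None


def validate_reported(resp, mode):
    """The behaviour this bug reports: an unsigned answer is accepted as
    insecure without asking whether its zone is signed, whatever DNSSEC= says."""
    if mode is DnssecMode.NO:
        return Verdict.INSECURE
    if resp.has_rrsig:
        return Verdict.SECURE if resp.rrsig_valid else Verdict.BOGUS
    return Verdict.INSECURE


def validate_expected(resp, mode):
    """What DNSSEC=yes is expected to do: an unsigned answer is acceptable only
    when the zone is proven unsigned; in a signed (or unknown) zone it is bogus."""
    if mode is DnssecMode.NO:
        return Verdict.INSECURE
    if resp.has_rrsig:
        return Verdict.SECURE if resp.rrsig_valid else Verdict.BOGUS
    signed = zone_is_signed(resp.name)
    if signed is False:
        return Verdict.INSECURE   # provably unsigned zone: insecure is the correct status
    if mode is DnssecMode.ALLOW_DOWNGRADE:
        # Modelling choice taken from comment 4: a downgrade may be tolerated
        # here, but only as an explicitly insecure answer, never as validated.
        return Verdict.INSECURE
    # DNSSEC=yes: a signed zone (or one whose DS lookup failed) with no
    # signature on the answer is refused.
    return Verdict.BOGUS


if __name__ == "__main__":
    # Constructed sample: an answer in a signed zone whose RRSIG was stripped.
    stripped = Response("www.fedoraproject.org", "192.0.2.1", has_rrsig=False)
    print("reported:", validate_reported(stripped, DnssecMode.YES).value)
    print("expected:", validate_expected(stripped, DnssecMode.YES).value)
```

The only difference between the two validators is the DS question: whether a missing signature is checked against the zone's signedness at all. That single check is what separates "insecure because the zone is unsigned" from "bogus because someone removed the signatures", and it is also the check an Insights-style rule would want to confirm is active before trusting a `DNSSEC=yes` configuration.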

Comment 5 Salvatore Bonaccorso 2023-12-22 07:29:48 UTC
This seems related to https://github.com/systemd/systemd/issues/25676; is this correct?

Comment 6 Luca Boccassi 2023-12-22 12:06:19 UTC
Was this CVE requested by Red Hat? As far as I am aware, we were not consulted on this, neither before nor after. This is very much not ok.

Comment 7 Petr Menšík 2023-12-22 21:10:03 UTC
(In reply to Salvatore Bonaccorso from comment #5)
> This seems related to https://github.com/systemd/systemd/issues/25676 is
> this correct?

Yes, that is the second upstream issue for the same thing, first was https://github.com/systemd/systemd/issues/15158. But the second one has more valuable discussion IMO.

Comment 9 errata-xmlrpc 2024-04-30 10:55:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2463 https://access.redhat.com/errata/RHSA-2024:2463

Comment 10 errata-xmlrpc 2024-05-22 10:17:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3203 https://access.redhat.com/errata/RHSA-2024:3203