Bug 1510570 – CVE-2017-15107 dnsmasq: Improper validation of wildcard synthesized NSEC records

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1510570 - (CVE-2017-15107) CVE-2017-15107 dnsmasq: Improper validation of wildcard synthesized NSEC records

Summary:	CVE-2017-15107 dnsmasq: Improper validation of wildcard synthesized NSEC records

Status:	CLOSED NOTABUG

Aliases:	CVE-2017-15107

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20180119,repor...
Keywords:	Security

Depends On:	1536903
Blocks:	1507052
	Show dependency tree / graph

Reported:	2017-11-07 11:59 EST by Adam Mariš
Modified:	2018-02-12 04:00 EST (History)
CC List:	25 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in Dnsmasq's implementation of DNSSEC. Wildcard synthesized NSEC records could be improperly interpreted to prove the non-existence of hostnames that actually exist.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2018-01-21 20:44:13 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Adam Mariš 2017-11-07 11:59:10 EST

A vulnerability in DNSSEC implementation of Dnsmasq was found. Processing of wildcard synthesized NSEC records may result in improper validation for non-existance in some implementations of DNSSEC. While synthesis of NSEC records is allowed by RFC4592, the synthesized owner names should not be used in the NSEC processing.

Comment 1 Adam Mariš 2017-11-07 11:59:13 EST

Acknowledgments:

Name: Ralph Dolmans (NLnet Labs), Karst Koymans (University of Amsterdam)

Comment 2 Doran Moppert 2018-01-21 20:40:56 EST

External References:

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011896.html
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=4fe6744a220eddd3f1749b40cac3dfc510787de6

Comment 3 Doran Moppert 2018-01-21 20:41:40 EST

Statement:

Versions of Dnsmasq shipped with Red Hat Enterprise Linux are built without DNSSEC support, so they are not affected by this issue.

Comment 4 Doran Moppert 2018-01-21 20:42:49 EST

Created dnsmasq tracking bugs for this issue:

Affects: fedora-all [bug 1536903]

Note You need to log in before you can comment on or make changes to this bug.

apevec
chrisw
dougsland
dustymabe
itamar
jima
jjoyce
jschluet
kbasil
laine
lhh
lpeer
markmc
mburns
pavlix
p
pemensik
rbryant
sclewis
security-response-team
slinaber
srevivo
tdecacqu
thozza
veillard