Bug 1610951 (CVE-2018-10920) - CVE-2018-10920 knot-resolver: Improper input validation bug in DNS resolver component
Summary: CVE-2018-10920 knot-resolver: Improper input validation bug in DNS resolver c...
Status: CLOSED CURRENTRELEASE
Alias: CVE-2018-10920
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180802,repor...
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-08-01 16:55 UTC by Pedro Sampaio
Modified: 2018-08-20 11:16 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-08-20 11:16:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Pedro Sampaio 2018-08-01 16:55:31 UTC
Improper input validation bug in DNS resolver component of knot-resolver before 2.4.1 allows remote attacker to poison cache.

References:

https://www.knot-resolver.cz/2018-08-02-knot-resolver-2.4.1.html

Comment 2 Pedro Sampaio 2018-08-01 17:31:00 UTC
Acknowledgments:

Name: Petr Spacek, the CZ.NIC team
Upstream: Marek Vavruza

Comment 4 Petr Špaček 2018-08-02 13:46:12 UTC
[Affected version (required)]:
Knot Resolver <= 2.4.0

[Fixed version (optional)]:
Knot Resolver 2.4.1

[Vulnerability type (required)]:
CWE-20: Improper Input Validation

[Affected component (required)]:
resolver

[Impact of exploitation (required)]:
Under certain circumstances this bug allows an attacker to hijack
DNS domains.

[Description of vulnerability]:
Improper input validation bug in DNS resolver component of Knot
Resolver allows remote attacker to poison cache.

To execute this attack the attacker has to have:
+ access to rogue authoritative server and
+ ability to trigger query from resolver under attack to authoritative
server under attacker's control

For successful exploitation the data used to poison cache need to match
certain criteria which we decided not to disclose at the moment.

Please note that "classical" DNS answer spoofing is going to be very
hard because Knot Resolver randomizes ports, query ID, and query name
capitalization - i.e. plain Kaminsky attack will be difficult. This is
why attacker needs to control an authoritative server.


Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): High
Availability (A): None

Technical Details:
CWE-20

Acknowledgment:
CZ.NIC would like to thank Marek Vavrusa for reporting this issue.

[Reference URL 1 (required)]:
https://www.knot-resolver.cz/2018-08-02-knot-resolver-2.4.1.html


Note You need to log in before you can comment on or make changes to this bug.