Bug 2222672 (CVE-2023-7008) - CVE-2023-7008 systemd-resolved: Unsigned name response in signed zone is not refused when DNSSEC=yes
Summary: CVE-2023-7008 systemd-resolved: Unsigned name response in signed zone is not ...
Keywords:
Status: NEW
Alias: CVE-2023-7008
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2222674 2222675 2222676 2255718
Blocks: 2222260 2222673
TreeView+ depends on / blocked
 
Reported: 2023-07-13 12:43 UTC by Zack Miele
Modified: 2024-07-04 23:58 UTC (History)
19 users (show)

Fixed In Version: systemd-25X
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github systemd systemd issues 15158 0 None closed DNSSEC doesn't prevent MITM 2023-12-22 20:29:42 UTC
Github systemd systemd issues 25676 0 None open resolved DNSSEC validation can be bypassed by MITM 2023-12-22 20:29:42 UTC
Red Hat Product Errata RHSA-2024:2463 0 None None None 2024-04-30 10:55:17 UTC
Red Hat Product Errata RHSA-2024:3203 0 None None None 2024-05-22 10:17:25 UTC

Description Zack Miele 2023-07-13 12:43:01 UTC
systemd-resolved accepts records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

Comment 3 Lukáš Nykrýn 2023-07-13 13:56:54 UTC
I think in rhel we need to document that the dnssec validation in systemd-resolved is not the validation that you expect.

Basically, the behaviour is good to, for example show a semaphore in a browser that will say validated/no clue/wrong when you use resolved dbus API.
For more traditional uses, it is unusable. Maybe with DNSOverTLS you would be fine.

Also, we can create an insight rule to warn about this.

Comment 4 Petr Menšík 2023-09-13 18:56:06 UTC
No, I do not think DNSOverTLS fixes the issue. It does not protect against spoofing, which is the purpose of DNSSEC. It does not protect signed zones such as fedoraproject.org. If you want to spoof anything, you just strip signatures and provide any value you want.

It should be properly documented until it is fixed properly. This behaviour might be acceptable for DNSSEC=allow-downgrade, if the accepted name were marked somehow. But for DNSSEC=yes I am quite sure this is not wanted behaviour. No documentation will help.

Semaphore in the browser is useless if the remote attacker is able to disable it on will or disable validation only for selected hosts. One page consists usually from many hostnames serving different kind of resources. Single indicator for the whole site would not help.

Comment 5 Salvatore Bonaccorso 2023-12-22 07:29:48 UTC
This seems related to https://github.com/systemd/systemd/issues/25676 is this correct?

Comment 6 Luca Boccassi 2023-12-22 12:06:19 UTC
Was this CVE requested by Redhat? As far as I am aware, we were not consulted on this, neither before not after. This is very much not ok.

Comment 7 Petr Menšík 2023-12-22 21:10:03 UTC
(In reply to Salvatore Bonaccorso from comment #5)
> This seems related to https://github.com/systemd/systemd/issues/25676 is
> this correct?

Yes, that is the second upstream issue for the same thing, first was https://github.com/systemd/systemd/issues/15158. But the second one has more valuable discussion IMO.

Comment 9 errata-xmlrpc 2024-04-30 10:55:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2463 https://access.redhat.com/errata/RHSA-2024:2463

Comment 10 errata-xmlrpc 2024-05-22 10:17:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3203 https://access.redhat.com/errata/RHSA-2024:3203


Note You need to log in before you can comment on or make changes to this bug.