Bug 1173302 - (CVE-2020-14196) VUL-1: CVE-2020-14196: pdns-recursor: access restriction bypass
(CVE-2020-14196)
VUL-1: CVE-2020-14196: pdns-recursor: access restriction bypass
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/262216
CVSSv3.1:SUSE:CVE-2020-14196:4.3:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-06-24 08:55 UTC by Wolfgang Frisch
Modified: 2022-03-29 09:50 UTC (History)
8 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 4 Fergal Mc Carthy 2020-06-26 20:01:37 UTC
Reviewing the 4.1.16 version of the patch I noticed that it doesn't apply to the Devel:Cloud:8 & Devel:Cloud:9 4.1 based packages. Digging a little deeper I realised that this CVE is relevant to the pdns-recursor package which packages up the PowerDNS Recursor server as per https://doc.powerdns.com/recursor/changelog/4.1.html, and not the pdns package (included in SOC 8 & 9) which packages the PowerDNS Authoritative server as per https://doc.powerdns.com/authoritative/changelog/4.1.html.

As such I'm not sure that any work needs to be undertaken for SOC 8 or 9.
Comment 5 Keith Berger 2020-06-29 13:14:04 UTC
Security, please review and see if more work is needed from the Cloud team
Comment 6 Alexandros Toptsoglou 2020-07-01 12:55:28 UTC
Now public through https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html
Comment 7 OBSbugzilla Bot 2020-07-01 20:10:06 UTC
This is an autogenerated message for OBS integration:
This bug (1173302) was mentioned in
https://build.opensuse.org/request/show/818168 Factory / pdns-recursor
Comment 8 OBSbugzilla Bot 2020-07-01 21:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (1173302) was mentioned in
https://build.opensuse.org/request/show/818174 15.1+15.2+Backports:SLE-12-SP1+Backports:SLE-15-SP1 / pdns-recursor
Comment 9 Adam Majer 2020-07-02 09:01:54 UTC
Bug public. Security advisory for pdns-recursor.

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html


PowerDNS Security Advisory 2020-04: Access restriction bypass

  CVE: CVE-2020-14196
  Date: July 1st 2020
  Affects: PowerDNS Recursor up to and including 4.3.1, 4.2.2 and 4.1.16
  Not affected: 4.3.2, 4.2.3, 4.1.17
  Severity: Low
  Impact: Access restriction bypass
  Exploit: This problem can be triggered by sending HTTP queries
  Risk of system compromise: No
  Solution: Upgrade to a non-affected version
  Workaround: Disable the webserver, set a password or an API key. Additionally, restrict the binding address using the webserver-address setting to local addresses only and/or use a firewall to disallow web requests from untrusted sources reaching the webserver listening address.

An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via webserver-allow-from is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction.

In the default configuration the API webserver is not enabled. Only installations using a non-default value for webserver and webserver-address are affected.
Comment 10 Adam Majer 2020-07-02 09:03:08 UTC
Bug fixes submitted to all maintained codestreams. Reassigning back to security-team for tracking.
Comment 11 Marcus Meissner 2020-07-02 09:24:02 UTC
ok, was reassigend to adam and he submitted ... back to us.
Comment 12 Swamp Workflow Management 2020-07-19 13:14:40 UTC
openSUSE-SU-2020:1005-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1173302
CVE References: CVE-2020-14196
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    pdns-recursor-4.1.17-22.1
Comment 13 Swamp Workflow Management 2020-07-19 13:16:39 UTC
openSUSE-SU-2020:1005-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1173302
CVE References: CVE-2020-14196
Sources used:
openSUSE Leap 15.2 (src):    pdns-recursor-4.3.2-lp152.2.3.1
openSUSE Leap 15.1 (src):    pdns-recursor-4.1.12-lp151.3.6.1
openSUSE Backports SLE-15-SP1 (src):    pdns-recursor-4.1.12-bp151.4.6.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    pdns-recursor-4.1.17-22.1
Comment 14 Swamp Workflow Management 2020-09-18 16:27:05 UTC
openSUSE-SU-2020:1055-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1173302
CVE References: CVE-2020-14196
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    pdns-recursor-4.1.12-bp152.2.4.1
Comment 15 Swamp Workflow Management 2020-09-18 16:29:32 UTC
openSUSE-SU-2020:1101-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1173302
CVE References: CVE-2020-14196
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    pdns-recursor-4.3.2-bp152.2.8.1
Comment 16 Swamp Workflow Management 2020-10-17 19:16:11 UTC
openSUSE-SU-2020:1687-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1173302,1177383
CVE References: CVE-2020-14196,CVE-2020-25829
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    pdns-recursor-4.3.5-lp152.2.6.1
openSUSE Leap 15.1 (src):    pdns-recursor-4.1.12-lp151.3.9.1
openSUSE Backports SLE-15-SP2 (src):    pdns-recursor-4.3.5-bp152.2.12.1
openSUSE Backports SLE-15-SP1 (src):    pdns-recursor-4.1.12-bp151.4.9.1
Comment 17 Swamp Workflow Management 2020-10-17 19:17:17 UTC
openSUSE-SU-2020:1687-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1173302,1177383
CVE References: CVE-2020-14196,CVE-2020-25829
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    pdns-recursor-4.3.5-lp152.2.6.1
openSUSE Leap 15.1 (src):    pdns-recursor-4.1.12-lp151.3.9.1
openSUSE Backports SLE-15-SP2 (src):    pdns-recursor-4.3.5-bp152.2.12.1
openSUSE Backports SLE-15-SP1 (src):    pdns-recursor-4.1.12-bp151.4.9.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    pdns-recursor-4.1.18-25.1
Comment 18 Marcus Meissner 2021-08-05 13:50:48 UTC
done
Comment 19 OBSbugzilla Bot 2022-03-29 09:50:27 UTC
This is an autogenerated message for OBS integration:
This bug (1173302) was mentioned in
https://build.opensuse.org/request/show/965588 Backports:SLE-12-SP4 / pdns-recursor