Bug 1197525 - VUL-0: CVE-2022-27227: pdns,pdns-recursor: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/327234/#p...
Reported: 2022-03-25 13:00 UTC by Gianluca Gabrielli
Modified: 2022-04-07 07:21 UTC (History)

Attachments
upstream patch 4.6.0 (2.98 KB, patch)
2022-03-25 14:30 UTC, Gianluca Gabrielli
upstream patch pdns 4.5.3 (2.98 KB, patch)
2022-03-25 14:30 UTC, Gianluca Gabrielli
upstream patch pdns 4.4.2 (2.96 KB, patch)
2022-03-25 14:30 UTC, Gianluca Gabrielli
upstream patch pdns-recursor 4.6.0 (2.98 KB, patch)
2022-03-25 14:31 UTC, Gianluca Gabrielli
upstream patch pdns-recursor 4.5.7 (7.61 KB, patch)
2022-03-25 14:31 UTC, Gianluca Gabrielli
upstream patch pdns-recursor 4.4.7 (7.61 KB, patch)
2022-03-25 14:31 UTC, Gianluca Gabrielli

Description Gianluca Gabrielli 2022-03-25 13:00:05 UTC
In the Authoritative server this issue only applies to secondary zones for which IXFR transfers have been enabled and the network path to the primary server is not trusted. Note that IXFR transfers are not enabled by default.

In the Recursor it applies to setups retrieving one or more RPZ zones from a remote server if the network path to the server is not trusted.

IXFR usually exchanges only the modifications between two versions of a zone, but sometimes needs to fall back to a full transfer of the current version.

When IXFR falls back to a full zone transfer, an attacker in position of man-in-the-middle can cause the transfer to be prematurely interrupted. This interrupted transfer is mistakenly interpreted as a complete transfer, causing an incomplete zone to be processed.

For the Authoritative Server, IXFR transfers are not enabled by default.
The Recursor only uses IXFR for retrieving RPZ zones. An incomplete RPZ transfer results in missing policy entries, potentially causing some DNS names and IP addresses to not be properly intercepted.

We would like to thank Nicolas Dehaine and Dmitry Shabanov from ThreatSTOP for reporting and initial analysis of this issue.

References:
- https://blog.powerdns.com/2022/03/25/security-advisory-2022-01-for-powerdns-authoritative-server-4-4-2-4-5-3-4-6-0-and-powerdns-recursor-4-4-7-4-5-7-4-6-0/
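The completeness check that the description says was missing can be sketched as follows. This is an added example, not PowerDNS code or the upstream patch: it applies the RFC 1995 / RFC 5936 rule that a transfer ends with the same SOA record it began with, and the zone name, records and the `classify_transfer` helper are constructed for illustration.

```python
from typing import List, NamedTuple, Optional


class RR(NamedTuple):
    name: str
    rtype: str
    rdata: str
    serial: Optional[int] = None  # set only on SOA records


class IncompleteTransfer(Exception):
    """The stream ended before the closing SOA; do not load the zone."""


def is_soa(rr: RR, zone: str) -> bool:
    return rr.rtype == "SOA" and rr.name.lower() == zone.lower()


def classify_transfer(records: List[RR], zone: str) -> str:
    """Return 'no-change', 'incremental' or 'full'; raise if cut short."""
    if not records or not is_soa(records[0], zone):
        raise IncompleteTransfer("response does not start with the zone SOA")
    first, last = records[0], records[-1]
    if len(records) == 1:
        return "no-change"  # lone SOA carries no zone data: keep current copy
    # RFC 1995 / RFC 5936: a transfer ends with the SOA it began with.
    if not is_soa(last, zone) or last.serial != first.serial:
        raise IncompleteTransfer(
            f"{len(records)} records, no closing SOA serial {first.serial}")
    # A second-record SOA starts diff sequences; otherwise it is a full zone.
    if len(records) > 2 and is_soa(records[1], zone):
        return "incremental"
    return "full"


# Constructed sample: an RPZ zone sent as a full-transfer fallback.
ZONE = "rpz.example."
SOA = RR(ZONE, "SOA", "ns.rpz.example. admin.rpz.example.", serial=2022032501)
FULL = [
    SOA,
    RR(ZONE, "NS", "ns.rpz.example."),
    RR("bad-a.test.rpz.example.", "CNAME", "."),
    RR("bad-b.test.rpz.example.", "CNAME", "."),
    SOA,
]
TRUNCATED = FULL[:3]  # stream cut after the first policy entry

if __name__ == "__main__":
    print(classify_transfer(FULL, ZONE))
```

Loading `TRUNCATED` without this check would silently drop the `bad-b` policy entry, which is the RPZ impact the description names; with the check the transfer is rejected and the previous zone copy stays in place.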
Comment 1 Gianluca Gabrielli 2022-03-25 14:29:34 UTC
Affected packages:
 - openSUSE:Backports:SLE-15-SP4/pdns-recursor
 - openSUSE:Backports:SLE-15-SP3/pdns-recursor
 - openSUSE:Factory/pdns-recursor
 - openSUSE:Backports:SLE-15-SP4/pdns
 - openSUSE:Backports:SLE-15-SP3/pdns
 - openSUSE:Factory/pdns

SLE packages are not affected.
Comment 2 Gianluca Gabrielli 2022-03-25 14:30:00 UTC
Created attachment 857370 [details]
upstream patch 4.6.0
Comment 3 Gianluca Gabrielli 2022-03-25 14:30:27 UTC
Created attachment 857371 [details]
upstream patch pdns 4.5.3
Comment 4 Gianluca Gabrielli 2022-03-25 14:30:54 UTC
Created attachment 857373 [details]
upstream patch pdns 4.4.2
Comment 5 Gianluca Gabrielli 2022-03-25 14:31:19 UTC
Created attachment 857374 [details]
upstream patch pdns-recursor 4.6.0
Comment 6 Gianluca Gabrielli 2022-03-25 14:31:37 UTC
Created attachment 857376 [details]
upstream patch pdns-recursor 4.5.7
Comment 7 Gianluca Gabrielli 2022-03-25 14:31:58 UTC
Created attachment 857378 [details]
upstream patch pdns-recursor 4.4.7
Comment 8 OBSbugzilla Bot 2022-03-25 14:40:04 UTC
This is an autogenerated message for OBS integration:
This bug (1197525) was mentioned in
https://build.opensuse.org/request/show/964869 Factory / pdns
https://build.opensuse.org/request/show/964870 Factory / pdns-recursor
https://build.opensuse.org/request/show/964873 Backports:SLE-15-SP4 / pdns-recursor
https://build.opensuse.org/request/show/964874 Backports:SLE-15-SP4 / pdns
Comment 9 OBSbugzilla Bot 2022-03-29 09:50:31 UTC
This is an autogenerated message for OBS integration:
This bug (1197525) was mentioned in
https://build.opensuse.org/request/show/965583 Backports:SLE-12-SP4 / pdns
https://build.opensuse.org/request/show/965588 Backports:SLE-12-SP4 / pdns-recursor
Comment 10 Adam Majer 2022-03-29 10:58:28 UTC
fixes submitted, reassigning to security team
Comment 11 Gianluca Gabrielli 2022-03-31 10:31:01 UTC
(In reply to OBSbugzilla Bot from comment #9)
> This is an autogenerated message for OBS integration:
> This bug (1197525) was mentioned in
> https://build.opensuse.org/request/show/965583 Backports:SLE-12-SP4 / pdns
> https://build.opensuse.org/request/show/965588 Backports:SLE-12-SP4 /
> pdns-recursor

I see that you submitted to Backports:SLE-12-SP4 instead of openSUSE:Backports:SLE-15-SP3. Could you submit to the latter?
Comment 12 OBSbugzilla Bot 2022-03-31 13:30:05 UTC
This is an autogenerated message for OBS integration:
This bug (1197525) was mentioned in
https://build.opensuse.org/request/show/966217 Backports:SLE-15-SP3 / pdns
https://build.opensuse.org/request/show/966227 Backports:SLE-15-SP3 / pdns-recursor
Comment 13 Adam Majer 2022-03-31 14:51:16 UTC
fix submitted now also to SP3 Backports. Thanks for reminder.
Comment 14 Gianluca Gabrielli 2022-04-01 07:40:03 UTC
thanks, done.
Comment 15 Swamp Workflow Management 2022-04-07 07:20:32 UTC
openSUSE-SU-2022:0104-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1181201,1181202,1197525
CVE References: CVE-2020-14409,CVE-2020-14410,CVE-2022-27227
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    SDL2-2.0.8-11.3.1
openSUSE Backports SLE-15-SP3 (src):    pdns-4.3.1-bp153.2.3.1
Comment 16 Swamp Workflow Management 2022-04-07 07:21:07 UTC
openSUSE-SU-2022:0105-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197525
CVE References: CVE-2022-27227
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    pdns-recursor-4.3.5-bp153.2.3.1