PowerDNS Recursor Critical Security Issue - PDNS-2010-01

Bug #502987 reported by bert hubert
Affects                  Status        Importance  Assigned to  Milestone
pdns-recursor (Ubuntu)   Fix Released  High        Unassigned
  Nominated for Dapper by r12056
Hardy                    Won't Fix     High        Unassigned
Intrepid                 Fix Released  High        Unassigned
Jaunty                   Fix Released  High        Unassigned
Karmic                   Fix Released  High        Unassigned
Lucid                    Fix Released  High        Unassigned

Bug Description

Binary package hint: pdns-recursor

Please contact <email address hidden>, the PowerDNS author, ASAP. I've also emailed <email address hidden>.

bert hubert (bert-hubert) wrote :

> One issue is remotely exploitable, and there are no configuration
> countermeasures. The other allows a (skilled) attacker to spoof domain data
> for domain names he does not own.

For issue 1, CVE-2009-4009; for issue 2, CVE-2009-4010.

To further clarify, the information & update will be made public on
Wednesday January 6th, at 16:00 CET (10AM EST).

I've not yet heard from FreeBSD, Ubuntu (Bug #502987), Fedora and Gentoo.
Can you please contact me ASAP?

> Hi everybody,
>
> This Wednesday the release of the PowerDNS Recursor 3.1.7.2 will be made
> public, which fixes two important security issues, one of which is remotely
> exploitable.
>
> Given the critical nature of these vulnerabilities, we are trying to keep
> details confidential for a few more days.
>
> Summary
> -------
> The short version: please contact me off-list if you distribute the PowerDNS
> Recursor (any version), and if you want to gain early access to version
> 3.1.7.2 and associated release notes.
>
> Details
> -------
> The two security issues have been discovered by two parties which we cannot
> yet publicly mention or thank, but they deserve full credit and gratitude
> for their discoveries.
>
> Two CVE numbers have been requested, they will be communicated ASAP.
>
> One issue is remotely exploitable, and there are no configuration
> countermeasures. The other allows a (skilled) attacker to spoof domain data
> for domain names he does not own.
>
> The first issue is at least a DoS, but in all likelihood can be expanded
> into a full compromise ('rooted').
>
> The release that will be made public is already available for distributors.
> Other good news is that it is already serving over a million ISP customers,
> with no apparent problems.
>
> Contact me off-list for quick access to the new PowerDNS Recursor code,
> patch & release notes.

Marc Deslauriers (mdeslaur) wrote :
visibility: private → public
Imre Gergely (cemc)
Changed in pdns-recursor (Ubuntu):
assignee: nobody → Imre Gergely (cemc)
status: New → In Progress
Imre Gergely (cemc) wrote :

For Lucid we should wait for Debian, then sync.

This bug affects Karmic, Jaunty, Intrepid and Hardy as well (they all have pdns-recursor <= 3.1.7), for those I'm working on a patch.

See attached debdiff against latest Karmic package (3.1.7-5).
- package was built in a clean pbuilder environment, it built OK
- installing/updating didn't seem to break anything
- I did some basic testing, seems to work ok (can't test it against the exploits though)

Changed in pdns-recursor (Ubuntu):
assignee: Imre Gergely (cemc) → nobody
Kees Cook (kees) wrote :

To repeat a bit of the IRC discussion: patch looks generally good, but it would be better if it did not include the code clean-ups (dropping unused functions, removing #if 0 code, etc). This will make reviewing, backporting, and possible regression handling easier.

Changed in pdns-recursor (Ubuntu Karmic):
status: New → In Progress
assignee: nobody → Imre Gergely (cemc)
Changed in pdns-recursor (Ubuntu Lucid):
status: In Progress → Confirmed
Changed in pdns-recursor (Ubuntu Hardy):
status: New → Triaged
Changed in pdns-recursor (Ubuntu Jaunty):
status: New → Confirmed
Changed in pdns-recursor (Ubuntu Intrepid):
status: New → Triaged
Changed in pdns-recursor (Ubuntu Hardy):
importance: Undecided → High
Changed in pdns-recursor (Ubuntu Jaunty):
status: Confirmed → Triaged
Changed in pdns-recursor (Ubuntu Karmic):
importance: Undecided → High
Changed in pdns-recursor (Ubuntu Lucid):
status: Confirmed → Triaged
Changed in pdns-recursor (Ubuntu Jaunty):
importance: Undecided → High
Changed in pdns-recursor (Ubuntu Intrepid):
importance: Undecided → High
Changed in pdns-recursor (Ubuntu Lucid):
importance: Undecided → High
Imre Gergely (cemc) wrote :

I've cleaned up the debdiff, should be smaller and more clear now. (Tested this one and it builds and seems to work ok.)

Please take a look. I'll go on to Jaunty and Intrepid if everything's fine with this one.

bert hubert (bert-hubert) wrote : Re: [Bug 502987] Re: PowerDNS Recursor Critical Security Issue - PDNS-2010-01

It looks good - if all you did was remove the bits about #if 0 and
getDirect, then it can't be wrong <TM>.

On Wed, Jan 06, 2010 at 10:33:02PM -0000, Imre Gergely wrote:
> I've cleaned up the debdiff, should be smaller and more clear now.
> (Tested this one and it builds and seems to work ok.)
>
> Please take a look. I'll go on to Jaunty and Intrepid if everything's
> fine with this one.
>
> ** Attachment removed: "pdns-recursor_3.1.7-5ubuntu0.1.debdiff"
> http://launchpadlibrarian.net/37515116/pdns-recursor_3.1.7-5ubuntu0.1.debdiff
>
> ** Attachment added: "pdns-recursor_3.1.7-5ubuntu0.1.debdiff"
> http://launchpadlibrarian.net/37518450/pdns-recursor_3.1.7-5ubuntu0.1.debdiff
>
> --
> PowerDNS Recursor Critical Security Issue - PDNS-2010-01
> https://bugs.launchpad.net/bugs/502987
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Kees Cook (kees) wrote :

Thanks, this looks good to me. I've uploaded it to the security queue now.

Changed in pdns-recursor (Ubuntu Karmic):
status: In Progress → Fix Committed
Changed in pdns-recursor (Ubuntu Hardy):
status: Triaged → New
Changed in pdns-recursor (Ubuntu Intrepid):
status: Triaged → In Progress
Changed in pdns-recursor (Ubuntu Jaunty):
status: Triaged → In Progress
Changed in pdns-recursor (Ubuntu Lucid):
status: Triaged → New
Changed in pdns-recursor (Ubuntu Jaunty):
assignee: nobody → Imre Gergely (cemc)
Changed in pdns-recursor (Ubuntu Intrepid):
assignee: nobody → Imre Gergely (cemc)
bert hubert (bert-hubert) wrote :

Interestingly enough, this probably makes Ubuntu the first distribution to
ship an update, even though pdns-recursor is in Universe ;-)

Many thanks!

On Wed, Jan 06, 2010 at 10:51:26PM -0000, Kees Cook wrote:
> Thanks, this looks good to me. I've uploaded it to the security queue
> now.
>
> ** Changed in: pdns-recursor (Ubuntu Karmic)
> Status: In Progress => Fix Committed
>
> ** Changed in: pdns-recursor (Ubuntu Hardy)
> Status: Triaged => New
>
> ** Changed in: pdns-recursor (Ubuntu Intrepid)
> Status: Triaged => In Progress
>
> ** Changed in: pdns-recursor (Ubuntu Jaunty)
> Status: Triaged => In Progress
>
> ** Changed in: pdns-recursor (Ubuntu Lucid)
> Status: Triaged => New
>
> ** Changed in: pdns-recursor (Ubuntu Jaunty)
> Assignee: (unassigned) => Imre Gergely (cemc)
>
> ** Changed in: pdns-recursor (Ubuntu Intrepid)
> Assignee: (unassigned) => Imre Gergely (cemc)

Imre Gergely (cemc) wrote :

Attached debdiff for Jaunty, same patch works because Jaunty also has version 3.1.7. It's building and working OK.

Also fixed the initscript, which prevented the current package from being upgraded/removed.
See: https://bugs.launchpad.net/ubuntu/+source/pdns-recursor/+bug/403957

Imre Gergely (cemc) wrote :

Re-added the debdiff for Jaunty (with a corrected changelog).

Imre Gergely (cemc) wrote :

Attached debdiff for Intrepid, built, tested and working. Patch was the same as above because Intrepid too has version 3.1.7.

Kees Cook (kees) wrote :

Thanks! I've uploaded them to the security queue now.

Changed in pdns-recursor (Ubuntu Jaunty):
status: In Progress → Fix Committed
Changed in pdns-recursor (Ubuntu Intrepid):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pdns-recursor - 3.1.7-5ubuntu0.1

---------------
pdns-recursor (3.1.7-5ubuntu0.1) karmic-security; urgency=low

  * SECURITY UPDATE: first issue is remotely exploitable, likely
    leads to full compromise; second issue allows an attacker to
    spoof domain data for domain names he does not own (LP: #502987)
    - debian/patches/CVE-2009-4009-4010.dpatch: fixes the two
      problems
    - CVE-2009-4009, CVE-2009-4010
 -- Imre Gergely <email address hidden> Wed, 06 Jan 2010 22:19:13 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pdns-recursor - 3.1.7-2ubuntu0.1

---------------
pdns-recursor (3.1.7-2ubuntu0.1) jaunty-security; urgency=low

  * SECURITY UPDATE: first issue is remotely exploitable, likely
    leads to full compromise; second issue allows an attacker to
    spoof domain data for domain names he does not own (LP: #502987)
    - debian/patches/CVE-2009-4009-4010.dpatch: fixes the two
      problems
    - CVE-2009-4009, CVE-2009-4010
  * Fixed init.d script typo which prevented the stop() function from
    working (LP: #403957)
    - debian/init.d/pdns-recursor
 -- Imre Gergely <email address hidden> Thu, 07 Jan 2010 01:36:22 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pdns-recursor - 3.1.7-1ubuntu0.1

---------------
pdns-recursor (3.1.7-1ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: first issue is remotely exploitable, likely
    leads to full compromise; second issue allows an attacker to
    spoof domain data for domain names he does not own (LP: #502987)
    - debian/patches/CVE-2009-4009-4010.dpatch: fixes the two
      problems
    - CVE-2009-4009, CVE-2009-4010
 -- Imre Gergely <email address hidden> Thu, 07 Jan 2010 01:35:01 +0200

Changed in pdns-recursor (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Changed in pdns-recursor (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Changed in pdns-recursor (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in pdns-recursor (Ubuntu Hardy):
status: New → Confirmed
Changed in pdns-recursor (Ubuntu Lucid):
status: New → Confirmed
r12056 (r12056)
Changed in pdns-recursor (Ubuntu Hardy):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in pdns-recursor (Ubuntu Lucid):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
r12056 (r12056)
Changed in pdns-recursor (Ubuntu Hardy):
assignee: Ubuntu Security Team (ubuntu-security) → Imre Gergely (cemc)
Changed in pdns-recursor (Ubuntu Lucid):
assignee: Ubuntu Security Team (ubuntu-security) → Imre Gergely (cemc)
Jan Groenewald (jan-aims) wrote :

I see this has been nominated for dapper. Any plans for an update or backport?

Chris Johnston (cjohnston) wrote :

Removed assignee that was added by r12056.

The nominations may not be appropriate. Please investigate and fix as appropriate.

Changed in pdns-recursor (Ubuntu Lucid):
assignee: Imre Gergely (cemc) → nobody
Changed in pdns-recursor (Ubuntu Hardy):
assignee: Imre Gergely (cemc) → nobody
Jamie Strandboge (jdstrand) wrote :

Lucid now has 3.1.7.2-1.

Changed in pdns-recursor (Ubuntu Lucid):
status: Confirmed → Fix Released
Imre Gergely (cemc) wrote :

Correct, we're still waiting for a patch for the version in Hardy. Because of the greater version difference, easy patching is not possible (at least not something I could do, as I'm not that familiar with the code).
I will contact upstream again, and if it can't be arranged in a short while, maybe we could try a backport to Hardy.

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in pdns-recursor (Ubuntu Hardy):
status: Confirmed → Won't Fix
Imre Gergely (cemc) wrote :

As I don't think we will get a patch for Hardy for this bug, would it be possible to backport 3.3-2 from Precise? At least that way anyone who really wants a new and fixed version and is still using Hardy could install it from -backports.

I have 3.3-1 'backported' in my PPA, and if I'm not mistaken it's an easy enough thing to do; I've been running it on my Hardy server for two months now.

Changed in pdns-recursor (Ubuntu Intrepid):
assignee: Imre Gergely (cemc) → nobody
Changed in pdns-recursor (Ubuntu Jaunty):
assignee: Imre Gergely (cemc) → nobody
Changed in pdns-recursor (Ubuntu Karmic):
assignee: Imre Gergely (cemc) → nobody
Jamie Strandboge (jdstrand) wrote :

Imre, we can't backport the full release to hardy from precise in a security update, but you can use hardy-backports for this (conceivably). I suggest you contact the backporters team.

Imre Gergely (cemc) wrote :

I know, I was thinking about -backports, too. Opened a bug report for it (bug #888627). Thanks.
