Bug 96976 (CVE-2005-2302)

Summary: VUL-0: CVE-2005-2302: pdns LDAP backend bugs
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: nadvornik, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-2302: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: pdns-2.9.17-ldap.patch, pdns-2.9.17-recursor.patch

Description Ludwig Nussel 2005-07-18 07:46:29 UTC
We received the following report via bugtraq.
The issue is public.

It's all Greek to me. Do we even have the ldap backend enabled?

Date: 16 Jul 2005 11:54:37 -0000
From: bert.hubert@netherlabs.nl
To: bugtraq@securityfocus.com
Subject: PowerDNS 2.9.18 fixes two security issues affecting users of LDAP
 backend or limited recursion
X-Mailer: MIME-tools 5.411 (Entity 5.404)
X-Spam-Level: **

PowerDNS 2.9.18 fixes two bugs with security implications, which only apply to installations running on the LDAP backend, or installations providing recursion to a limited range of IP addresses. If any of these apply to you, an upgrade is highly advised.

Version 2.9.18 release notes are on: http://doc.powerdns.com/changelog.html#CHANGELOG-2-9-18
Version 2.9.18 is available on:
http://www.powerdns.com/downloads/
Wiki, source, bugtracker: http://wiki.powerdns.com/
Security page: http://doc.powerdns.com/security-policy.html

Details:
    * The LDAP backend did not properly escape all queries, allowing it to fail and not answer questions. We have not investigated further risks involved, but we advise LDAP users to update as quickly as possible (Norbert Sendetzky, Jan de Groot)

    * Questions from clients denied recursion could blank out answers to clients who are allowed recursion services, temporarily. Reported by Wilco Baan. This would've made it possible for outsiders to blank out a domain temporarily to your users. Luckily PowerDNS would send out SERVFAIL or Refused, and not a denial of a domain's existence. 

Thanks for your attention.

Bert Hubert
http://www.netherlabs.nl
http://www.powerdns.com
http://ds9a.nl/
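
The LDAP quoting problem named in the advisory above, shown as an added example (not code from PowerDNS or from the patches attached to this bug): a search filter built from a DNS query name with and without RFC 4515 escaping, plus a check that the result is still a single equality item. The attribute name `associatedDomain` and all function names are assumptions made for illustration.

```cpp
// Added example, not PowerDNS source. The attribute name "associatedDomain"
// and all function names are assumptions.
#include <cctype>
#include <iostream>
#include <string>

// RFC 4515 escaping for a filter value: '*', '(', ')', '\' and NUL become
// "\xx" (two hex digits). Bytes >= 0x80 are escaped as well, because a DNS
// name from the wire is arbitrary octets and may not be valid UTF-8.
std::string escapeFilterValue(const std::string& in) {
    static const char hex[] = "0123456789abcdef";
    std::string out;
    for (unsigned char c : in) {
        if (c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 || c >= 0x80)
            out.append({'\\', hex[c >> 4], hex[c & 15]});
        else
            out += static_cast<char>(c);
    }
    return out;
}

// "Before": the query name is pasted into the filter as received.
std::string unsafeFilter(const std::string& q) { return "(associatedDomain=" + q + ")"; }
// "After": the query name is escaped first.
std::string safeFilter(const std::string& q) { return "(associatedDomain=" + escapeFilterValue(q) + ")"; }

// True only if f is still one "(attr=value)" equality item: no raw
// parenthesis, wildcard or NUL inside, and every '\' starts a "\xx" escape.
bool isSingleEqualityItem(const std::string& f) {
    if (f.size() < 2 || f.front() != '(' || f.back() != ')') return false;
    for (std::size_t i = 1; i + 1 < f.size(); ++i) {
        unsigned char c = f[i];
        if (c == '(' || c == ')' || c == '*' || c == 0) return false;
        if (c == '\\') {
            if (i + 3 >= f.size() || !std::isxdigit((unsigned char)f[i + 1]) ||
                !std::isxdigit((unsigned char)f[i + 2])) return false;
            i += 2;
        }
    }
    return true;
}

int main() {
    // Constructed sample query names, not taken from the report.
    for (std::string q : {"www.example.com", "a(b.example.com", "x\\.example.com"})
        std::cout << unsafeFilter(q) << " ok=" << isSingleEqualityItem(unsafeFilter(q))
                  << "  ->  " << safeFilter(q) << " ok=" << isSingleEqualityItem(safeFilter(q)) << "\n";
}
```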
Comment 1 Vladimir Nadvornik 2005-07-18 08:30:40 UTC
Yes, we have ldap backend enabled.
I am going to extract the patches.
Comment 2 Vladimir Nadvornik 2005-07-18 11:31:10 UTC
Created attachment 42387
pdns-2.9.17-ldap.patch

fix for ldap quoting
Comment 3 Vladimir Nadvornik 2005-07-18 11:33:58 UTC
Created attachment 42388
pdns-2.9.17-recursor.patch

fix for recursor
Comment 4 Vladimir Nadvornik 2005-07-18 14:43:13 UTC
Fixed package is submitted to 9.3. Can you please submit patchinfo?
Comment 5 Ludwig Nussel 2005-07-18 15:17:57 UTC
SM-Tracker-1810 
Comment 6 Ludwig Nussel 2005-07-19 10:26:06 UTC
====================================================== 
Candidate: CAN-2005-2301 
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2301 
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20050719 
Category: SF 
Reference: BUGTRAQ:20050716 PowerDNS 2.9.18 fixes two security issues 
affecting users of LDAP 
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112155941310297&w=2 
Reference: CONFIRM:http://doc.powerdns.com/changelog.html#CHANGELOG-2-9-18 
 
PowerDNS before 2.9.18, when running with an LDAP backend, does not 
properly escape LDAP queries, which allows remote attackers to cause a 
denial of service (failure to answer ldap questions) and possibly 
conduct an LDAP injection attack. 
 
 
 
====================================================== 
Candidate: CAN-2005-2302 
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2302 
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20050719 
Category: SF 
Reference: BUGTRAQ:20050716 PowerDNS 2.9.18 fixes two security issues 
affecting users of LDAP 
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112155941310297&w=2 
Reference: CONFIRM:http://doc.powerdns.com/changelog.html#CHANGELOG-2-9-18 
 
PowerDNS before 2.9.18, does not properly handle questions from 
clients that are denied recursion, which could cause a "blank out" of 
answers to clients that are allowed to use recursion. 
Comment 7 Marcus Meissner 2005-07-20 07:52:55 UTC
BTW, do we really need powerdns in the distro? We have bind?
Comment 8 Vladimir Nadvornik 2005-07-20 08:12:21 UTC
The powerdns package was created because our internal IT department needs it.
It could be made internal, but I don't see any reason for it.
Comment 9 Marcus Meissner 2005-07-20 08:15:17 UTC
If we use it ourselves it is fine by me. :)
Comment 10 Ludwig Nussel 2005-08-02 15:30:15 UTC
updates released  
Comment 11 Thomas Biege 2009-10-13 21:33:52 UTC
CVE-2005-2302: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)