Hi everyone, OpenSSL released a new advisory [1] today about two new vulnerabilities in their implementations. The first issue, CVE-2021-3450, is not relevant to dnsdist which does not set the X509_V_FLAG_X509_STRICT flag. Unfortunately the second issue, CVE-2021-3449, applies to all servers using OpenSSL's TLS code, including dnsdist. It means that a remote, unauthenticated attacker might be able to crash a dnsdist server via crafted network packets.
That issue is only found in recent OpenSSL versions, so only the following supported platforms are impacted:

- Red Hat Enterprise Linux 8 and derivatives such as CentOS 8 [2]
- Debian Buster [3]
- Ubuntu Bionic [4]
- Ubuntu Focal [4]

Since the vulnerability is not in dnsdist's code but in a third-party library, simply applying the patched package provided by the distribution and restarting the dnsdist process will be enough to fix the issue. We expect the distributions to make these packages available in a few hours.

In the meantime, two workarounds exist to mitigate the issue:

- disable TLS 1.2 by setting 'minTLSVersion="tls1.3"' in every "addTLSLocal" and "addDOHLocal" directive. Note that this might prevent older clients from accessing the service, especially for DNS over TLS
- for DNS over TLS, switch to the GnuTLS provider instead of the OpenSSL one by setting 'provider="GnuTLS"' in every "addTLSLocal" directive. Our GnuTLS implementation has been reported to offer somewhat worse performance than the OpenSSL one, and the format of tickets is a bit different [5], so our advice is to switch back to OpenSSL as soon as it has been upgraded.

It is possible to combine these two workarounds by switching DNS over TLS to GnuTLS and requiring TLS 1.3 for DNS over HTTPS, since DoH clients are much more likely to support TLS 1.3.

[1]: https://www.openssl.org/news/secadv/20210325.txt
[2]: https://access.redhat.com/security/cve/cve-2021-3449
[3]: https://security-tracker.debian.org/tracker/CVE-2021-3449
[4]: https://ubuntu.com/security/cve-2021-3449
[5]: https://dnsdist.org/guides/tls-sessions-management.html#content-of-the-stek-file

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
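The combined workaround from the post above, written out as a dnsdist configuration (Lua). This is an added example, not configuration from the original message; the listen addresses, certificate and key paths, and the "/dns-query" URL are placeholders to be replaced with the deployment's own values.

```lua
-- Added example (not from the original post): dnsdist.conf fragment that
-- applies both interim workarounds for CVE-2021-3449 until the distribution's
-- patched OpenSSL package has been installed and dnsdist restarted.
-- Addresses, paths and the DoH URL below are placeholders.

-- Before (exposed): DoT and DoH both use the default OpenSSL provider and
-- still accept TLS 1.2, so the process depends on the unpatched library.
-- addTLSLocal("0.0.0.0:853", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem")
-- addDOHLocal("0.0.0.0:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem",
--             { "/dns-query" })

-- DNS over TLS: switch the provider to GnuTLS (workaround 2). The minimum
-- TLS version is left at its default because many DoT clients do not
-- support TLS 1.3 yet, so forcing tls1.3 here could lock them out.
addTLSLocal("0.0.0.0:853", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem",
            { provider = "GnuTLS" })

-- DNS over HTTPS: keep OpenSSL but require TLS 1.3 (workaround 1), since
-- disabling TLS 1.2 mitigates the issue and DoH clients are far more
-- likely to support TLS 1.3.
addDOHLocal("0.0.0.0:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem",
            { "/dns-query" }, { minTLSVersion = "tls1.3" })

-- Once OpenSSL is upgraded: drop the provider option on addTLSLocal so DoT
-- returns to OpenSSL (better performance, and the STEK file format differs
-- between the two providers), restart dnsdist, and optionally relax
-- minTLSVersion on addDOHLocal again.
```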