Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] CVE-2019-19794 #3547

Closed
yongtang opened this issue Dec 16, 2019 · 9 comments
Closed

[Security] CVE-2019-19794 #3547

yongtang opened this issue Dec 16, 2019 · 9 comments

Comments

@yongtang
Copy link
Member

This is a public announcement of a security vulnerability discovered in earlier versions of CoreDNS before v1.6.6:

https://nvd.nist.gov/vuln/detail/CVE-2019-19794

As was mentioned in CVE-2019-19794, one of the upstream library miekg/dns used Golang's math/rand. This causes predictable TXID and may allow cache poisoning (See miekg/dns#1043 for details).

CoreDNS was impacted by this upstream vulnerability.

The latest release of CoreDNS v1.6.6 fixes this issue. We encourage all CoreDNS users to update to v1.6.6+ as soon as possible.

The issue was discovered by @FiloSottile, we very much appreciate his contributions! 👍

This issue will keep open for a couple of weeks or so, so that it is visible to public.
@stp-ip stp-ip pinned this issue Dec 16, 2019
@miekg
Copy link
Member

miekg commented Dec 19, 2019

should we make some more noise on this? Release is ready.

@yongtang
Copy link
Member Author

I think we can post a blog on coredns.io?

@miekg
Copy link
Member

miekg commented Dec 20, 2019 via email

@rtheis
Copy link

rtheis commented Dec 20, 2019

Does CVE-2019-19794 impact Kubernetes usage of CoreDNS assuming configurations such as https://github.com/kubernetes/kubernetes/blob/v1.17.0/cluster/addons/dns/coredns/coredns.yaml.base or https://raw.githubusercontent.com/coredns/deployment/5a861f8a6fa192ac9dbda1856bff95b9d6721389/kubernetes/coredns.yaml.sed?

@chrisohaver
Copy link
Member

chrisohaver commented Dec 20, 2019
edited

IIUC, it could be exploited by someone with access to read and spoof packets into the Pod network (the network traffic between pods and coredns).

@stp-ip
Copy link
Member

stp-ip commented Dec 20, 2019

This is planned to be fixed in Kubernetes in the next patch release.
Afaiks: Hard to exploit and the result would be a poisoned cache. It needs cluster access and partial control of the network to be an attack vector. So severity should be low.

You can update to the latest CoreDNS (v1.6.6) manually, if you control the Cluster or wait for the Kubernetes patch release to hit.

@miekg
Copy link
Member

miekg commented Dec 29, 2019

release it out; closing

@miekg miekg closed this as completed Dec 29, 2019
@miekg miekg unpinned this issue Dec 29, 2019
@rtheis
Copy link

rtheis commented Jan 2, 2020

@stp-ip Is it possible then to mitigate this security vulnerability by disabling the cache via removing the cache plugin from the CoreDNS configuration?

@stp-ip
Copy link
Member

stp-ip commented Jan 3, 2020

The cache poisoning isn't within the CoreDNS cache in the usual Kubernetes setup afaik.
In general the issue is that response forgeries can be created, that can lead to a poisoned cache within applications and/or caching resolvers.

To answer the specific question. Disabling the cache plugin shouldn't prevent this issue from happening afaik.

If you control the deployment upgrade to 1.6.6 manually or wait for the next K8s patch release.

This was referenced Jan 10, 2020
Closed
Merged
@shamsher31 shamsher31 mentioned this issue Aug 10, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@miekg @stp-ip @yongtang @chrisohaver @rtheis