Vulnerabilities > CVE-2014-8601 - Resource Management Errors vulnerability in multiple products

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-104-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(82088);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2014-8601");
  script_bugtraq_id(71545);

  script_name(english:"Debian DLA-104-1 : pdns-recursor security update");
  script_summary(english:"Checks dpkg output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Florian Maury from ANSSI discovered a flaw in pdns-recursor, a
recursive DNS server : a remote attacker controlling
maliciously-constructed zones or a rogue server could affect the
performance of pdns-recursor, thus leading to resource exhaustion and
a potential denial of service.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2014/12/msg00007.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/squeeze-lts/pdns-recursor"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Upgrade the affected pdns-recursor package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:pdns-recursor");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/26");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"6.0", prefix:"pdns-recursor", reference:"3.2-4+deb6u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2014-798.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(80211);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2014-8601");

  script_name(english:"openSUSE Security Update : pdns-recursor (openSUSE-SU-2014:1685-1)");
  script_summary(english:"Check for the openSUSE-2014-798 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This pdns-recursor version update fixes the following security issue
and non secuirty issues.

Update to upstream release 3.6.2.

  - boo#906583: Degraded service through queries to queries
    to specific domains (CVE-2014-8601)

  - Fixed broken _localstatedir

Update to upstream release 3.6.1.

  - gab14b4f: expedite servfail generation for ezdns-like
    failures (fully abort query resolving if we hit more
    than 50 outqueries)

  - g42025be: PowerDNS now polls the security status of a
    release at startup and periodically. More detail on this
    feature, and how to turn it off, can be found in Section
    2, 'Security polling'.

  - g5027429: We did not transmit the right 'local' socket
    address to Lua for TCP/IP queries in the recursor. In
    addition, we would attempt to lookup a filedescriptor
    that wasn't there in an unlocked map which could
    conceivably lead to crashes. Closes t1828, thanks
    Winfried for reporting

  - g752756c: Sync embedded yahttp copy. API: Replace HTTP
    Basic auth with static key in custom header

  - g6fdd40d: add missing #include <pthread.h> to
    rec-channel.hh (this fixes building on OS X).

  - sync permissions/ownership of home and config dir with
    the pdns package

  - added systemd support for 12.3 and newer

Update to upstrean release 3.5.3.

  - This is a bugfix and performance update to 3.5.2. It
    brings serious performance improvements for dual stack
    users. For all the details see
    http://doc.powerdns.com/html/changelog.html#changelog-re
    cursor-3.5.3

  - Remove patch (pdns-recursor-3.3_config.patch)

  - Add patch (pdns-recursor-3.5.3_config.patch)

Update to upstrean release 3.5.2.

  - Responses without the QR bit set now get matched up to
    an outstanding query, so that resolution can be aborted
    early instead of waiting for a timeout.

  - The depth limiter changes in 3.5.1 broke some legal
    domains with lots of indirection.

  - Slightly improved logging to aid debugging.

Update to upstream version 3.5.1.

  - This is a stability and bugfix update to 3.5. It
    contains important fixes that improve operation for
    certain domains. This is a stability, security and
    bugfix update to 3.3/3.3.1. It contains important fixes
    for slightly broken domain names, which your users
    expect to work anyhow. For all details see
    http://doc.powerdns.com/html/changelog.html#changelog-re
    cursor-3.5.1

  - adapted patches: pdns-rec-lua52.patch
    pdns-recursor-3.5.1_config.patch

  - fixed conditional for different lua versions

  - started some basic support to build packages for non
    suse distros"
  );
  # http://doc.powerdns.com/html/changelog.html#changelog-recursor-3.5.1
  script_set_attribute(
    attribute:"see_also",
    value:"https://doc.powerdns.com/md/changelog/#changelog-recursor-3.5.1"
  );
  # http://doc.powerdns.com/html/changelog.html#changelog-recursor-3.5.3
  script_set_attribute(
    attribute:"see_also",
    value:"https://doc.powerdns.com/md/changelog/#changelog-recursor-3.5.3"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=906583"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2014-12/msg00084.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected pdns-recursor packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pdns-recursor");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pdns-recursor-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pdns-recursor-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE12\.3|SUSE13\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3 / 13.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE12.3", reference:"pdns-recursor-3.6.2-6.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"pdns-recursor-debuginfo-3.6.2-6.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"pdns-recursor-debugsource-3.6.2-6.4.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"pdns-recursor-3.6.2-8.4.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"pdns-recursor-debuginfo-3.6.2-8.4.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"pdns-recursor-debugsource-3.6.2-8.4.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pdns-recursor / pdns-recursor-debuginfo / pdns-recursor-debugsource");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201412-33.
#
# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(80210);
  script_version("$Revision: 1.4 $");
  script_cvs_date("$Date: 2017/10/02 21:12:27 $");

  script_cve_id("CVE-2009-4009", "CVE-2009-4010", "CVE-2012-1193", "CVE-2014-8601");
  script_bugtraq_id(37650, 37653, 59348, 71545);
  script_xref(name:"GLSA", value:"201412-33");

  script_name(english:"GLSA-201412-33 : PowerDNS Recursor: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-201412-33
(PowerDNS Recursor: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PowerDNS Recursor.
      Please review the CVE identifiers and PowerDNS blog post referenced below
      for details.
  
Impact :

    A remote attacker may be able to send specially crafted packets,
      possibly resulting in arbitrary code execution or a Denial of Service
      condition. Furthermore, a remote attacker may be able to spoof DNS data.
  
Workaround :

    There is no known workaround at this time."
  );
  # https://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?e0bd75f6"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201412-33"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All PowerDNS Recursor users should upgrade to the latest version:
      # emerge --sync
      # emerge --ask --oneshot --verbose '>=net-dns/pdns-recursor-3.6.1-r1'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(119);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:pdns-recursor");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"net-dns/pdns-recursor", unaffected:make_list("ge 3.6.1-r1"), vulnerable:make_list("lt 3.6.1-r1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "PowerDNS Recursor");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-3096. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(79883);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2014-8601");
  script_bugtraq_id(71545);
  script_xref(name:"DSA", value:"3096");

  script_name(english:"Debian DSA-3096-1 : pdns-recursor - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Florian Maury from ANSSI discovered a flaw in pdns-recursor, a
recursive DNS server : a remote attacker controlling
maliciously-constructed zones or a rogue server could affect the
performance of pdns-recursor, thus leading to resource exhaustion and
a potential denial-of-service."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/wheezy/pdns-recursor"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2014/dsa-3096"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the pdns-recursor packages.

For the stable distribution (wheezy), this problem has been fixed in
version 3.3-3+deb7u1.

For the upcoming stable distribution (jessie) and unstable
distribution (sid), this problem has been fixed in version 3.6.2-1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:pdns-recursor");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/15");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"7.0", prefix:"pdns-recursor", reference:"3.3-3+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"pdns-recursor-dbg", reference:"3.3-3+deb7u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(87951);
 script_version("1.5");
 script_cvs_date("Date: 2018/11/15 20:50:21");

 script_cve_id("CVE-2014-8601");
 script_bugtraq_id(71545);
 script_xref(name:"CERT", value:"264212");

 script_name(english:"PowerDNS Recursor 3.x < 3.6.2 Recursive Referral Handling DoS");
 script_summary(english:"Checks the PowerDNS Recursor version.");

 script_set_attribute(attribute:"synopsis", value:
"The remote name server is affected by a denial of service
vulnerability.");
 script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the version of the
PowerDNS Recursor listening on the remote host is version 3.x prior to
3.6.2. It is, therefore, affected by a denial of service vulnerability
due to the lack of limiting delegation chaining. A remote attacker can
exploit this vulnerability, via a large or infinite number of
referrals, to cause resource exhaustion, resulting in a denial of
service condition.

Note that Nessus has not attempted to exploit this issue but has
instead relied only on the application's self-reported version number.
Also, Nessus has not checked for the presence of the patch.");
 script_set_attribute(attribute:"see_also", value:"https://doc.powerdns.com/md/security/powerdns-advisory-2014-02/");
 script_set_attribute(attribute:"see_also", value:"https://www.kb.cert.org/vuls/id/264212/");
 script_set_attribute(attribute:"solution", value:
"Upgrade to PowerDNS Recursor 3.6.2 or later. Alternatively, apply the
patch referenced in the vendor advisory.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date",value:"2014/12/08");
 script_set_attribute(attribute:"patch_publication_date",value:"2014/12/08");
 script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/15");

 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:powerdns:powerdns");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:powerdns:recursor");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");

 script_family(english:"DNS");
 script_dependencies("pdns_version.nasl");
 script_require_keys("pdns/version", "pdns/version_full", "pdns/version_source", "pdns/type", "Settings/ParanoidReport");
 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

app_name = "PowerDNS Recursor";
version_source = get_kb_item_or_exit("pdns/version_source");
version_full = get_kb_item_or_exit("pdns/version_full");
version = get_kb_item_or_exit("pdns/version");

fix = '3.6.2';
port = 53;

# Only the Recursor is affected
type = get_kb_item_or_exit("pdns/type");
if (type != 'recursor') audit(AUDIT_NOT_LISTEN, app_name, port, "UDP");

if (version !~ "^3\." || (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0))
  audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version_full, "UDP");

if (report_verbosity > 0)
{
  report =
    '\n  Version source    : ' + version_source +
    '\n  Installed version : ' + version_full +
    '\n  Fixed version     : ' + fix +
    '\n';
  security_warning(port:port, proto:"udp", extra:report);
}
else security_warning(port:port, proto:"udp");