[dnsdist] OpenSSL's CVE-2021-3449 and dnsdist

Remi Gacogne remi.gacogne at powerdns.com
Thu Mar 25 15:12:01 UTC 2021

Hi everyone,

OpenSSL released a new advisory [1] today about two new vulnerabilities
in their implementations. The first issue, CVE-2021-3450, is not
relevant to dnsdist which does not set the X509_V_FLAG_X509_STRICT
flag. Unfortunately the second issue, CVE-2021-3449, applies to all
servers using OpenSSL's TLS code, including dnsdist. It means that a
remote, unauthenticated attacker might be able to crash a dnsdist
server via crafted network packets.

That issue is only found in recent OpenSSL versions, so only the
following supported platforms are impacted:
- Red Hat Enterprise Linux 8 and derivatives such as CentOS 8 [2]
- Debian Buster [3]
- Ubuntu Bionic [4]
- Ubuntu Focal [4]

Since the vulnerability is not in dnsdist's code but in a third-party
library, simply applying the patched package provided by the
distribution and restarting the dnsdist process will be enough to fix
the issue. We expect the distributions to make these packages available
in a few hours.

In the meantime, two workarounds exist to mitigate the issue:
- disable TLS 1.2 by setting 'minTLSVersion="tls1.3"' in every
"addTLSLocal" and "addDOHLocal" directive. Note that this might
prevent older clients from accessing the service, especially for DNS
over TLS.
- for DNS over TLS, switch to the GnuTLS provider instead of the
OpenSSL one by setting 'provider="GnuTLS"' in every "addTLSLocal"
directive. Our GnuTLS implementation has been reported to offer
somewhat worse performance than the OpenSSL one, and the format of
tickets is a bit different [5], so our advice is to switch back to
OpenSSL as soon as it has been upgraded.

It is possible to combine these two workarounds by switching DNS over
TLS to GnuTLS and requiring TLS 1.3 for DNS over HTTPS, since DoH
clients are much more likely to support TLS 1.3.
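As an added illustration (not part of the original post, and not an official PowerDNS configuration), the following dnsdist Lua configuration applies the combined workaround described above: the DNS over TLS listener is moved to the GnuTLS provider, while the DNS over HTTPS listener stays on OpenSSL but only accepts TLS 1.3. Listen addresses, certificate and key paths, and the DoH URL path are placeholders to be replaced with the values of the deployment.

```lua
-- Added example: dnsdist configuration for the two workarounds combined.
-- Paths and addresses below are placeholders.

-- Before: DoT and DoH listeners with the defaults, i.e. the OpenSSL
-- provider and TLS 1.2 still negotiable, which is what CVE-2021-3449
-- affects until the distribution's patched OpenSSL package is installed.
-- addTLSLocal("0.0.0.0:853", "/path/to/cert.pem", "/path/to/key.pem")
-- addDOHLocal("0.0.0.0:443", "/path/to/cert.pem", "/path/to/key.pem", { "/dns-query" })

-- After, workaround for DoT: use the GnuTLS provider so that OpenSSL's
-- TLS code is not involved for this listener at all. Older DoT clients
-- keep working since TLS 1.2 is still allowed here.
addTLSLocal("0.0.0.0:853", "/path/to/cert.pem", "/path/to/key.pem",
            { provider = "GnuTLS" })

-- After, workaround for DoH: keep OpenSSL but refuse anything below
-- TLS 1.3; DoH clients are far more likely to support TLS 1.3 than
-- DoT clients, so the compatibility cost is lower on this listener.
addDOHLocal("0.0.0.0:443", "/path/to/cert.pem", "/path/to/key.pem",
            { "/dns-query" },
            { minTLSVersion = "tls1.3" })
```

Once the patched OpenSSL package from the distribution is installed and dnsdist restarted, the 'provider = "GnuTLS"' option can be dropped again to return to the OpenSSL provider, as the post recommends; the 'minTLSVersion' setting can be kept or relaxed depending on which clients need to be served.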

[1]: https://www.openssl.org/news/secadv/20210325.txt
[2]: https://access.redhat.com/security/cve/cve-2021-3449
[3]: https://security-tracker.debian.org/tracker/CVE-2021-3449
[4]: https://ubuntu.com/security/cve-2021-3449

Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
