CVE-2017-11104 - Vulnerability Details - OpenCVE

Knot DNS before 2.4.5 and 2.5.x before 2.5.2 contains a flaw within the TSIG protocol implementation that would allow an attacker with a valid key name and algorithm to bypass TSIG authentication if no additional ACL restrictions are set, because of an improper TSIG validity period check.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Knot-dns	Knot Dns

Configuration 1 [-]

OR	cpe:2.3:a:knot-dns:knot_dns::::::::
	cpe:2.3:a:knot-dns:knot_dns:2.5.0:::::::*
	cpe:2.3:a:knot-dns:knot_dns:2.5.1:::::::*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00076.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00078.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00089.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00049.html
http://www.debian.org/security/2017/dsa-3910
http://www.securityfocus.com/bid/99598
http://www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdf
https://bugs.debian.org/865678
https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-07-08T10:00:00

Updated: 2024-08-05T17:57:57.864Z

Reserved: 2017-07-08T00:00:00

Link: CVE-2017-11104

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-07-08T10:29:00.170

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-11104

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-07-08T00:00:00", "descriptions": [{"lang": "en", "value": "Knot DNS before 2.4.5 and 2.5.x before 2.5.2 contains a flaw within the TSIG protocol implementation that would allow an attacker with a valid key name and algorithm to bypass TSIG authentication if no additional ACL restrictions are set, because of an improper TSIG validity period check."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-09-18T18:06:20", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "DSA-3910", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-3910"}, {"name": "99598", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/99598"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.debian.org/865678"}, {"tags": ["x_refsource_MISC"], "url": "http://www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdf"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html"}, {"name": "openSUSE-SU-2020:1086", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00078.html"}, {"name": "openSUSE-SU-2020:1085", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00076.html"}, {"name": "openSUSE-SU-2020:1112", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00089.html"}, {"name": "openSUSE-SU-2020:1232", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00049.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-11104", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Knot DNS before 2.4.5 and 2.5.x before 2.5.2 contains a flaw within the TSIG protocol implementation that would allow an attacker with a valid key name and algorithm to bypass TSIG authentication if no additional ACL restrictions are set, because of an improper TSIG validity period check."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-3910", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3910"}, {"name": "99598", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99598"}, {"name": "https://bugs.debian.org/865678", "refsource": "MISC", "url": "https://bugs.debian.org/865678"}, {"name": "http://www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdf", "refsource": "MISC", "url": "http://www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdf"}, {"name": "https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html", "refsource": "MISC", "url": "https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html"}, {"name": "openSUSE-SU-2020:1086", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00078.html"}, {"name": "openSUSE-SU-2020:1085", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00076.html"}, {"name": "openSUSE-SU-2020:1112", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00089.html"}, {"name": "openSUSE-SU-2020:1232", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00049.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T17:57:57.864Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-3910", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2017/dsa-3910"}, {"name": "99598", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/99598"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.debian.org/865678"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html"}, {"name": "openSUSE-SU-2020:1086", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00078.html"}, {"name": "openSUSE-SU-2020:1085", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00076.html"}, {"name": "openSUSE-SU-2020:1112", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00089.html"}, {"name": "openSUSE-SU-2020:1232", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00049.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-11104", "datePublished": "2017-07-08T10:00:00", "dateReserved": "2017-07-08T00:00:00", "dateUpdated": "2024-08-05T17:57:57.864Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:knot-dns:knot_dns:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F0CEBFD-11BC-40ED-935F-9E621F99A1CD", "versionEndIncluding": "2.4.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:knot-dns:knot_dns:2.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56BBCEF1-0DF1-4A0A-8B43-EEBA203A7314", "vulnerable": true}, {"criteria": "cpe:2.3:a:knot-dns:knot_dns:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "6362CB21-8799-4059-A816-B63064389D0B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Knot DNS before 2.4.5 and 2.5.x before 2.5.2 contains a flaw within the TSIG protocol implementation that would allow an attacker with a valid key name and algorithm to bypass TSIG authentication if no additional ACL restrictions are set, because of an improper TSIG validity period check."}, {"lang": "es", "value": "Knot DNS anterior a versi\u00f3n 2.4.5 y versi\u00f3n 2.5.x anterior a 2.5.2, contiene un fallo dentro de la implementaci\u00f3n del protocolo TSIG que permitir\u00eda a un atacante con un nombre de clave v\u00e1lido y un algoritmo omitir la autenticaci\u00f3n TSIG si no se establecen restricciones ACL adicionales, debido a una comprobaci\u00f3n inapropiada del per\u00edodo de validez TSIG."}], "id": "CVE-2017-11104", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-07-08T10:29:00.170", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00076.html"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00078.html"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00089.html"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00049.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2017/dsa-3910"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.securityfocus.com/bid/99598"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Patch", "Third Party Advisory"], "url": "http://www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdf"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugs.debian.org/865678"}, {"source": "cve@mitre.org", "tags": ["Broken Link", "Mailing List", "Patch", "Third Party Advisory"], "url": "https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00076.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00078.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00089.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00049.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2017/dsa-3910"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://www.securityfocus.com/bid/99598"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mitigation", "Patch", "Third Party Advisory"], "url": "http://www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugs.debian.org/865678"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Mailing List", "Patch", "Third Party Advisory"], "url": "https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}