- Bug
- Resolution: Obsolete
- Major
- None
- 4.13.z
- None
- No
- Rejected
- False
Hello Team,
Dell team feedback: there is a CVE issue in an ABI-installed OCP cluster; detailed information below.
A Nessus scan of the RHCOS node (from 4.13.6) got this result:
CVE-2006-0987 | High | 20.13.46.102 | udp 53 | DNS Server Spoofed Request Amplification DDoS | 7.5

Synopsis:
The remote DNS server could be used in a distributed denial of service attack.

Description:
The remote DNS server answers to any request. It is possible to query the name servers (NS) of the root zone ('.') and get an answer that is bigger than the original request. By spoofing the source IP address, a remote attacker can leverage this 'amplification' to launch a denial of service attack against a third-party host using the remote DNS server.

See Also:
https://isc.sans.edu/diary/DNS+queries+for+/5713

Solution:
Restrict access to your DNS server from public network or reconfigure it to reject such queries.
How to reproduce the issue:
mystic@brucehu:~$ oc get nodes
NAME STATUS ROLES AGE VERSION
c1-esx02.racki01.local Ready control-plane,master,worker 10d v1.26.6+73ac561
c1-esx03.racki01.local Ready control-plane,master,worker 10d v1.26.6+73ac561
c1-esx04.racki01.local Ready control-plane,master,worker 10d v1.26.6+73ac561
c1-esx05.racki01.local Ready worker 5d19h v1.26.6+73ac561
mystic@brucehu:~$ oc debug nodes/c1-esx02.racki01.local
Temporary namespace openshift-debug-gx2qj is created for debugging node...
Starting pod/c1-esx02racki01local-debug ...
To use host binaries, run `chroot /host`
Pod IP: 20.14.51.102
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-5.1# rpm -qa | grep bind
bind-license-9.16.23-11.el9_2.1.noarch
bind-libs-9.16.23-11.el9_2.1.x86_64
bind-utils-9.16.23-11.el9_2.1.x86_64
rpcbind-1.2.6-5.el9.x86_64
sh-5.1# ss -anp | grep 53 | grep LIST
u_str LISTEN 0 1 /run/irqbalance/irqbalance2836.sock 47153 * 0 users:(("irqbalance",pid=2836,fd=5))
u_seq LISTEN 0 10 /proc/self/fd/12/attach 17298553 * 0 users:(("conmon",pid=2421190,fd=13))
u_seq LISTEN 0 10 /proc/self/fd/12/attach 268617 * 0 users:(("conmon",pid=25365,fd=13))
u_str LISTEN 0 4096 /var/lib/kubelet/device-plugins/kubelet.sock 52886 * 0 users:(("kubelet",pid=23536,fd=32))
u_seq LISTEN 0 10 /proc/self/fd/12/attach 37536 * 0 users:(("conmon",pid=24428,fd=13))
u_str LISTEN 0 4096 /run/dbus/system_bus_socket 109630 * 0 users:(("dbus-broker",pid=2976,fd=7),("dbus-broker-lau",pid=2928,fd=3),("systemd",pid=1,fd=53))
u_seq LISTEN 0 10 /proc/self/fd/12/attach 16749317 * 0 users:(("conmon",pid=2353791,fd=13))
u_str LISTEN 0 4096 /var/lib/kubelet/pod-resources/2763073215 52882 * 0 users:(("kubelet",pid=23536,fd=18))
tcp LISTEN 0 4096 20.14.51.102:9100 0.0.0.0:* users:(("kube-rbac-proxy",pid=29533,fd=11))
tcp LISTEN 0 4096 20.14.51.102:10250 0.0.0.0:* users:(("kubelet",pid=23536,fd=29))
tcp LISTEN 0 4096 127.0.0.1:10248 0.0.0.0:* users:(("kubelet",pid=23536,fd=16))
tcp LISTEN 0 4096 *:9537 *:* users:(("crio",pid=23205,fd=10))
tcp LISTEN 0 4096 *:53 *:* users:(("coredns",pid=24479,fd=11))
sh-5.1# ps -aux | grep 24479
root 24479 0.1 0.0 3888292 74512 ? Ssl Aug17 7:02 /usr/bin/coredns --conf /etc/coredns/Corefile
root 4183486 0.0 0.0 3332 1756 ? S+ 05:40 0:00 grep 24479
sh-5.1# cat /etc/coredns/Corefile
. {
    errors
    bufsize 512
    health :18080
    forward . 20.100.10.7
    cache 30
    reload
    template IN A c1-raven.racki01.local {
        match .*[.]apps.c1-raven.racki01.local
        answer "{{ .Name }} 60 in {{ .Type }} 20.14.51.223"
        fallthrough
    }
    template IN AAAA c1-raven.racki01.local
    template IN A c1-raven.racki01.local {
        match ^api.c1-raven.racki01.local
        answer "{{ .Name }} 60 in {{ .Type }} 20.14.51.222"
        fallthrough
    }
    template IN AAAA c1-raven.racki01.local
    template IN A c1-raven.racki01.local {
        match ^api-int.c1-raven.racki01.local
        answer "{{ .Name }} 60 in {{ .Type }} 20.14.51.222"
        fallthrough
    }
    template IN AAAA c1-raven.racki01.local
    hosts {
        20.14.51.102 c1-esx02 c1-esx02.c1-raven.racki01.local
        20.14.51.103 c1-esx03 c1-esx03.c1-raven.racki01.local
        20.14.51.104 c1-esx04 c1-esx04.c1-raven.racki01.local
        20.14.51.105 c1-esx05 c1-esx05.c1-raven.racki01.local
        fallthrough
    }
}
It looks like we need to add an acl block in CoreDNS; there are no allow {} sections in the Corefile.
https://coredns.io/plugins/acl/
For the security report please reference:
https://access.redhat.com/support/cases/#/case/03591218/discussion?attachmentId=a096R0000389ELxQAM
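The mitigation the report points to (the CoreDNS acl plugin), written out as an added example Corefile that is not taken from the report or from OpenShift: the acl block answers only sources on the node network and the cluster pod/service networks and refuses everything else, which is what the Nessus "restrict access" advice amounts to for this listener. The three CIDRs are assumptions (the node subnet implied by the hosts entries above plus OpenShift's default clusterNetwork and serviceNetwork) and must be replaced with the cluster's real ranges; it also assumes the bundled coredns binary was built with the acl plugin.

```corefile
. {
    errors
    bufsize 512
    health :18080
    # Added acl block (not in the reported Corefile). Rules are evaluated in
    # order and the first match wins, so the allowed sources come first and
    # everything else is refused. "block" returns a small REFUSED reply,
    # far smaller than the root-zone NS answer the scanner amplifies.
    # All three CIDRs are assumed placeholders:
    #   20.14.51.0/24  node/machine network implied by the hosts entries
    #   10.128.0.0/14  OpenShift default clusterNetwork (pods)
    #   172.30.0.0/16  OpenShift default serviceNetwork
    acl {
        allow net 20.14.51.0/24 10.128.0.0/14 172.30.0.0/16
        block net *
    }
    forward . 20.100.10.7
    cache 30
    reload
    template IN A c1-raven.racki01.local {
        match .*[.]apps.c1-raven.racki01.local
        answer "{{ .Name }} 60 in {{ .Type }} 20.14.51.223"
        fallthrough
    }
    template IN AAAA c1-raven.racki01.local
    template IN A c1-raven.racki01.local {
        match ^api.c1-raven.racki01.local
        answer "{{ .Name }} 60 in {{ .Type }} 20.14.51.222"
        fallthrough
    }
    template IN AAAA c1-raven.racki01.local
    template IN A c1-raven.racki01.local {
        match ^api-int.c1-raven.racki01.local
        answer "{{ .Name }} 60 in {{ .Type }} 20.14.51.222"
        fallthrough
    }
    template IN AAAA c1-raven.racki01.local
    hosts {
        20.14.51.102 c1-esx02 c1-esx02.c1-raven.racki01.local
        20.14.51.103 c1-esx03 c1-esx03.c1-raven.racki01.local
        20.14.51.104 c1-esx04 c1-esx04.c1-raven.racki01.local
        20.14.51.105 c1-esx05 c1-esx05.c1-raven.racki01.local
        fallthrough
    }
}
```

Because the Corefile already carries the reload plugin, CoreDNS picks the change up without a restart; to verify, a root NS query against the node from an address outside the allowed ranges should now return REFUSED, while lookups of api.c1-raven.racki01.local from the nodes themselves keep working.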