[Pdns-announce] PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritative servers being marked unavailable
Otto Moerbeek
otto.moerbeek at open-xchange.com
Wed Mar 29 11:20:00 UTC 2023
Hello,
Today we have released PowerDNS Recursor 4.6.6, 4.7.5 and 4.8.4 due to
a low severity security issue found.
Please find the full text of the advisory below.
The [1]4.6, [2]4.7 and [3]4.8 changelogs are available.
The [4]4.6.6 ([5]signature), [6]4.7.5 ([7]signature) and
[8]4.8.4 ([9]signature) tarballs are available from our download
[10]server. Patches are available at [11]patches. Packages for various
distributions are available from our [12]repository.
Note that PowerDNS Recursor 4.5.x and older releases are End of Life.
Consult the [13]EOL policy for more details.
__________________________________________________________________
PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to
authoritative servers being marked unavailable
* CVE: CVE-2023-26437
* Date: 29th of March 2023
* Affects: PowerDNS Recursor up to and including 4.6.5, 4.7.4 and
4.8.3
* Not affected: PowerDNS Recursor 4.6.6, 4.7.5 and 4.8.4
* Severity: Low
* Impact: Denial of service
* Exploit: Successful spoofing may lead to authoritative servers
being marked unavailable
* Risk of system compromise: None
* Solution: Upgrade to patched version
When the recursor detects and deters a spoofing attempt or receives certain malformed DNS
packets, it throttles the server that was the target of the impersonation attempt so that other
authoritative servers for the same zone will be more likely to be used in the future, in case the
attacker controls the path to one server only. Unfortunately this mechanism can be used by an
attacker with the ability to send queries to the recursor, guess the correct source port of the
corresponding outgoing query and inject packets with a spoofed IP address to force the recursor
to mark specific authoritative servers as not available, leading a denial of service for the
zones served by those servers.
CVSS 3.0 score: 3.7 (Low)
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/
S:C/C:N/I:N/A:L
Thanks to Xiang Li from Network and Information Security Laboratory,
Tsinghua University for reporting this issue.
References
1. https://docs.powerdns.com/recursor/changelog/4.6.html#change-4.6.6
2. https://docs.powerdns.com/recursor/changelog/4.7.html#change-4.7.5
3. https://docs.powerdns.com/recursor/changelog/4.6.html#change-4.8.4
4. https://downloads.powerdns.com/releases/pdns-recursor-4.6.6.tar.bz2
5. https://downloads.powerdns.com/releases/pdns-recursor-4.6.6.tar.bz2.sig
6. https://downloads.powerdns.com/releases/pdns-recursor-4.7.5.tar.bz2
7. https://downloads.powerdns.com/releases/pdns-recursor-4.7.5.tar.bz2.sig
8. https://downloads.powerdns.com/releases/pdns-recursor-4.8.4.tar.bz2
9. https://downloads.powerdns.com/releases/pdns-recursor-4.8.4.tar.bz2.sig
10. https://downloads.powerdns.com/releases/
11. https://downloads.powerdns.com/patches/2023-01/
12. https://repo.powerdns.com/
13. https://docs.powerdns.com/recursor/appendices/EOL.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: not available
URL: <http://mailman.powerdns.com/pipermail/pdns-announce/attachments/20230329/4a6ddb50/attachment.sig>
More information about the Pdns-announce
mailing list