[Pdns-dev] Two PowerDNS Recursor Vulnerabilities

bert hubert bert.hubert at netherlabs.nl
Mon Nov 13 20:34:59 CET 2006


Please find attached two PowerDNS Recursor Vulnerabilities. 

PowerDNS Security Advisory 2006-01: Malformed TCP queries can lead to a
buffer overflow which might be exploitable

   Table 1-1. PowerDNS Security Advisory

   +------------------------------------------------------------------------+
   | CVE          | CVE-2006-4251                                           |
   |--------------+---------------------------------------------------------|
   | Date         | 13th of November 2006                                   |
   |--------------+---------------------------------------------------------|
   | Affects      | PowerDNS Recursor versions 3.1.3 and earlier, on all    |
   |              | operating systems.                                      |
   |--------------+---------------------------------------------------------|
   | Not affected | No versions of the PowerDNS Authoritative Server        |
   |              | ('pdns_server') are affected.                           |
   |--------------+---------------------------------------------------------|
   | Severity     | Critical                                                |
   |--------------+---------------------------------------------------------|
   | Impact       | Potential remote system compromise.                     |
   |--------------+---------------------------------------------------------|
   | Exploit      | As far as we know, no exploit is available as of 11th   |
   |              | of November 2006.                                       |
   |--------------+---------------------------------------------------------|
   | Solution     | Upgrade to PowerDNS Recursor 3.1.4, or apply the        |
   |              | patches referred below and recompile                    |
   |--------------+---------------------------------------------------------|
   |              | Disable TCP access to the Recursor. This will have      |
   |              | slight operational impact, but it is likely that this   |
   |              | will not lead to meaningful degradation of service.     |
   |              | Disabling access is best performed at packet level,     |
   | Workaround   | either by configuring a firewall, or instructing the    |
   |              | host operating system to drop TCP connections to port   |
   |              | 53. Additionally, exposure can be limited by            |
   |              | configuring the allow-from setting so only trusted      |
   |              | users can query your nameserver.                        |
   +------------------------------------------------------------------------+

   PowerDNS Recursor 3.1.3 and previous miscalculate the length of incoming
   TCP DNS queries, and will attempt to read up to 4 gigabytes of query into
   a 65535 byte buffer.

   We have not verified if this problem might actually lead to a system
   compromise, but are acting on the assumption that it might.

   For distributors, a minimal patch is available on the PowerDNS wiki.
   Additionally, those shipping very old versions of the PowerDNS Recursor
   might benefit from this patch.

   The impact of these and other security problems can be lessened by
   considering the advice in Chapter 7.

PowerDNS Security Advisory 2006-02: Zero second CNAME TTLs can make
PowerDNS exhaust allocated stack space, and crash

   Table 1-2. PowerDNS Security Advisory

   +------------------------------------------------------------------------+
   | CVE          | CVE-2006-4252                                           |
   |--------------+---------------------------------------------------------|
   | Date         | 13th of November 2006                                   |
   |--------------+---------------------------------------------------------|
   | Affects      | PowerDNS Recursor versions 3.1.3 and earlier, on all    |
   |              | operating systems.                                      |
   |--------------+---------------------------------------------------------|
   | Not affected | No versions of the PowerDNS Authoritative Server        |
   |              | ('pdns_server') are affected.                           |
   |--------------+---------------------------------------------------------|
   | Severity     | Moderate                                                |
   |--------------+---------------------------------------------------------|
   | Impact       | Denial of service                                       |
   |--------------+---------------------------------------------------------|
   | Exploit      | This problem can be triggered by sending queries for    |
   |              | specifically configured domains                         |
   |--------------+---------------------------------------------------------|
   | Solution     | Upgrade to PowerDNS Recursor 3.1.4, or apply commit     |
   |              | 919.                                                    |
   |--------------+---------------------------------------------------------|
   |              | None known. Exposure can be limited by configuring the  |
   | Workaround   | allow-from setting so only trusted users can query your |
   |              | nameserver.                                             |
   +------------------------------------------------------------------------+

   PowerDNS would recurse endlessly on encountering a CNAME loop consisting
   entirely of zero second CNAME records, eventually exceeding resources and
   crashing.



-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services


More information about the Pdns-dev mailing list