[Pdns-users] PowerDNS Security Advisory 2012-01: Denial of Service vulnerability in most versions of the PowerDNS Authoritative Server

Charles Sprickman spork at bway.net
Tue Jan 10 17:29:08 UTC 2012


Two quick questions for those of us not running Linux:

-Are you coordinating with the FreeBSD port maintainer to get the new version pushed out?  (http://www.freshports.org/dns/powerdns)
-For those of us unfamiliar with iptables, can you describe in a more generic fashion what that rule is accomplishing?

Thanks,

Charles

On Jan 10, 2012, at 9:01 AM, bert hubert wrote:

> Dear PowerDNS users,
> 
> It saddens us to have to release this Security Advisory, the first one since
> almost exactly two years ago.
> 
> Updated versions of the Authoritative Server are available from
> http://www.powerdns.com/content/downloads.html and you will find two
> workarounds and a patch below. 
> 
> A version of this announcement with clickable links is available from
> http://doc.powerdns.com/powerdns-advisory-2012-01.html
> 
> If you have problems upgrading and would like us to help you, please contact
> powerdns.support at netherlabs.nl for a support arrangement.
> 
> +-------------+---------------------------------------------------------------+
> |CVE          |CVE-2012-0206                                                  |
> +-------------+---------------------------------------------------------------+
> |Date         |10th of January 2012                                           |
> +-------------+---------------------------------------------------------------+
> |Credit       |Ray Morris of BetterCGI.com.                                   |
> +-------------+---------------------------------------------------------------+
> |Affects      |Most PowerDNS Authoritative Server versions < 3.0.1 (with the  |
> |             |exception of the just released 2.9.22.5)                       |
> +-------------+---------------------------------------------------------------+
> |Not affected |No versions of the PowerDNS Recursor ('pdns_recursor') are     |
> |             |affected.                                                      |
> +-------------+---------------------------------------------------------------+
> |Severity     |High                                                           |
> +-------------+---------------------------------------------------------------+
> |             |Using well crafted UDP packets, one or more PowerDNS servers   |
> |Impact       |could be made to enter a tight packet loop, causing temporary  |
> |             |denial of service                                              |
> +-------------+---------------------------------------------------------------+
> |Exploit      |Proof of concept                                               |
> +-------------+---------------------------------------------------------------+
> |Risk of      |                                                               |
> |system       |No                                                             |
> |compromise   |                                                               |
> +-------------+---------------------------------------------------------------+
> |Solution     |Upgrade to PowerDNS Recursor 2.9.22.5 or 3.0.1                 |
> +-------------+---------------------------------------------------------------+
> |Workaround   |Several, the easiest is setting: cache-ttl=0, which does have a|
> |             |performance impact. Please see below.                          |
> +-------------+---------------------------------------------------------------+
> 
> 
> Affected versions of the PowerDNS Authoritative Server can be made to
> respond to DNS responses, thus enabling an attacker to setup a packet loop
> between two PowerDNS servers, perpetually answering each other's answers. 
> In some scenarios, a server could also be made to talk to itself, achieving
> the same effect.
> 
> If enough bouncing traffic is generated, this will overwhelm the server or
> network and disrupt service.
> 
> As a workaround, if upgrading to a non-affected version is not possible,
> several options are available.  The issue is caused by the packet-cache,
> which can be disabled by setting 'cache-ttl=0', although this does incur a
> performance penalty.  This can be partially addressed by raising the
> query-cache-ttl to a (far) higher value.
> 
> Alternatively, on Linux systems with a working iptables setup, 'responses'
> sent to the PowerDNS Authoritative Server 'question' address can be blocked
> by issuing:
> 
> # iptables -I INPUT -p udp --dst $AUTHIP --dport 53 \! -f -m u32 --u32 "0>>22&0x3C at 8>>15&0x01=1" -j DROP
> 
> 
> If this command is used on a router or firewall, substitute FORWARD for INPUT.
> 
> To solve this issue, we recommend upgrading to the latest packages available
> for your system. Tarballs and new static builds (32/64bit, RPM/DEB) of 2.9.22.5
> and 3.0.1 have been uploaded to our download site. Kees Monshouwer has provided
> updated CentOS/RHEL packages in his repository. Debian, Fedora and SuSE should
> have packages available shortly after this announcement.
> 
> For those running custom PowerDNS versions, just applying this patch may be
> easier:
> 
> --- pdns/common_startup.cc   (revision 2326)
> +++ pdns/common_startup.cc   (working copy)
> @@ -253,7 +253,9 @@
>       numreceived4++;
>     else
>       numreceived6++;
> -
> +    if(P->d.qr)
> +      continue;
> +
>     S.ringAccount("queries", P->qdomain+"/"+P->qtype.getName());
>     S.ringAccount("remotes",P->getRemote());
>     if(logDNSQueries) {
> 
> It should apply cleanly to 3.0 and with little trouble to several older
> releases, including 2.9.22 and 2.9.21.
> 
> This bug resurfaced because over time, the check for 'not responding to
> responses' moved to the wrong place, allowing certain responses to be processed
> anyhow.
> 
> We would like to thank Ray Morris of BetterCGI.com for bringing this issue to
> our attention and Aki Tuomi for helping us reproduce the problem.
> 
> Kind regards,
> 
> Bert Hubert
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users




More information about the Pdns-users mailing list