[Pdns-users] Regarding CVE-2015-7547 & PowerDNS Recursor

bert hubert bert.hubert at powerdns.com
Wed Feb 17 12:56:31 UTC 2016


Since yesterday we have been following and studying CVE-2015-7547. More
about which on
https://googleonlinesecurity.blogspot.nl/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

In short, this is a vulnerability not in PowerDNS products but in the Linux
C library. This vulnerability could be exploited if it would be possible to
relay specifically crafted records to Linux clients.

It appears the PowerDNS Recursor out of the box makes it hard to transport
such specifically crafted records. 

However, at this point there is still uncertainty over how CVE-2015-7547
could be exploited exactly. It may be that there are still ways to get the
PowerDNS Recursor to relay content that could exploit vulnerable clients.

(we have tweeted earlier that we thought this was not possible. It now
appears not enough is known about CVE-2015-7547 to be sure).

To be on the safe side, we have published a Lua script that puts in place
further restrictions in the recursor that should help block CVE-2015-7547,
as far as we currently understand it.

We urge everyone to patch their Linux C libraries of course. But as long as
this is in progress or not yet possible, this script may help you protect
vulnerable systems:

function postresolve ( remoteip, domain, qtype, records, origrcode )
        local len=0
        for key,val in ipairs(records)
        do
                len = len + #val.qname + #val.content + 16
        end
        if(len < 2048) then
                return -1,{}
        else
                -- pdnslog("Protected "..remoteip.." against an overly large
                -- response of "..len.." bytes")
                return -2,{}
        end
end

It is also available on: https://gist.github.com/ahupowerdns/0f7de247dd200dea41bf
which also mentions how to install the script.

NOTE: We will keep updating the version of the script on GitHub and on our
blog. Please check back for updates.

Please let us know if you have further questions!

	Bert



More information about the Pdns-users mailing list