[Pdns-users] Security Advisory 2022-01 for PowerDNS Authoritative Server 4.4.2, 4.5.3, 4.6.0 and PowerDNS Recursor 4.4.7, 4.5.7, 4.6.0
Otto Moerbeek
otto.moerbeek at open-xchange.com
Fri Mar 25 12:30:53 UTC 2022
Hello,
Today we have released PowerDNS Authoritative Server 4.4.3, 4.5.4 and
4.6.1, and PowerDNS Recursor 4.4.8, 4.5.8 and 4.6.1 due to a low
severity issue found in both products.
* In the Authoritative server this issue only applies to secondary
zones for which IXFR transfers have been enabled and the network
path to the primary server is not trusted. Note that IXFR transfers
are not enabled by default.
* In the Recursor it applies to setups retrieving one or more RPZ
zones from a remote server if the network path to the server is not
trusted.
Tarballs and signatures are available at
https://downloads.powerdns.com/releases/[1], and patches are available
at https://downloads.powerdns.com/patches/2022-01/[2]. However, the
releases contain no other changes, with the exception of our EL8
builds, which were switched from CentOS 8 to Oracle Linux 8.
Please find the full text of the advisory below.
__________________________________________________________________
PowerDNS Security Advisory 2022-01: incomplete validation of incoming
IXFR transfer in Authoritative Server and Recursor.
* CVE: CVE-2022-27227
* Date: 25th of March 2022.
* Affects: PowerDNS Authoritative version 4.4.2, 4.5.3, 4.6.0 and
PowerDNS Recursor 4.4.7, 4.5.7 and 4.6.0
* Not affected: PowerDNS Authoritative Server 4.4.3, 4.5.4, 4.6.1 and
PowerDNS Recursor 4.4.8, 4.5.8 and 4.6.1
* Severity: Low
* Impact: Denial of service
* Exploit: This problem can be triggered by an attacker controlling
the network path for IXFR transfers
* Risk of system compromise: None
* Solution: Upgrade to patched version, do not use IXFR in
Authoritative Server
In the Authoritative server this issue only applies to secondary zones
for which IXFR transfers have been enabled and the network path to the
primary server is not trusted. Note that IXFR transfers are not enabled
by default.
In the Recursor it applies to setups retrieving one or more RPZ zones
from a remote server if the network path to the server is not trusted.
IXFR usually exchanges only the modifications between two versions of a
zone, but sometimes needs to fall back to a full transfer of the
current version.
When IXFR falls back to a full zone transfer, an attacker in position
of man-in-the-middle can cause the transfer to be prematurely
interrupted. This interrupted transfer is mistakenly interpreted as a
complete transfer, causing an incomplete zone to be processed.
For the Authoritative Server, IXFR transfers are not enabled by
default.
The Recursor only uses IXFR for retrieving RPZ zones. An incomplete RPZ
transfer results in missing policy entries, potentially causing some
DNS names and IP addresses to not be properly intercepted.
We would like to thank Nicolas Dehaine and Dmitry Shabanov from
ThreatSTOP for reporting and initial analysis of this issue.
References
1. https://downloads.powerdns.com/releases/
2. https://downloads.powerdns.com/patches/2021-01/
--
kind regards,
Otto Moerbeek
PowerDNS Developer
Email: otto.moerbeek at open-xchange.com
-------------------------------------------------------------------------------------
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Richard Seibt
PowerDNS.COM BV, Koninginnegracht 14L, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt, Maxim Letski
-------------------------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: not available
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20220325/5eeed423/attachment.sig>
More information about the Pdns-users
mailing list