Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <389814453.6469.1648211788568@appsuite-guard.open-xchange.com>
Date: Fri, 25 Mar 2022 13:36:28 +0100 (CET)
From: Otto Moerbeek <otto.moerbeek@...n-xchange.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Security Advisory 2022-01 for PowerDNS Authoritative Server 4.4.2,
 4.5.3, 4.6.0 and PowerDNS Recursor 4.4.7, 4.5.7, 4.6.0

   Hello,

   Today we have released PowerDNS Authoritative Server 4.4.3, 4.5.4 and
   4.6.1, and PowerDNS Recursor 4.4.8, 4.5.8 and 4.6.1 due to a low
   severity issue found in both products.
     * In the Authoritative server this issue only applies to secondary
       zones for which IXFR transfers have been enabled and the network
       path to the primary server is not trusted. Note that IXFR transfers
       are not enabled by default.
     * In the Recursor it applies to setups retrieving one or more RPZ
       zones from a remote server if the network path to the server is not
       trusted.

   Tarballs and signatures are available at
   https://downloads.powerdns.com/releases/[1], and patches are available
   at https://downloads.powerdns.com/patches/2022-01/[2]. However, the
   releases contain no other changes, with the exception of our EL8
   builds, which were switched from CentOS 8 to Oracle Linux 8.

   Please find the full text of the advisory below.
     __________________________________________________________________

   PowerDNS Security Advisory 2022-01: incomplete validation of incoming
   IXFR transfer in Authoritative Server and Recursor.
     * CVE: CVE-2022-27227
     * Date: 25th of March 2022.
     * Affects: PowerDNS Authoritative version 4.4.2, 4.5.3, 4.6.0 and
       PowerDNS Recursor 4.4.7, 4.5.7 and 4.6.0
     * Not affected: PowerDNS Authoritative Server 4.4.3, 4.5.4, 4.6.1 and
       PowerDNS Recursor 4.4.8, 4.5.8 and 4.6.1
     * Severity: Low
     * Impact: Denial of service
     * Exploit: This problem can be triggered by an attacker controlling
       the network path for IXFR transfers
     * Risk of system compromise: None
     * Solution: Upgrade to patched version, do not use IXFR in
       Authoritative Server

   In the Authoritative server this issue only applies to secondary zones
   for which IXFR transfers have been enabled and the network path to the
   primary server is not trusted. Note that IXFR transfers are not enabled
   by default.

   In the Recursor it applies to setups retrieving one or more RPZ zones
   from a remote server if the network path to the server is not trusted.

   IXFR usually exchanges only the modifications between two versions of a
   zone, but sometimes needs to fall back to a full transfer of the
   current version.

   When IXFR falls back to a full zone transfer, an attacker in position
   of man-in-the-middle can cause the transfer to be prematurely
   interrupted. This interrupted transfer is mistakenly interpreted as a
   complete transfer, causing an incomplete zone to be processed.

   For the Authoritative Server, IXFR transfers are not enabled by
   default.
   The Recursor only uses IXFR for retrieving RPZ zones. An incomplete RPZ
   transfer results in missing policy entries, potentially causing some
   DNS names and IP addresses to not be properly intercepted.

   We would like to thank Nicolas Dehaine and Dmitry Shabanov from
   ThreatSTOP for reporting and initial analysis of this issue.

References

   1. https://downloads.powerdns.com/releases/
   2. https://downloads.powerdns.com/patches/2021-01/


--

kind regards,
Otto Moerbeek
PowerDNS Developer



Email: otto.moerbeek@...n-xchange.com


-------------------------------------------------------------------------------------
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Richard Seibt

PowerDNS.COM BV, Koninginnegracht 14L, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt, Maxim Letski
-------------------------------------------------------------------------------------

Download attachment "signature.asc" of type "application/pgp-signature" (476 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.