|
Message-ID: <1494875110.1183.1707891026523@appsuite-guard.open-xchange.com>
Date: Wed, 14 Feb 2024 07:10:26 +0100 (CET)
From: Otto Moerbeek <otto.moerbeek@...erdns.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a
zone can lead to a denial of service in Recursor
We have released PowerDNS Recursor 4.8.6, 4.9.3 and 5.0.2.
These releases fix PowerDNS Security Advisory 2024-01: crafted DNSSEC
records in a zone can lead to a denial of service in Recursor. The
Advisory follows:
PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead
to a denial of service in Recursor
* CVE: CVE-2023-50387 and CVE-2023-50868
* Date: 13th of February 2024.
* Affects: PowerDNS Recursor up to and including 4.8.5, 4.9.2 and
5.0.1
* Not affected: PowerDNS Recursor 4.8.6, 4.9.3 and 5.0.2
* Severity: High
* Impact: Denial of service
* Exploit: This problem can be triggered by an attacker publishing a
crafted zone
* Risk of system compromise: None
* Solution: Upgrade to patched version or disable DNSSEC validation
An attacker can publish a zone that contains crafted DNSSEC related
records. While validating results from queries to that zone using the
RFC mandated algorithms, the Recursorâs resource usage can become so
high that processing of other queries is impacted, resulting in a
denial of service. Note that any resolver following the RFCs can be
impacted, this is not a problem of this particular implementation.
CVSS Score: 7.5, see
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/P
R:N/UI:N/S:U/C:N/I:N/A:H&version=3.1[2]
The remedies are one of:
* upgrade to a patched version
* disable DNSSEC validation by setting dnssec=off or
process-no-validate; when using YAML settings: dnssec.validate: off
or process-no-validate. Note that this will affect clients
depending on DNSSEC validation.
We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and
Michael Waidner from the German National Research Center for Applied
Cybersecurity ATHENE for bringing CVE-2023-50387 to the attention of
the DNS community and especially Niklas Vogel for his assistance in
validating the patches. We would also like to thank Petr Spacek from
ISC for discovering and responsibly disclosing CVE-2023-50868.
__________________________________________________________________
Please refer to the changelogs (4.8.6[3], 4.9.3[4] and 5.0.2[5]) and
upgrade guide for additional details. The upgrade guide describes one
known issue related to the zoneToCache function.
Please send us all feedback and issues you might have via the mailing
list[6], or in case of a bug, via GitHub[7].
The tarballs (4.8.6[8], 4.9.3[9], 5.0.2[10]) (with signature files
4.8.6[11], 4.9.3[12], 5.0.2[13]) are available from our
download server[14] and packages for several distributions are
available from our repository[15].
We are grateful to the PowerDNS community for the reporting of bugs,
issues, feature requests, and especially to the submitters of fixes and
implementations of features.
References
1. file:///Users/otto/pdns/pdns/recursordist/html-docs/security-advisories/powerdns-advisory-2024-01.html#powerdns-security-advisory-2024-01-crafted-dnssec-records-in-a-zone-can-lead-to-a-denial-of-service-in-recursor
2. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
3. https://doc.powerdns.com/recursor/changelog/4.8.html#change-4.8.6
4. https://doc.powerdns.com/recursor/changelog/4.9.html#change-4.9.3
5. https://doc.powerdns.com/recursor/changelog/5.0.html#change-5.0.2
6. https://mailman.powerdns.com/mailman/listinfo/pdns-users
7. https://github.com/PowerDNS/pdns/issues/new/choose
8. https://downloads.powerdns.com/releases/pdns-recursor-4.8.6.tar.bz2
9. https://downloads.powerdns.com/releases/pdns-recursor-4.9.3.tar.bz2
10. https://downloads.powerdns.com/releases/pdns-recursor-5.0.2.tar.bz2
11. https://downloads.powerdns.com/releases/pdns-recursor-4.8.6.tar.bz2.sig
12. https://downloads.powerdns.com/releases/pdns-recursor-4.9.3.tar.bz2.sig
13. https://downloads.powerdns.com/releases/pdns-recursor-5.0.2.tar.bz2.sig
14. https://downloads.powerdns.com/releases/
15. https://repo.powerdns.com/
--
kind regards,
Otto Moerbeek
Senior Developer PowerDNS
Phone: +49 2761 75252 00 Fax: +49 2761 75252 30
Email: otto.moerbeek@...n-xchange.com
-------------------------------------------------------------------------------------
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Richard Seibt
PowerDNS.COM BV, Koninginnegracht 5, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt
-------------------------------------------------------------------------------------
Download attachment "signature.asc" of type "application/pgp-signature" (476 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.