Open source nameserver used by millions needs patching

PowerDNS admins, feel free to fix these DNSSEC bugs before something nasty happens

Open source DNS software vendor PowerDNS has advised users to patch its "Authoritative" and "Recursor" products, to squish five bugs disclosed today.

None of the bugs pose a risk that PowerDNS might itself be compromised, but this is the DNS: what an attacker can do is fool around with DNS records in various ways.

That can be catastrophic if done right: for example, if a network is tricked into advertising itself as the whole of the Internet, it can be hosed, or if the wrong network promises it's the best way to reach YouTube, then YouTube is blackholed.

Recursor has been hit by CVE-2017-15090, a bug in its DNSSEC signature validation the company said could let a man-in-the-middle attacker issue a valid signature for bogus records.

The DNSSEC implementation has also been fingered for CVE-2017-15094, a denial-of-service bug: in the admittedly unlikely event that an attack came from an authoritative server, crafted packets would cause a memory leak in Recursor.

CVE-2017-15092 has been identified as a cross-site scripting bug in the PowerDNS Recursor's Web interface.

The software exposed DNS queries' QName (an XML element used for URI references) without escaping, which would let an attacker inject HTML or JavaScript into the interface by sending crafted DNS queries.
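The escaping problem described above, as an added illustration that is not PowerDNS's own code: a toy status page lists recent query names, first in the vulnerable form (the name is concatenated straight into the markup) and then in the hardened form (every untrusted value is HTML-escaped before insertion). DNS labels are arbitrary octet strings, so the block also shows RFC 1035 presentation-format escaping of raw labels; that step handles dots, backslashes and non-printable bytes but leaves `<` and `>` untouched, which is exactly why it is not a substitute for HTML escaping. All query names and labels below are constructed sample data.

```python
import html
from typing import List

# Constructed sample of query names as a resolver's web interface might list them.
# The last one carries an HTML/JS payload: nothing in the DNS stops a client
# from asking for a name that happens to look like markup.
SAMPLE_QNAMES: List[str] = [
    "www.example.com.",
    "mail.example.net.",
    '<img src=x onerror="alert(1)">.example.org.',
]


def labels_to_presentation(labels: List[bytes]) -> str:
    """Render raw wire-format labels in RFC 1035 presentation form.

    '.' and '\\' inside a label are backslash-escaped, other printable ASCII
    passes through, and everything else becomes \\DDD (decimal). Note that
    '<', '>', '"' and '&' are printable and therefore pass through unchanged.
    """
    rendered = []
    for label in labels:
        chars = []
        for b in label:
            if b in (0x2E, 0x5C):            # '.' or '\' must be escaped
                chars.append("\\" + chr(b))
            elif 0x21 <= b <= 0x7E:          # printable, non-space ASCII
                chars.append(chr(b))
            else:                            # control bytes, space, high bytes
                chars.append(f"\\{b:03d}")
        rendered.append("".join(chars))
    return ".".join(rendered) + "."


def render_unescaped(qnames: List[str]) -> str:
    """Vulnerable pattern: the query name is pasted directly into the HTML."""
    rows = "".join(f"<tr><td>{q}</td></tr>" for q in qnames)
    return f"<table>{rows}</table>"


def render_escaped(qnames: List[str]) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped at the point of insertion."""
    rows = "".join(f"<tr><td>{html.escape(q, quote=True)}</td></tr>" for q in qnames)
    return f"<table>{rows}</table>"


def contains_live_markup(page: str) -> bool:
    """Crude detector for the demo: did the attacker-supplied tag survive into the page?"""
    return "<img" in page


if __name__ == "__main__":
    print("presentation form:", labels_to_presentation([b"a b", b"x.y", b"<b>", b"example", b"org"]))
    print("unescaped page has live markup:", contains_live_markup(render_unescaped(SAMPLE_QNAMES)))
    print("escaped page has live markup:  ", contains_live_markup(render_escaped(SAMPLE_QNAMES)))
```

The two-step shape is the practical takeaway: convert the wire-format name to a printable string for logging and display, and then apply the escaping of whatever output context it lands in (HTML here), because the first step has no knowledge of the second.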

The PowerDNS Recursor is also subject to configuration file injection in its API. CVE-2017-15093 is only exploitable by authorised users, and if you can't patch, you can disable configuration editing via the API.
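The configuration-injection class of bug described above, as an added example that is not PowerDNS's code and does not use its real API or settings file: a hypothetical line-oriented `key=value` config is written from API-supplied strings. The unchecked writer pastes the values straight into a line, so a value containing a newline smuggles a whole extra directive into the file; the checked writer accepts only a strict DNS-name grammar and a parseable IP address, which rejects newlines and everything else outside the expected shape. The key name `forward-zone`, the config format and the sample values are all constructed for this illustration.

```python
import ipaddress
import re
from typing import Dict

# Strict DNS hostname grammar: alphanumeric labels with interior hyphens,
# dot-separated, optional trailing dot. fullmatch() is used so a stray
# newline or trailing garbage can never slip past the anchor.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_NAME_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}\.?")


class RejectedValue(ValueError):
    """Raised when an API-supplied value does not fit the expected grammar."""


def render_forward_zone_unchecked(zone: str, target: str) -> str:
    """Vulnerable pattern: untrusted strings are concatenated into a config line.

    Because the format is line-oriented, a value with an embedded newline
    adds directives the caller was never meant to control.
    """
    return f"forward-zone={zone}={target}\n"


def render_forward_zone_checked(zone: str, target: str) -> str:
    """Hardened pattern: validate each value against its own grammar first."""
    if len(zone) > 253 or not _NAME_RE.fullmatch(zone):
        raise RejectedValue(f"zone name rejected: {zone!r}")
    try:
        ip = ipaddress.ip_address(target)   # canonicalises and rejects anything non-IP
    except ValueError as exc:
        raise RejectedValue(f"target rejected: {target!r}") from exc
    return f"forward-zone={zone}={ip}\n"


def parse_config(text: str) -> Dict[str, str]:
    """Minimal parser for the hypothetical format: one key=value per line."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def injected_keys(zone: str, target: str) -> set:
    """Keys that end up in the file beyond the one the writer intended to emit."""
    return set(parse_config(render_forward_zone_unchecked(zone, target))) - {"forward-zone"}


# Constructed hostile input: a legitimate-looking zone with a second directive appended.
HOSTILE_ZONE = "example.com\nsome-setting=injected"

if __name__ == "__main__":
    print("unchecked writer leaks keys:", injected_keys(HOSTILE_ZONE, "192.0.2.1"))
    try:
        render_forward_zone_checked(HOSTILE_ZONE, "192.0.2.1")
    except RejectedValue as err:
        print("checked writer:", err)
    print(render_forward_zone_checked("example.com.", "192.0.2.1"), end="")
```

The general rule this illustrates is that anything written into another parser's input (a config file, a zone file, a shell line) needs validation against that parser's grammar, not just the caller's authorisation, which is also why the advice above to disable API-driven config editing is a sensible stopgap until the fix is deployed.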

Finally, PowerDNS Authoritative needs patching against CVE-2017-15091, to fix a missing check on API operations.

PowerDNS's Remi Gacogne told the OSS-Sec mailing list the bugs affect only non-default configurations, and noted that users on the version 3 stream can download "minimal" patches.

The bugs hit Recursor 4.0.0 through 4.0.6. The Authoritative bug struck up to and including version 4.0.4, plus version 3.4.11.

Biting the hand that feeds IT © 1998–2017
