Open source nameserver used by millions needs patching

PowerDNS admins, feel free to fix these DNSSEC bugs before something nasty happens

Open source DNS software vendor PowerDNS has advised users to patch its "Authoritative" and "Recursor" products, to squish five bugs disclosed today.

None of the bugs pose a risk that PowerDNS might itself be compromised, but this is the DNS: what an attacker can do is fool around with DNS records in various ways.

That can be catastrophic if done right: for example, if a network is tricked into advertising itself as the whole of the Internet, it can be hosed, or if the wrong network promises it's the best way to reach YouTube, then YouTube is blackholed.

Recursor has been hit by CVE-2017-15090, a bug in its DNSSEC signature validation the company said could let a man-in-the-middle attacker issue a valid signature for bogus records.

DNSSEC implementation has also been fingered for CVE-2017-15094, a denial-of-service bug. In the admittedly unlikely event that an attack came from an authoritative server, crafted packets would cause a memory leak in Recursor.

CVE-2017-15092 has been indentified as a cross-site scripting bug in the PowerDNS Recursor's Web interface.

The software exposed DNS queries' QName (an XML element used for URI references) without escaping, which would let an attacker inject HTML or JavaScript into the interface by sending crafted DNS queries.

The PowerDNS Recursor is also subject to configuration file injection in its API. CVE-2017-15093 is only vulnerable to authorised users, and if you can't patch, you can disable configuration editing via the API.

Finally, PowerDNS Authoritative needs patching against CVE-2017-15091, to fix a missing check on API operations.

PowerDNS's Remi Gacogne told the OSS-Sec mailing list the bugs affect only non-default configurations, and noted that users on the version 3 stream can download "minimal" patches.

The bugs hit Recursor 4.0.0 through 4.0.6. The Authoritative bug struck up to and including version 4.0.4, plus version 3.4.11. ?


Biting the hand that feeds IT ? 1998–2017