[arch-security] [ASA-201711-31] powerdns-recursor: multiple issues
Remi Gacogne
rgacogne at archlinux.org
Mon Nov 27 23:04:24 UTC 2017
Arch Linux Security Advisory ASA-201711-31
==========================================
Severity: Medium
Date : 2017-11-27
CVE-ID : CVE-2017-15090 CVE-2017-15092 CVE-2017-15093 CVE-2017-15094
Package : powerdns-recursor
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-520
Summary
=======
The package powerdns-recursor before version 4.0.7-1 is vulnerable to
multiple issues including cross-site scripting, denial of service and
insufficient validation.
Resolution
==========
Upgrade to 4.0.7-1.
# pacman -Syu "powerdns-recursor>=4.0.7-1"
The problems have been fixed upstream in version 4.0.7.
Workaround
==========
It is possible to work around CVE-2017-15093 by disabling the ability
to alter the configuration via the API by setting 'api-config-dir' to
an empty value (default), or by marking the API read-only via the 'api-
readonly' setting.
Description
===========
- CVE-2017-15090 (insufficient validation)
An issue has been found in the DNSSEC validation component of PowerDNS
Recursor from 4.0.0 up to and including 4.0.5, where the signatures
might have been accepted as valid even if the signed data was not in
bailiwick of the DNSKEY used to sign it. This allows an attacker in
position of man-in-the-middle to alter the content of records by
issuing a valid signature for the crafted records.
- CVE-2017-15092 (cross-site scripting)
An issue has been found in the web interface of PowerDNS Recursor from
4.0.0 and up to and including 4.0.6, where the qname of DNS queries was
displayed without any escaping, allowing a remote attacker to inject
HTML and Javascript code into the web interface, altering the content.
- CVE-2017-15093 (insufficient validation)
An issue has been found in the API of PowerDNS Recursor < 4.0.7, during
a source code audit by Nixu. When 'api-config-dir' is set to a non-
empty value, which is not the case by default, the API allows an
authorized user to update the Recursor’s ACL by adding and removing
netmasks, and to configure forward zones. It was discovered that the
new netmask and IP addresses of forwarded zones were not sufficiently
validated, allowing an authenticated user to inject new configuration
directives into the Recursor’s configuration.
- CVE-2017-15094 (denial of service)
An issue has been found in the DNSSEC parsing code of PowerDNS Recursor
from 4.0.0 and up to and including 4.0.6, during a code audit by Nixu,
leading to a memory leak when parsing specially crafted DNSSEC ECDSA
keys. These keys are only parsed when validation is enabled by setting
'dnssec' to a value other than 'off' or 'process-no-validate'
(default).
Impact
======
A remote, unauthenticated attacker can inject Javascript code into the
web interface, or can cause a denial of service via crafted DNSSEC
signatures. An attacker in position of man-in-the-middle can also
bypass DNSSEC validation via a crafted signature. In addition to that,
a remote authenticated attacker with access to the API can inject
unexpected directives into the configuration file.
References
==========
http://seclists.org/oss-sec/2017/q4/329
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html
https://github.com/PowerDNS/pdns/commit/9aed598c9a0a8f9b3a2a9c2310023d56c4a26ef8
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html
https://github.com/PowerDNS/pdns/commit/fd30387c26144cda3a5ab50c3946635bec1020b7
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html
https://github.com/PowerDNS/pdns/commit/badf9e8900428f21585f7f929aeddc87cd0d2069
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html
https://github.com/PowerDNS/pdns/commit/e87fe3987ab9a3b900544a0fc3bcf41068eef92a
https://security.archlinux.org/CVE-2017-15090
https://security.archlinux.org/CVE-2017-15092
https://security.archlinux.org/CVE-2017-15093
https://security.archlinux.org/CVE-2017-15094
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20171128/c234f128/attachment.asc>
More information about the arch-security
mailing list