ArchLinux: 201609-9: powerdns: denial of service
Summary
Two issues have been found in PowerDNS Authoritative Server allowing a
remote, unauthenticated attacker to cause an abnormal load on the
PowerDNS backend by sending crafted DNS queries, which might result in a
partial denial of service if the backend becomes overloaded. SQL
backends for example are particularly vulnerable to this kind of
unexpected load if they have not been dimensioned for it.
- CVE-2016-5426
PowerDNS Authoritative Server accepts queries with a qname's length
larger than 255 bytes.
- CVE-2016-5427
PowerDNS Authoritative Server does not properly handle dot inside labels.
Resolution
Upgrade to 4.0.1-3.
# pacman -Syu "powerdns>=4.0.1-3"
The problems have been fixed upstream in version 4.0.0.
References
https://seclists.org/oss-sec/2016/q3/464 https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/ https://access.redhat.com/security/cve/CVE-2016-5426 https://access.redhat.com/security/cve/CVE-2016-5427
Workaround
Running dnsdist in front of potentially affected servers prevents CVE-2016-5426, and can prevent CVE-2016-5427 with the use of custom rules described in the PowerDNS advisory.