ArchLinux: 201701-29: powerdns: multiple issues
Summary
- CVE-2016-2120 (denial of service)
An issue has been found in PowerDNS Authoritative Server allowing an
authorized user to crash the server by inserting a specially crafted
record in a zone under their control then sending a DNS query for that
record. The issue is due to an integer overflow when checking if the
content of the record matches the expected size, allowing an attacker
to cause a read past the buffer boundary.
- CVE-2016-7068 (denial of service)
An issue has been found in PowerDNS allowing a remote, unauthenticated
attacker to cause an abnormal CPU usage load on the PowerDNS server by
sending crafted DNS queries, which might result in a partial denial of
service if the system becomes overloaded. This issue is based on the
fact that the PowerDNS server parses all records present in a query
regardless of whether they are needed or even legitimate. A specially
crafted query containing a large number of records can be used to take
advantage of that behaviour.
- CVE-2016-7072 (denial of service)
An issue has been found in PowerDNS Authoritative Server allowing a
remote, unauthenticated attacker to cause a denial of service by
opening a large number of TCP connections to the web server. If the web
server runs out of file descriptors, it triggers an exception and
terminates the whole PowerDNS process. While it's more complicated for
an unauthorized attacker to make the web server run out of file
descriptors since its connection will be closed just after being
accepted, it might still be possible.
- CVE-2016-7073 (insufficient validation)
An issue has been found in PowerDNS Authoritative Server and PowerDNS
Recursor allowing an attacker in a man-in-the-middle position to alter
the content of an AXFR because of insufficient validation of TSIG
signatures. The TSIG time and fudge values are not checked in
AXFRRetriever, leading to a possible replay attack.
- CVE-2016-7074 (insufficient validation)
An issue has been found in PowerDNS Authoritative Server and PowerDNS
Recursor allowing an attacker in a man-in-the-middle position to alter
the content of an AXFR because of insufficient validation of TSIG
signatures. There is no check that the TSIG record is the last one,
leading to the possibility of parsing records that are not covered by
the TSIG signature.
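The two checks named in CVE-2016-7073 and CVE-2016-7074, as an added example that is not part of the original advisory and is not PowerDNS code: it walks the records of a single DNS message, rejects it unless the TSIG record is the last one, then compares the signed time against the fudge window. The names check_tsig and sample, the 300-second fudge and the sample message are constructed for illustration; MAC verification is omitted.

```python
import struct

TSIG = 250  # RR type code for TSIG

def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def check_tsig(msg, now):
    """Return 'ok' or the reason a single signed DNS message is rejected."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    total, tsig = an + ns + ar, None
    for i in range(total):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if off + rdlen > len(msg):
            return "truncated record"
        if rtype == TSIG:
            # CVE-2016-7074: records placed after TSIG are not signed.
            if ar == 0 or i != total - 1:
                return "TSIG is not the last record"
            tsig = msg[off:off + rdlen]
        off += rdlen
    if tsig is None:
        return "no TSIG record"
    p = _skip_name(tsig, 0)  # algorithm name precedes the time fields
    hi, lo, fudge = struct.unpack_from("!HIH", tsig, p)
    # CVE-2016-7073: a stale signature must not be accepted (replay).
    if abs(now - ((hi << 32) | lo)) > fudge:
        return "signature outside time/fudge window"
    return "ok"

def sample(signed, tsig_last=True):
    """Constructed message: one A record and one TSIG record with an empty MAC."""
    rr = lambda name, t, cls, rd: name + struct.pack("!HHIH", t, cls, 0, len(rd)) + rd
    a = rr(b"\x07example\x00", 1, 1, bytes([192, 0, 2, 1]))
    rd = b"\x0bhmac-sha256\x00" + struct.pack("!HIH", signed >> 32, signed & 0xFFFFFFFF, 300)
    t = rr(b"\x03key\x00", TSIG, 255, rd + struct.pack("!4H", 0, 0x1234, 0, 0))
    return struct.pack("!6H", 0x1234, 0x8400, 0, 1, 0, 1) + (a + t if tsig_last else t + a)
```

A real verifier also recomputes the MAC over the message and applies the multi-message rules for AXFR streams; both checks above are needed in addition to that, not instead of it.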
Resolution
Upgrade to 4.0.2-1.
# pacman -Syu "powerdns>=4.0.2-1"
The problems have been fixed upstream in version 4.0.2.
References
https://seclists.org/oss-sec/2017/q1/97
https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/
https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/
https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/
https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/
https://security.archlinux.org/CVE-2016-2120
https://security.archlinux.org/CVE-2016-7068
https://security.archlinux.org/CVE-2016-7072
https://security.archlinux.org/CVE-2016-7073
https://security.archlinux.org/CVE-2016-7074
Workaround
None.