ArchLinux: 201711-31: powerdns-recursor: multiple issues
Summary
- CVE-2017-15090 (insufficient validation)
An issue has been found in the DNSSEC validation component of PowerDNS
Recursor from 4.0.0 up to and including 4.0.5, where signatures
might have been accepted as valid even if the signed data was not in the
bailiwick of the DNSKEY used to sign it. This allows an attacker in a
man-in-the-middle position to alter the content of records by
issuing a valid signature for the crafted records.
- CVE-2017-15092 (cross-site scripting)
An issue has been found in the web interface of PowerDNS Recursor from
4.0.0 up to and including 4.0.6, where the qname of DNS queries was
displayed without any escaping, allowing a remote attacker to inject
HTML and JavaScript code into the web interface, altering its content.
- CVE-2017-15093 (insufficient validation)
An issue has been found in the API of PowerDNS Recursor < 4.0.7, during
a source code audit by Nixu. When 'api-config-dir' is set to a non-empty
value, which is not the case by default, the API allows an
authorized user to update the Recursor’s ACL by adding and removing
netmasks, and to configure forward zones. It was discovered that the
new netmask and IP addresses of forwarded zones were not sufficiently
validated, allowing an authenticated user to inject new configuration
directives into the Recursor’s configuration.
- CVE-2017-15094 (denial of service)
An issue has been found in the DNSSEC parsing code of PowerDNS Recursor
from 4.0.0 up to and including 4.0.6, during a code audit by Nixu,
leading to a memory leak when parsing specially crafted DNSSEC ECDSA
keys. These keys are only parsed when validation is enabled by setting
'dnssec' to a value other than 'off' or 'process-no-validate'
(the default).
Resolution
Upgrade to 4.0.7-1.
# pacman -Syu "powerdns-recursor>=4.0.7-1"
The problems have been fixed upstream in version 4.0.7.
References
https://seclists.org/oss-sec/2017/q4/329
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html
https://github.com/PowerDNS/pdns/commit/9aed598c9a0a8f9b3a2a9c2310023d56c4a26ef8
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html
https://github.com/PowerDNS/pdns/commit/fd30387c26144cda3a5ab50c3946635bec1020b7
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html
https://github.com/PowerDNS/pdns/commit/badf9e8900428f21585f7f929aeddc87cd0d2069
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html
https://github.com/PowerDNS/pdns/commit/e87fe3987ab9a3b900544a0fc3bcf41068eef92a
https://security.archlinux.org/CVE-2017-15090
https://security.archlinux.org/CVE-2017-15092
https://security.archlinux.org/CVE-2017-15093
https://security.archlinux.org/CVE-2017-15094
Workaround
It is possible to work around CVE-2017-15093 by disabling the ability to alter the configuration via the API by setting 'api-config-dir' to an empty value (default), or by marking the API read-only via the 'api-readonly' setting.
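The following is an added audit script, not part of this advisory or of PowerDNS, that reads a recursor.conf and reports which of the conditions described above (the installed version, the CVE-2017-15093 workaround settings, and the 'dnssec' mode that makes the CVE-2017-15094 parsing path reachable) a deployment leaves open. The key=value / '#' comment syntax, the boolean spellings accepted for 'api-readonly', and the sample configuration are assumptions.

```python
from typing import Dict, List, Tuple

# Assumption: boolean spellings PowerDNS accepts for settings like api-readonly
TRUE_VALUES = {"yes", "true", "on", "1"}
FIXED_VERSION = (4, 0, 7)  # from the advisory: fixed upstream in 4.0.7

# Constructed sample recursor.conf (not a real deployment)
SAMPLE_CONF = """\
# sample config with the API allowed to write configuration
api-key=placeholder-key   # placeholder value
api-config-dir=/etc/powerdns/api
dnssec=validate
"""


def parse_recursor_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' starts a comment (assumed syntax)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.0.6-1' (package version, release suffix dropped) into (4, 0, 6)."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def audit(settings: Dict[str, str], version: str) -> List[str]:
    """Return the advisory conditions this configuration still leaves open."""
    findings: List[str] = []
    if parse_version(version) < FIXED_VERSION:
        findings.append("version below 4.0.7: advisory CVEs unpatched, upgrade")
    # CVE-2017-15093 requires a non-empty api-config-dir and a writable API;
    # either an empty dir (the default) or api-readonly is the workaround
    readonly = settings.get("api-readonly", "no").lower() in TRUE_VALUES
    if settings.get("api-config-dir", "") and not readonly:
        findings.append("CVE-2017-15093 workaround absent: "
                        "api-config-dir set and api-readonly off")
    # CVE-2017-15094: ECDSA keys are only parsed when validation is enabled
    if settings.get("dnssec", "process-no-validate") not in ("off", "process-no-validate"):
        findings.append("dnssec validation enabled: CVE-2017-15094 parsing path reachable")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_recursor_conf(SAMPLE_CONF), "4.0.6-1"):
        print(finding)
```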