ArchLinux: 202107-73: powerdns: denial of service | LinuxSecurity.com

Advisories

Arch Linux Security Advisory ASA-202107-73
==========================================

Severity: Medium
Date    : 2021-07-27
CVE-ID  : CVE-2021-36754
Package : powerdns
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2222

Summary
=======

The package powerdns before version 4.5.1-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 4.5.1-1.

# pacman -Syu "powerdns>=4.5.1-1"

The problem has been fixed upstream in version 4.5.1.

Workaround
==========

Users that cannot upgrade immediately, but do have dnsdist in place,
can use dnsdist to filter such queries before they do harm, with
something like addAction(QTypeRule(65535),
RCodeAction(DNSRCode.REFUSED)).

Description
===========

PowerDNS Authoritative Server 4.5.0 will crash with an uncaught out of
bounds exception if it receives a query with QTYPE 65535. The offending
code was not present in earlier versions, and they are not affected.

Users that cannot upgrade immediately, but do have dnsdist in place,
can use dnsdist to filter such queries before they do harm, with
something like addAction(QTypeRule(65535),
RCodeAction(DNSRCode.REFUSED)).

When the PowerDNS Authoritative Server is run inside a supervisor like
supervisord or systemd, an uncaught exception crash will lead to an
automatic restart, limiting the impact to a somewhat degraded service.

Impact
======

A remote attacker could crash the DNS server with a crafted query.

References
==========

https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2021-01.html
https://downloads.powerdns.com/patches/2021-01/pdns-4.5.0-2021-01.patch
https://github.com/PowerDNS/pdns/commit/96cae2fd21054b383a16c569a363a50f71808cd9
https://security.archlinux.org/CVE-2021-36754

ArchLinux: 202107-73: powerdns: denial of service

July 30, 2021
The package powerdns before version 4.5.1-1 is vulnerable to denial of service

Summary

PowerDNS Authoritative Server 4.5.0 will crash with an uncaught out of bounds exception if it receives a query with QTYPE 65535. The offending code was not present in earlier versions, and they are not affected.
Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)).
When the PowerDNS Authoritative Server is run inside a supervisor like supervisord or systemd, an uncaught exception crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.

Resolution

Upgrade to 4.5.1-1.
# pacman -Syu "powerdns>=4.5.1-1"
The problem has been fixed upstream in version 4.5.1.

References

https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2021-01.html https://downloads.powerdns.com/patches/2021-01/pdns-4.5.0-2021-01.patch https://github.com/PowerDNS/pdns/commit/96cae2fd21054b383a16c569a363a50f71808cd9 https://security.archlinux.org/CVE-2021-36754

Severity
CVE-ID : CVE-2021-36754
Package : powerdns
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-2222

Impact

A remote attacker could crash the DNS server with a crafted query.

Workaround

Users that cannot upgrade immediately, but do have dnsdist in place,can use dnsdist to filter such queries before they do harm, withsomething like addAction(QTypeRule(65535),RCodeAction(DNSRCode.REFUSED)).

Related News

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.