PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor

Related Vulnerabilities: CVE-2023-50387   CVE-2023-50868  
                							

From: Otto Moerbeek <otto.moerbeek () powerdns com>

Date: Wed, 14 Feb 2024 07:10:26 +0100 (CET)

We have released PowerDNS Recursor 4.8.6, 4.9.3 and 5.0.2.

   These releases fix PowerDNS Security Advisory 2024-01: crafted DNSSEC
   records in a zone can lead to a denial of service in Recursor. The
   Advisory follows:

PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead
to a denial of service in Recursor

     * CVE: CVE-2023-50387 and CVE-2023-50868
     * Date: 13th of February 2024.
     * Affects: PowerDNS Recursor up to and including 4.8.5, 4.9.2 and
       5.0.1
     * Not affected: PowerDNS Recursor 4.8.6, 4.9.3 and 5.0.2
     * Severity: High
     * Impact: Denial of service
     * Exploit: This problem can be triggered by an attacker publishing a
       crafted zone
     * Risk of system compromise: None
     * Solution: Upgrade to patched version or disable DNSSEC validation

   An attacker can publish a zone that contains crafted DNSSEC related
   records. While validating results from queries to that zone using the
   RFC mandated algorithms, the Recursor's resource usage can become so
   high that processing of other queries is impacted, resulting in a
   denial of service. Note that any resolver following the RFCs can be
   impacted, this is not a problem of this particular implementation.

   CVSS Score: 7.5, see
   https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1[2]

   The remedies are one of:

     * upgrade to a patched version
     * disable DNSSEC validation by setting dnssec=off or
       process-no-validate; when using YAML settings: dnssec.validate: off
       or process-no-validate. Note that this will affect clients
       depending on DNSSEC validation.

   We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and
   Michael Waidner from the German National Research Center for Applied
   Cybersecurity ATHENE for bringing CVE-2023-50387 to the attention of
   the DNS community and especially Niklas Vogel for his assistance in
   validating the patches. We would also like to thank Petr Spacek from
   ISC for discovering and responsibly disclosing CVE-2023-50868.
     __________________________________________________________________

   Please refer to the changelogs (4.8.6[3], 4.9.3[4] and 5.0.2[5]) and
   upgrade guide for additional details. The upgrade guide describes one
   known issue related to the zoneToCache function.

   Please send us all feedback and issues you might have via the mailing
   list[6], or in case of a bug, via GitHub[7].

   The tarballs (4.8.6[8], 4.9.3[9], 5.0.2[10]) (with signature files
   4.8.6[11], 4.9.3[12], 5.0.2[13]) are available from our
   download server[14] and packages for several distributions are
   available from our repository[15].

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. file:///Users/otto/pdns/pdns/recursordist/html-docs/security-advisories/powerdns-advisory-2024-01.html#powerdns-security-advisory-2024-01-crafted-dnssec-records-in-a-zone-can-lead-to-a-denial-of-service-in-recursor
   2. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
   3. https://doc.powerdns.com/recursor/changelog/4.8.html#change-4.8.6
   4. https://doc.powerdns.com/recursor/changelog/4.9.html#change-4.9.3
   5. https://doc.powerdns.com/recursor/changelog/5.0.html#change-5.0.2
   6. https://mailman.powerdns.com/mailman/listinfo/pdns-users
   7. https://github.com/PowerDNS/pdns/issues/new/choose
   8. https://downloads.powerdns.com/releases/pdns-recursor-4.8.6.tar.bz2
   9. https://downloads.powerdns.com/releases/pdns-recursor-4.9.3.tar.bz2
  10. https://downloads.powerdns.com/releases/pdns-recursor-5.0.2.tar.bz2
  11. https://downloads.powerdns.com/releases/pdns-recursor-4.8.6.tar.bz2.sig
  12. https://downloads.powerdns.com/releases/pdns-recursor-4.9.3.tar.bz2.sig
  13. https://downloads.powerdns.com/releases/pdns-recursor-5.0.2.tar.bz2.sig
  14. https://downloads.powerdns.com/releases/
  15. https://repo.powerdns.com/

-- 

kind regards,
Otto Moerbeek
Senior Developer PowerDNS 

Phone: +49 2761 75252 00 Fax: +49 2761 75252 30
Email: otto.moerbeek () open-xchange com

-------------------------------------------------------------------------------------
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366 
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin 
Chairman of the Board: Richard Seibt 
 
PowerDNS.COM BV, Koninginnegracht 5, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt
-------------------------------------------------------------------------------------
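
A fleet-triage check built from the affected versions and remedies listed in the advisory above, as an added example that is not part of the original message or of PowerDNS code. It assumes old-style recursor.conf syntax, that the last dnssec= assignment wins, that an unset dnssec behaves as process, and that branches older than 4.8 are affected while branches newer than 5.0 are fixed.

```python
import re

# Fixed patch level per release branch, as named in the advisory.
FIXED = {(4, 8): 6, (4, 9): 3, (5, 0): 2}
# dnssec values the advisory lists as remedies (validation never runs).
NO_VALIDATION = {"off", "process-no-validate"}


def version_affected(text):
    """True if the version in text (e.g. 'PowerDNS Recursor 4.9.2') is affected."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    # Assumption: "up to and including" covers every older branch, and
    # branches released after 5.0 already carry the fix.
    return (major, minor) < (4, 8)


def dnssec_mode(conf_text):
    """Return the effective dnssec value from old-style recursor.conf text."""
    mode = "process"  # assumed default when the setting is absent
    for line in conf_text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep and key.strip() == "dnssec":
            mode = value.strip().lower()  # assumption: last assignment wins
    return mode


def triage(version_text, conf_text):
    """Classify one host as 'patched', 'mitigated' or 'exposed'."""
    if not version_affected(version_text):
        return "patched"
    if dnssec_mode(conf_text) in NO_VALIDATION:
        return "mitigated"
    return "exposed"


if __name__ == "__main__":
    # Constructed inventory: host -> (reported version, recursor.conf text).
    hosts = {
        "resolver-a": ("PowerDNS Recursor 4.9.2", "dnssec=validate\n"),
        "resolver-b": ("PowerDNS Recursor 5.0.2", "dnssec=validate\n"),
        "resolver-c": ("PowerDNS Recursor 4.8.5", "dnssec = off  # temporary\n"),
    }
    for name, (version, conf) in hosts.items():
        print(name, triage(version, conf))
```
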