PowerDNS Security Advisory 2019-03

Related Vulnerabilities: CVE-2019-3871  
                							

From: Erik Winkels <erik.winkels () open-xchange com>

Date: Mon, 18 Mar 2019 22:45:09 +0100 (CET)

Hi all,

Today we released PowerDNS Authoritative Server 4.1.7 and 4.0.7, fixing an important security issue in the HTTP remote 
backend that has recently been reported to us [1].

The issue is that PowerDNS Authoritative Server, when the HTTP remote backend is used in RESTful mode (without post=1 
set), can be tricked by a remote user into connecting to an attacker-specified HTTP server instead of the configured 
one, via a crafted DNS query.

This can be used to cause a denial of service by preventing the remote backend from getting a response, content 
spoofing if the attacker can time its own query so that subsequent queries will use an attacker-controlled HTTP server 
instead of the configured one, and possibly information disclosure if the Authoritative Server has access to internal 
servers.

This issue has been assigned CVE-2019-3871.

PowerDNS Authoritative up to and including 4.1.6 is affected.
Please note that at the time of writing, PowerDNS Authoritative 3.4 and below are no longer supported, as described in 
[2].

The full security advisory is provided below, and can also be found at [3].

We would like to thank Adam Dobrawy, Frederico Silva and Gregory Brzeski from HyperOne.com for finding and subsequently 
reporting this issue!

Minimal patches are available at [4].

[1]: https://github.com/PowerDNS/pdns/issues/7573
[2]: https://doc.powerdns.com/authoritative/appendices/EOL.html
[3]: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
[4]: https://downloads.powerdns.com/patches/2019-03/

Best regards,
Erik Winkels

PowerDNS Security Advisory 2019-03: Insufficient validation in the HTTP remote backend
======================================================================================
-  CVE: CVE-2019-3871
-  Date: March 18th 2019
-  Affects: PowerDNS Authoritative up to and including 4.1.6
-  Not affected: 4.1.7, 4.0.7
-  Severity: High
-  Impact: Denial of Service, Information Disclosure, Content spoofing
-  Exploit: This problem can be triggered via crafted queries
-  Risk of system compromise: No
-  Solution: Upgrade to a non-affected version

An issue has been found in PowerDNS Authoritative Server when the HTTP remote backend is used in RESTful mode (without 
post=1 set), allowing a remote user to cause the HTTP backend to connect to an attacker-specified host instead of the 
configured one, via a crafted DNS query.
This can be used to cause a denial of service by preventing the remote backend from getting a response, content 
spoofing if the attacker can time its own query so that subsequent queries will use an attacker-controlled HTTP server 
instead of the configured one, and possibly information disclosure if the Authoritative Server has access to internal 
servers.

This issue has been assigned CVE-2019-3871.

PowerDNS Authoritative up to and including 4.1.6 is affected.
Please note that at the time of writing, PowerDNS Authoritative 3.4 and below are no longer supported, as described in 
https://doc.powerdns.com/authoritative/appendices/EOL.html .

We would like to thank Adam Dobrawy, Frederico Silva and Gregory Brzeski from HyperOne.com for finding and subsequently 
reporting this issue!
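
A defender's exposure check built from the advisory's version bounds and its "RESTful mode (without post=1 set)" condition, as an added example that is not part of the original advisory or of PowerDNS itself. The `remote-connection-string` key and its `http:url=...,post=1` option syntax are assumed from the PowerDNS remote backend documentation, and the sample configuration is constructed.

```python
import re

# Fixed releases named in the advisory. Branches not listed here are treated
# as affected "up to and including 4.1.6".
FIXED = {(4, 0): (4, 0, 7), (4, 1): (4, 1, 7)}

# Constructed sample configuration, not taken from the advisory.
SAMPLE_CONF = """\
# pdns.conf (constructed)
launch=remote
remote-connection-string=http:url=http://127.0.0.1:8080/dns,timeout=2000
"""


def version_affected(version):
    """True if this Authoritative Server version predates the fixed releases."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unparseable version: %r" % version)
    v = tuple(int(x) for x in m.groups())
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        return v < fixed
    return v <= (4, 1, 6)


def restful_http_backends(conf_text):
    """Return HTTP remote backend connection strings that lack post=1."""
    hits = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() != "remote-connection-string":
            continue
        # Value format (assumed): <connector>:<opt>=<val>,<opt>=<val>,...
        connector, _, rest = value.strip().partition(":")
        if connector != "http":
            continue  # pipe/unix connectors are not the HTTP remote backend
        opts = dict(o.strip().partition("=")[::2] for o in rest.split(","))
        if opts.get("post") != "1":
            hits.append(value.strip())
    return hits


def exposed(version, conf_text):
    """Affected version AND at least one HTTP backend in RESTful mode."""
    return version_affected(version) and bool(restful_http_backends(conf_text))
```

The check only reports whether the advisory's stated conditions hold for a host; the advisory's solution remains upgrading to a non-affected version.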