pdns-recursor: CVE-2023-26437: Deterred spoofing attempts can lead to authoritative servers being marked unavailable

Debian Bug report logs - #1033941
pdns-recursor: CVE-2023-26437: Deterred spoofing attempts can lead to authoritative servers being marked unavailable

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Chris Hofstaedtler <zeha@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: pdns-recursor: CVE-2023-26437: Deterred spoofing attempts can lead to authoritative servers being marked unavailable

Date: Tue, 04 Apr 2023 13:27:33 +0200

Source: pdns-recursor
Version: 4.8.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

The following vulnerability was published for pdns-recursor.

CVE-2023-26437:
| Deterred spoofing attempts can lead to authoritative servers being
| marked unavailable.
| When the recursor detects and deters a spoofing attempt or receives
| certain malformed DNS packets, it throttles the server that was the
| target of the impersonation attempt so that other authoritative servers
| for the same zone will be more likely to be used in the future, in case
| the attacker controls the path to one server only. Unfortunately this
| mechanism can be used by an attacker with the ability to send queries to
| the recursor, guess the correct source port of the corresponding
| outgoing query and inject packets with a spoofed IP address to force the
| recursor to mark specific authoritative servers as not available,
| leading a denial of service for the zones served by those servers.

Additional information:
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html

Chris

PS: unclear to me if 4.4.x in stable is also affected.

Send a report that this bug log contains spam.