Arch Linux Security Advisory ASA-201811-13
=========================================
Severity: Medium
Date    : 2018-11-12
CVE-ID  : CVE-2018-10851 CVE-2018-14626 CVE-2018-14644
Package : powerdns-recursor
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-805

Summary
======
The package powerdns-recursor before version 4.1.5-1 is vulnerable to
denial of service.

Resolution
=========
Upgrade to 4.1.5-1.

# pacman -Syu "powerdns-recursor>=4.1.5-1"

The problems have been fixed upstream in version 4.1.5.

Workaround
=========
None.

Description
==========
- CVE-2018-10851 (denial of service)

An issue has been found in PowerDNS Authoritative Server before 4.1.5
and PowerDNS Recursor before 4.1.5. The issue is due to the fact that
some memory is allocated before the parsing and is not always properly
released if the record is malformed.
In the authoritative server case, it allows an authorized user to cause
a memory leak by inserting a specially crafted record in a zone under
their control, then sending a DNS query for that record. In the case of
the recursor, it allows a malicious authoritative server to cause a
memory leak by sending specially crafted records.

- CVE-2018-14626 (denial of service)

An issue has been found in PowerDNS Authoritative Server before 4.1.5
and PowerDNS Recursor before 4.1.5, allowing a remote user to craft a
DNS query that will cause an answer without DNSSEC records to be
inserted into the packet cache and be returned to clients asking for
DNSSEC records, thus hiding the presence of DNSSEC signatures for a
specific qname and qtype. For a DNSSEC-signed domain, this means that
DNSSEC validating clients will consider the answer to be bogus until it
expires from the packet cache, leading to a denial of service.

- CVE-2018-14644 (denial of service)

An issue has been found in PowerDNS Recursor before 4.1.5 where a
remote attacker sending a DNS query for a meta-type like OPT can lead
to a zone being wrongly cached as failing DNSSEC validation. It only
arises if the parent zone is signed, and all the authoritative servers
for that parent zone answer with FORMERR to a query for at least one of
the meta-types. As a result, subsequent queries from clients requesting
DNSSEC validation will be answered with a ServFail.

Impact
=====
A remote attacker authorized to send queries can force the recursor to
serve answers without DNSSEC-related records to DNSSEC-enabled queries,
or can trick the recursor into thinking an authoritative server does
not handle EDNS correctly, causing validation failures. A remote
attacker authorized to send queries and controlling a malicious
authoritative server can crash the recursor by making it send queries
to their server then replying with crafted answers.

References
=========
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html
https://security.archlinux.org/CVE-2018-10851
https://security.archlinux.org/CVE-2018-14626
https://security.archlinux.org/CVE-2018-14644

ArchLinux: 201811-13: powerdns-recursor: denial of service

November 13, 2018

Summary

- CVE-2018-10851 (denial of service) An issue has been found in PowerDNS Authoritative Server before 4.1.5 and PowerDNS Recursor before 4.1.5. The issue is due to the fact that some memory is allocated before the parsing and is not always properly released if the record is malformed. In the authoritative server case, it allows an authorized user to cause a memory leak by inserting a specially crafted record in a zone under their control, then sending a DNS query for that record. In the case of the recursor, it allows a malicious authoritative server to cause a memory leak by sending specially crafted records.
- CVE-2018-14626 (denial of service)
An issue has been found in PowerDNS Authoritative Server before 4.1.5 and PowerDNS Recursor before 4.1.5, allowing a remote user to craft a DNS query that will cause an answer without DNSSEC records to be inserted into the packet cache and be returned to clients asking for DNSSEC records, thus hiding the presence of DNSSEC signatures for a specific qname and qtype. For a DNSSEC-signed domain, this means that DNSSEC validating clients will consider the answer to be bogus until it expires from the packet cache, leading to a denial of service.
- CVE-2018-14644 (denial of service)
An issue has been found in PowerDNS Recursor before 4.1.5 where a remote attacker sending a DNS query for a meta-type like OPT can lead to a zone being wrongly cached as failing DNSSEC validation. It only arises if the parent zone is signed, and all the authoritative servers for that parent zone answer with FORMERR to a query for at least one of the meta-types. As a result, subsequent queries from clients requesting DNSSEC validation will be answered with a ServFail.

Resolution

Upgrade to 4.1.5-1. # pacman -Syu "powerdns-recursor>=4.1.5-1"
The problems have been fixed upstream in version 4.1.5.

References

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html https://security.archlinux.org/CVE-2018-10851 https://security.archlinux.org/CVE-2018-14626 https://security.archlinux.org/CVE-2018-14644

Severity
Package : powerdns-recursor
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-805

Workaround

None.

Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved