Arch Linux Security Advisory ASA-201811-13 ========================================== Severity: Medium Date : 2018-11-12 CVE-ID : CVE-2018-10851 CVE-2018-14626 CVE-2018-14644 Package : powerdns-recursor Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-805 Summary ======= The package powerdns-recursor before version 4.1.5-1 is vulnerable to denial of service. Resolution ========== Upgrade to 4.1.5-1. # pacman -Syu "powerdns-recursor>=4.1.5-1" The problems have been fixed upstream in version 4.1.5. Workaround ========== None. Description =========== - CVE-2018-10851 (denial of service) An issue has been found in PowerDNS Authoritative Server before 4.1.5 and PowerDNS Recursor before 4.1.5. The issue is due to the fact that some memory is allocated before the parsing and is not always properly released if the record is malformed. In the authoritative server case, it allows an authorized user to cause a memory leak by inserting a specially crafted record in a zone under their control, then sending a DNS query for that record. In the case of the recursor, it allows a malicious authoritative server to cause a memory leak by sending specially crafted records. - CVE-2018-14626 (denial of service) An issue has been found in PowerDNS Authoritative Server before 4.1.5 and PowerDNS Recursor before 4.1.5, allowing a remote user to craft a DNS query that will cause an answer without DNSSEC records to be inserted into the packet cache and be returned to clients asking for DNSSEC records, thus hiding the presence of DNSSEC signatures for a specific qname and qtype. For a DNSSEC-signed domain, this means that DNSSEC validating clients will consider the answer to be bogus until it expires from the packet cache, leading to a denial of service. - CVE-2018-14644 (denial of service) An issue has been found in PowerDNS Recursor before 4.1.5 where a remote attacker sending a DNS query for a meta-type like OPT can lead to a zone being wrongly cached as failing DNSSEC validation. It only arises if the parent zone is signed, and all the authoritative servers for that parent zone answer with FORMERR to a query for at least one of the meta-types. As a result, subsequent queries from clients requesting DNSSEC validation will be answered with a ServFail. Impact ====== A remote attacker authorized to send queries can force the recursor to serve answers without DNSSEC-related records to DNSSEC-enabled queries, or can trick the recursor into thinking an authoritative server does not handle EDNS correctly, causing validation failures. A remote attacker authorized to send queries and controlling a malicious authoritative server can crash the recursor by making it send queries to their server then replying with crafted answers. References ========== https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html https://security.archlinux.org/CVE-2018-10851 https://security.archlinux.org/CVE-2018-14626 https://security.archlinux.org/CVE-2018-14644