Arch Linux Security Advisory ASA-201701-30
==========================================

Severity: Medium
Date    : 2017-01-19
CVE-ID  : CVE-2016-7068 CVE-2016-7073 CVE-2016-7074
Package : powerdns-recursor
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-148

Summary
=======

The package powerdns-recursor before version 4.0.4-1 is vulnerable to
multiple issues including denial of service and insufficient
validation.

Resolution
==========

Upgrade to 4.0.4-1.

# pacman -Syu "powerdns-recursor>=4.0.4-1"

The problems have been fixed upstream in version 4.0.4.

Workaround
==========

None.

Description
===========

- CVE-2016-7068 (denial of service)

An issue has been found in PowerDNS allowing a remote, unauthenticated
attacker to cause abnormal CPU load on the PowerDNS server by sending
crafted DNS queries, which might result in a partial denial of service
if the system becomes overloaded. The issue arises because the PowerDNS
server parses all records present in a query regardless of whether they
are needed or even legitimate. A specially crafted query containing a
large number of records can be used to take advantage of that
behaviour.

- CVE-2016-7073 (insufficient validation)

An issue has been found in PowerDNS Authoritative Server and PowerDNS
Recursor allowing an attacker in a man-in-the-middle position to alter
the content of an AXFR because of insufficient validation of TSIG
signatures. AXFRRetriever is missing a check of the TSIG time and fudge
values, leading to a possible replay attack.

- CVE-2016-7074 (insufficient validation)

An issue has been found in PowerDNS Authoritative Server and PowerDNS
Recursor allowing an attacker in a man-in-the-middle position to alter
the content of an AXFR because of insufficient validation of TSIG
signatures. A check that the TSIG record is the last one is missing,
leading to the possibility of parsing records that are not covered by
the TSIG signature.

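The two TSIG checks named in CVE-2016-7073 and CVE-2016-7074, written out
as an added example (not PowerDNS code and not part of the advisory). The
RR type, the function names and the sample records are hypothetical or
constructed; MAC verification is assumed to happen separately.

```python
import struct
from dataclasses import dataclass

TYPE_TSIG = 250  # RR type code assigned to TSIG

@dataclass
class RR:  # simplified record; hypothetical type, not PowerDNS's own
    name: str
    rtype: int
    rdata: bytes = b""

def parse_tsig_times(rdata):
    """Return (time_signed, fudge) from TSIG RDATA (RFC 2845 layout)."""
    pos = 0
    while rdata[pos] != 0:          # skip uncompressed algorithm-name labels
        pos += 1 + rdata[pos]
    hi, lo, fudge = struct.unpack_from("!HIH", rdata, pos + 1)
    return (hi << 32) | lo, fudge   # time signed is a 48-bit field

def check_tsig(additional, now):
    """Return problems found in a message that is expected to be signed."""
    idx = [i for i, rr in enumerate(additional) if rr.rtype == TYPE_TSIG]
    if not idx:
        return ["no TSIG record"]
    problems = []
    if len(idx) > 1:
        problems.append("more than one TSIG record")
    if idx[-1] != len(additional) - 1:
        # Records after the TSIG are not covered by its MAC.
        problems.append("TSIG is not the last record")
    try:
        signed, fudge = parse_tsig_times(additional[idx[0]].rdata)
    except (IndexError, struct.error):
        return problems + ["malformed TSIG RDATA"]
    if abs(now - signed) > fudge:
        # A captured, validly signed message replayed later fails here.
        problems.append("time signed outside fudge window")
    return problems

def make_tsig(signed, fudge):
    """Build a constructed TSIG record with an empty MAC, for the demo only."""
    rdata = b"\x0bhmac-sha256\x00" + struct.pack("!HIH", signed >> 32, signed & 0xFFFFFFFF, fudge)
    return RR("transfer-key.", TYPE_TSIG, rdata + struct.pack("!HHHH", 0, 0x1234, 0, 0))

if __name__ == "__main__":
    now = 1484784000  # constructed clock value
    print(check_tsig([make_tsig(now - 10, 300)], now))
    print(check_tsig([make_tsig(now - 86400, 300)], now))
    print(check_tsig([make_tsig(now, 300), RR("extra.example.", 1)], now))
```
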
Impact
======

A remote attacker is able to perform a denial of service attack or
bypass certain verification, possibly leading to a replay attack.

References
==========

http://seclists.org/oss-sec/2017/q1/97
https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/
https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/
https://security.archlinux.org/CVE-2016-7068
https://security.archlinux.org/CVE-2016-7073
https://security.archlinux.org/CVE-2016-7074