Arch Linux Security Advisory ASA-201711-31 ========================================== Severity: Medium Date : 2017-11-27 CVE-ID : CVE-2017-15090 CVE-2017-15092 CVE-2017-15093 CVE-2017-15094 Package : powerdns-recursor Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-520 Summary ======= The package powerdns-recursor before version 4.0.7-1 is vulnerable to multiple issues including cross-site scripting, denial of service and insufficient validation. Resolution ========== Upgrade to 4.0.7-1. # pacman -Syu "powerdns-recursor>=4.0.7-1" The problems have been fixed upstream in version 4.0.7. Workaround ========== It is possible to work around CVE-2017-15093 by disabling the ability to alter the configuration via the API by setting 'api-config-dir' to an empty value (default), or by marking the API read-only via the 'api- readonly' setting. Description =========== - CVE-2017-15090 (insufficient validation) An issue has been found in the DNSSEC validation component of PowerDNS Recursor from 4.0.0 up to and including 4.0.5, where the signatures might have been accepted as valid even if the signed data was not in bailiwick of the DNSKEY used to sign it. This allows an attacker in position of man-in-the-middle to alter the content of records by issuing a valid signature for the crafted records. - CVE-2017-15092 (cross-site scripting) An issue has been found in the web interface of PowerDNS Recursor from 4.0.0 and up to and including 4.0.6, where the qname of DNS queries was displayed without any escaping, allowing a remote attacker to inject HTML and Javascript code into the web interface, altering the content. - CVE-2017-15093 (insufficient validation) An issue has been found in the API of PowerDNS Recursor < 4.0.7, during a source code audit by Nixu. When 'api-config-dir' is set to a non- empty value, which is not the case by default, the API allows an authorized user to update the Recursor’s ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor’s configuration. - CVE-2017-15094 (denial of service) An issue has been found in the DNSSEC parsing code of PowerDNS Recursor from 4.0.0 and up to and including 4.0.6, during a code audit by Nixu, leading to a memory leak when parsing specially crafted DNSSEC ECDSA keys. These keys are only parsed when validation is enabled by setting 'dnssec' to a value other than 'off' or 'process-no-validate' (default). Impact ====== A remote, unauthenticated attacker can inject Javascript code into the web interface, or can cause a denial of service via crafted DNSSEC signatures. An attacker in position of man-in-the-middle can also bypass DNSSEC validation via a crafted signature. In addition to that, a remote authenticated attacker with access to the API can inject unexpected directives into the configuration file. References ========== http://seclists.org/oss-sec/2017/q4/329 https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html https://github.com/PowerDNS/pdns/commit/9aed598c9a0a8f9b3a2a9c2310023d56c4a26ef8 https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html https://github.com/PowerDNS/pdns/commit/fd30387c26144cda3a5ab50c3946635bec1020b7 https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html https://github.com/PowerDNS/pdns/commit/badf9e8900428f21585f7f929aeddc87cd0d2069 https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html https://github.com/PowerDNS/pdns/commit/e87fe3987ab9a3b900544a0fc3bcf41068eef92a https://security.archlinux.org/CVE-2017-15090 https://security.archlinux.org/CVE-2017-15092 https://security.archlinux.org/CVE-2017-15093 https://security.archlinux.org/CVE-2017-15094