====================================================================
CERT-Renater Information Note No. 2017/VULN366
_____________________________________________________________________

DATE : 28/11/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PowerDNS Authoritative Server versions prior to 3.4.11 and 4.0.2, and PowerDNS Recursor 4.x versions prior to 4.0.4.
=====================================================================

https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html
_____________________________________________________________________

PowerDNS Security Advisory 2016-04: Insufficient validation of TSIG signatures

CVE: CVE-2016-7073, CVE-2016-7074
Date: December 15th 2016
Credit: Mongo
Affects: PowerDNS Authoritative Server up to and including 3.4.10 and 4.0.1; PowerDNS Recursor from 4.0.0 up to and including 4.0.3
Not affected: PowerDNS Authoritative Server 3.4.11 and 4.0.2; PowerDNS Recursor < 4.0.0 and 4.0.4
Severity: Medium
Impact: Zone content alteration
Exploit: This problem can be triggered by an attacker in a man-in-the-middle position
Risk of system compromise: No
Solution: Upgrade to a non-affected version

Two issues have been found in PowerDNS Authoritative Server that allow an attacker in a man-in-the-middle position to alter the content of an AXFR because of insufficient validation of TSIG signatures.

The first issue is a missing check of the TSIG time and fudge values in AXFRRetriever, leading to a possible replay attack. This issue has been assigned CVE-2016-7073.
The second issue is a missing check that the TSIG record is the last one, leading to the possibility of parsing records that are not covered by the TSIG signature. This issue has been assigned CVE-2016-7074.

PowerDNS Authoritative Server up to and including 3.4.10 and 4.0.1 is affected. PowerDNS Recursor from 4.0.0 up to and including 4.0.3 is affected.

For those unable to upgrade to a new version, a minimal patch is available.

We would like to thank Mongo for finding and subsequently reporting this issue.
_____________________________________________________________________

PowerDNS Security Advisory 2017-03: Insufficient validation of DNSSEC signatures

CVE: CVE-2017-15090
Date: November 27th 2017
Credit: Kees Monshouwer
Affects: PowerDNS Recursor from 4.0.0 up to and including 4.0.6
Not affected: PowerDNS Recursor < 4.0.0, 4.0.7
Severity: Medium
Impact: Records manipulation
Exploit: This problem can be triggered by an attacker in a man-in-the-middle position
Risk of system compromise: No
Solution: Upgrade to a non-affected version

An issue has been found in the DNSSEC validation component of PowerDNS Recursor, where signatures could be accepted as valid even if the signed data was not in the bailiwick of the DNSKEY used to sign it. This allows an attacker in a man-in-the-middle position to alter the content of records by issuing a valid signature for the crafted records. This issue has been assigned CVE-2017-15090.

PowerDNS Recursor from 4.0.0 up to and including 4.0.6 is affected.

For those unable to upgrade to a new version, a minimal patch is available.

We would like to thank Kees Monshouwer for finding and subsequently reporting this issue.
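The checks described in advisories 2016-04 and 2017-03 above, as an added Python example that is not PowerDNS code: a simplified record model, the two TSIG checks whose absence gave CVE-2016-7073 and CVE-2016-7074 (time/fudge window, TSIG record must be last), and the bailiwick check behind CVE-2017-15090. The names Record, check_axfr_tsig and in_bailiwick are chosen here; MAC verification of the TSIG is assumed to happen elsewhere and is not shown.

```python
from dataclasses import dataclass

@dataclass
class Record:
    """Simplified DNS record; only the fields the checks need."""
    name: str              # owner name, e.g. "www.example."
    rtype: str             # "A", "TSIG", ...
    time_signed: int = 0   # TSIG only: signing time, seconds since epoch
    fudge: int = 0         # TSIG only: permitted clock skew in seconds

def labels(name: str) -> list:
    """Lower-case labels of a DNS name; the root name gives []."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]

def check_axfr_tsig(records: list, now: int) -> str:
    """Return 'ok', or the reason a TSIG-signed AXFR message is rejected.

    CVE-2016-7074: the TSIG must be the final record; anything after it
    would be parsed yet not be covered by the signature.
    CVE-2016-7073: time_signed must lie within fudge seconds of `now`,
    otherwise an old, validly signed transfer can simply be replayed.
    The MAC itself is assumed to have been verified already.
    """
    if not records or records[-1].rtype != "TSIG":
        return "TSIG record missing or not last"
    if any(r.rtype == "TSIG" for r in records[:-1]):
        return "more than one TSIG record"
    tsig = records[-1]
    if abs(now - tsig.time_signed) > tsig.fudge:
        return "TSIG time outside fudge window (possible replay)"
    return "ok"

def in_bailiwick(owner: str, signer: str) -> bool:
    """True if `owner` equals `signer` or lies beneath it.

    CVE-2017-15090: a signature made with a DNSKEY owned by `signer`
    must only validate data at or below `signer`, never beside it.
    """
    o, s = labels(owner), labels(signer)
    return len(o) >= len(s) and o[len(o) - len(s):] == s
```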
_____________________________________________________________________

PowerDNS Security Advisory 2017-05: Cross-Site Scripting in the web interface

CVE: CVE-2017-15092
Date: November 27th 2017
Credit: Nixu, Chris Navarrete of Fortinet’s Fortiguard Labs
Affects: PowerDNS Recursor from 4.0.0 up to and including 4.0.6
Not affected: PowerDNS Recursor 4.0.7, 3.7.x
Severity: Medium
Impact: Alteration and denial of service of the web interface
Exploit: This problem can be triggered by an attacker sending DNS queries to the server
Risk of system compromise: No
Solution: Upgrade to a non-affected version

An issue has been found in the web interface of PowerDNS Recursor, where the qname of DNS queries was displayed without any escaping, allowing a remote attacker to inject HTML and JavaScript code into the web interface, altering its content. This issue has been assigned CVE-2017-15092.

PowerDNS Recursor from 4.0.0 up to and including 4.0.6 is affected.

For those unable to upgrade to a new version, a minimal patch is available.

We would like to thank Nixu and Chris Navarrete of Fortinet’s Fortiguard Labs for independently finding and reporting this issue.
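The defect class of advisory 2017-05 in miniature, as an added Python example that is not PowerDNS code: a status-page row rendered with the query name interpolated verbatim (the vulnerable form) next to the escaped form, plus a small check that tells the two apart. The sample query name is constructed for the example and uses documentation domain space.

```python
import html

# Constructed sample: a query name carrying markup, as it could appear in a
# resolver's "top queries" statistics when any client is free to choose qnames.
MARKUP_QNAME = "<b>bold</b>.example."

def render_row_unsafe(qname: str, count: int) -> str:
    """Vulnerable form: the query name is interpolated verbatim into the page."""
    return f"<tr><td>{qname}</td><td>{count}</td></tr>"

def render_row_safe(qname: str, count: int) -> str:
    """Fixed form: the untrusted name is HTML-escaped, the count is coerced to int."""
    return f"<tr><td>{html.escape(qname, quote=True)}</td><td>{int(count)}</td></tr>"

def markup_survives(qname: str, rendered: str) -> bool:
    """Check helper: did a name containing '<' or '>' reach the page unescaped?"""
    return ("<" in qname or ">" in qname) and qname in rendered
```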
_____________________________________________________________________

PowerDNS Security Advisory 2017-06: Configuration file injection in the API

CVE: CVE-2017-15093
Date: November 27th 2017
Credit: Nixu
Affects: PowerDNS Recursor up to and including 4.0.6, 3.7.4
Not affected: PowerDNS Recursor 4.0.7
Severity: Medium
Impact: Alteration of configuration by an API user
Exploit: This problem can be triggered by an attacker with valid API credentials
Risk of system compromise: No
Solution: Upgrade to a non-affected version
Workaround: Disable the ability to alter the configuration via the API by setting api-config-dir to an empty value (the default), or make the API read-only via the api-readonly setting.

An issue has been found in the API of PowerDNS Recursor during a source code audit by Nixu. When api-config-dir is set to a non-empty value, which is not the case by default, the API allows an authorized user to update the Recursor’s ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmasks and the IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor’s configuration. This issue has been assigned CVE-2017-15093.

PowerDNS Recursor up to and including 4.0.6 and 3.7.4 is affected.

For those unable to upgrade to a new version, a minimal patch is available.

We would like to thank Nixu for finding and subsequently reporting this issue.
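The kind of input validation whose absence gave CVE-2017-15093, as an added Python example that is not PowerDNS code: values an API handler would write into a configuration file are accepted only if they parse as a netmask, an address (optionally with a port), or a plain zone name, so an embedded newline can never start a new directive. The function names are chosen here; allow-from and forward-zones are real Recursor settings, but the exact line format built below is an illustration and not the file PowerDNS writes.

```python
import ipaddress
import re

def reject_control(value: str) -> None:
    """Whitespace or control characters can never be part of an address or name."""
    if value != value.strip() or any(c.isspace() or ord(c) < 32 for c in value):
        raise ValueError(f"control characters in {value!r}")

def parse_netmask(value: str) -> str:
    """Return the canonical netmask (e.g. 192.0.2.0/24) or raise ValueError."""
    reject_control(value)
    return str(ipaddress.ip_network(value, strict=False))

def parse_forward_target(value: str) -> str:
    """Accept 'ip' or 'ipv4:port', return it canonicalised, else raise ValueError."""
    reject_control(value)
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    host, _, port = value.rpartition(":")
    addr = ipaddress.ip_address(host)
    if addr.version != 4 or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad forward target {value!r}")
    return f"{addr}:{int(port)}"

def parse_zone_name(value: str) -> str:
    """Zone names are restricted to hostname characters; nothing else is written."""
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,253}", value):
        raise ValueError(f"bad zone name {value!r}")
    return value

def build_config_fragment(netmasks, forward_zones):
    """Return (True, fragment) built only from validated values, or (False, reason).

    forward_zones is a list of (zone, target) pairs. The '+=' line format is an
    illustration of appending to a setting, not PowerDNS's own writer.
    """
    try:
        lines = [f"allow-from+={parse_netmask(n)}" for n in netmasks]
        lines += [f"forward-zones+={parse_zone_name(z)}={parse_forward_target(t)}"
                  for z, t in forward_zones]
    except ValueError as exc:
        return False, str(exc)
    return True, "".join(line + "\n" for line in lines)
```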
_____________________________________________________________________

PowerDNS Security Advisory 2017-07: Memory leak in DNSSEC parsing

CVE: CVE-2017-15094
Date: November 27th 2017
Credit: Nixu
Affects: PowerDNS Recursor from 4.0.0 up to and including 4.0.6
Not affected: PowerDNS Recursor 4.0.7
Severity: Medium
Impact: Denial of service
Exploit: This problem can be triggered by an authoritative server sending crafted ECDSA DNSSEC keys to the Recursor
Risk of system compromise: No
Solution: Upgrade to a non-affected version
Workaround: Disable DNSSEC validation by setting the dnssec parameter to off or process-no-validate (the default).

An issue has been found in the DNSSEC parsing code of PowerDNS Recursor during a code audit by Nixu, leading to a memory leak when parsing specially crafted DNSSEC ECDSA keys. These keys are only parsed when validation is enabled by setting dnssec to a value other than off or process-no-validate (the default). This issue has been assigned CVE-2017-15094.

PowerDNS Recursor from 4.0.0 up to and including 4.0.6 is affected.

For those unable to upgrade to a new version, a minimal patch is available.

We would like to thank Nixu for finding and subsequently reporting this issue.

==========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel      | fax : 01-53-94-20-41            +
+ 75013 Paris             | email: cert@support.renater.fr  +
==========================================================