====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN033

_____________________________________________________________________

DATE                : 31/01/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PowerDNS versions 4.1.x prior to
                                    4.1.9.

=====================================================================
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-01.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-02.html
_____________________________________________________________________

PowerDNS Security Advisory 2019-01: Lua hooks are not applied in certain
configurations

    CVE: CVE-2019-3806
    Date: 21st of January 2019
    Affects: PowerDNS Recursor from 4.1.4 up to and including 4.1.8
    Not affected: 4.0.x, 4.1.0 up to and including 4.1.3, 4.1.9
    Severity: Low
    Impact: Access restriction bypass
    Exploit: This problem can be triggered via TCP queries
    Risk of system compromise: No
    Solution: Upgrade to a non-affected version
    Workaround: Switch to pdns-distributes-queries=no

An issue has been found in PowerDNS Recursor where Lua hooks are not
properly applied to queries received over TCP in some specific
combination of settings, possibly bypassing security policies enforced
using Lua.

When the recursor is configured to run with more than one thread
(threads=X) and to do the distribution of incoming queries to the worker
threads itself (pdns-distributes-queries=yes), the Lua script is not
properly loaded in the thread handling incoming TCP queries, causing the
Lua hooks to not be properly applied.

This issue has been assigned CVE-2019-3806 by Red Hat.

PowerDNS Recursor from 4.1.4 up to and including 4.1.8 is affected.

_____________________________________________________________________

PowerDNS Security Advisory 2019-02: Insufficient validation of DNSSEC
signatures

    CVE: CVE-2019-3807
    Date: 21st of January 2019
    Affects: PowerDNS Recursor from 4.1.0 up to and including 4.1.8
    Not affected: 4.0.x, 4.1.9
    Severity: Medium
    Impact: Insufficient validation
    Exploit: This problem can be triggered via crafted responses
    Risk of system compromise: No
    Solution: Upgrade to a non-affected version

An issue has been found in PowerDNS Recursor where records in the answer
section of responses received from authoritative servers with the AA
flag not set were not properly validated, allowing an attacker to bypass
DNSSEC validation.

This issue has been assigned CVE-2019-3807 by Red Hat.

PowerDNS Recursor from 4.1.0 up to and including 4.1.8 is affected.

We would like to thank Ralph Dolmans and George Thessalonikefs of
NLNetLabs for finding and subsequently reporting this issue!


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================