
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN285
_____________________________________________________________________

DATE                : 19/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PowerDNS versions 4 prior to 4.3.1,
                                         4.2.2, 4.1.16.

=====================================================================
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html
_____________________________________________________________________


PowerDNS Security Advisory 2020-01: Denial of Service

    CVE: CVE-2020-10995
    Date: May 19th 2020
    Affects: PowerDNS Recursor from 4.1.0 up to and including 4.3.0
    Not affected: 4.1.16, 4.2.2, 4.3.1
    Severity: Medium
    Impact: Degraded Service
    Exploit: This problem can be triggered via a crafted reply
    Risk of system compromise: No
    Solution: Upgrade to a non-affected version
    Workaround: None

An issue in the DNS protocol has been found that allows malicious parties
to use recursive DNS services to attack third-party authoritative name
servers. The attack uses a crafted reply from an authoritative name server
to amplify the resulting traffic between the recursive resolver and other
authoritative name servers. Both types of service can suffer degraded
performance as a result.

This issue has been assigned CVE-2020-10995.

PowerDNS Recursor from 4.1.0 up to and including 4.3.0 is affected.
PowerDNS Recursor 4.1.16, 4.2.2 and 4.3.1 contain a mitigation to limit
the impact of this DNS protocol issue.

Please note that at the time of writing, PowerDNS Recursor 4.0 and below
are no longer supported, as described in
https://doc.powerdns.com/recursor/appendices/EOL.html.

We would like to thank Lior Shafir, Yehuda Afek and Anat Bremler-Barr
for finding and subsequently reporting this issue!


_____________________________________________________________________


PowerDNS Security Advisory 2020-02: Insufficient validation of DNSSEC
signatures

    CVE: CVE-2020-12244
    Date: May 19th 2020
    Affects: PowerDNS Recursor from 4.1.0 up to and including 4.3.0
    Not affected: 4.3.1, 4.2.2, 4.1.16
    Severity: Medium
    Impact: Denial of existence spoofing
    Exploit: This problem can be triggered by an attacker in a
             man-in-the-middle position
    Risk of system compromise: No
    Solution: Upgrade to a non-affected version
    Workaround: None

An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where
records in the answer section of an NXDOMAIN response lacking an SOA were
not properly validated in SyncRes::processAnswer. This would allow an
attacker in a man-in-the-middle position to send an NXDOMAIN answer for
a name that does exist, bypassing DNSSEC validation.

This issue has been assigned CVE-2020-12244.

PowerDNS Recursor from 4.1.0 up to and including 4.3.0 is affected.

Please note that at the time of writing, PowerDNS Authoritative 4.0 and
below are no longer supported, as described in
https://doc.powerdns.com/authoritative/appendices/EOL.html.

We would like to thank Matt Nordhoff for finding and subsequently
reporting this issue!


_____________________________________________________________________


PowerDNS Security Advisory 2020-03: Information disclosure

    CVE: CVE-2020-10030
    Date: May 19th 2020
    Affects: PowerDNS Recursor from 4.1.0 up to and including 4.3.0
    Not affected: 4.3.1, 4.2.2, 4.1.16
    Severity: Low
    Impact: Information Disclosure, Denial of Service
    Exploit: This problem can be triggered via a crafted hostname
    Risk of system compromise: No
    Solution: Upgrade to a non-affected version
    Workaround: None

An issue has been found in PowerDNS Authoritative Server allowing an
attacker with enough privileges to change the system’s hostname to cause
disclosure of uninitialized memory content via a stack-based out-of-
bounds read. It only occurs on systems where gethostname() does not
null-terminate the returned string if the hostname is larger than the
supplied buffer. Linux systems are not affected because the buffer is
always large enough. OpenBSD systems are not affected because the
returned hostname is always null-terminated. Under some conditions this
issue can lead to the writing of one null-byte out-of-bounds on the
stack, causing a denial of service or possibly arbitrary code execution.
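The root cause described above is a portability trap: POSIX leaves it
unspecified whether gethostname() null-terminates a name that did not fit
in the caller's buffer, so code that treats the buffer as a C string
afterwards reads (and may later write) past its end. The following C
program is an added illustration, not PowerDNS code and not the project's
fix. It uses a constructed stand-in for a libc that fills the buffer
without a terminator (the behaviour the advisory says Linux and OpenBSD do
not exhibit), shows that a raw call leaves the buffer unterminated, and
then wraps the call so the result is always terminated and truncation is
reported instead of silently trusted. The hostname value, the fake
function and the wrapper names are all constructed for the example.

```c
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Signature shared by the real gethostname(2) and the fake below. */
typedef int (*hostname_fn)(char *buf, size_t len);

/* Constructed hostname (not read from the system): 35 characters long. */
static const char FAKE_SYS_HOSTNAME[] = "a-rather-long-hostname.example.test";

/* Constructed stand-in for a libc whose gethostname() fills the whole buffer
 * and writes no terminating NUL when the name is too long. It returns 0 even
 * when truncating, which POSIX permits, so the caller cannot rely on rc alone. */
static int fake_gethostname_no_terminate(char *buf, size_t len) {
    size_t n = strlen(FAKE_SYS_HOSTNAME);
    if (n >= len) {
        memcpy(buf, FAKE_SYS_HOSTNAME, len);   /* truncated, no NUL written */
        return 0;
    }
    memcpy(buf, FAKE_SYS_HOSTNAME, n + 1);     /* fits, NUL included */
    return 0;
}

/* Returns 1 if a NUL occurs within the first len bytes, 0 otherwise. */
int buffer_is_terminated(const char *buf, size_t len) {
    return memchr(buf, '\0', len) != NULL;
}

/* Hardened wrapper around any gethostname-like function.
 * Guarantees: on return, out is a NUL-terminated string whatever the libc did.
 * Returns 0 on success; -1 (with out[0] == '\0') on error or truncation. */
int get_hostname_safe(hostname_fn impl, char *out, size_t outlen) {
    if (outlen == 0) { errno = EINVAL; return -1; }
    /* Give the libc one byte less than we own, so the final byte is ours to set.
     * Reserving it also makes truncation unambiguous: a legitimate name can never
     * occupy all outlen-1 bytes the libc saw without leaving a NUL among them. */
    if (impl(out, outlen - 1) != 0) { out[0] = '\0'; return -1; }
    out[outlen - 1] = '\0';
    if (memchr(out, '\0', outlen - 1) == NULL) {
        /* No NUL inside the region the libc wrote: the name was truncated and,
         * on the affected platforms, unterminated. Refuse it rather than use it. */
        out[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

int main(void) {
    char small[16];
    char big[256];
    int rc;

    /* Raw call on the affected platform: 16 bytes filled, no terminator. */
    memset(small, 'X', sizeof small);
    fake_gethostname_no_terminate(small, sizeof small);
    printf("raw call terminated: %d\n", buffer_is_terminated(small, sizeof small));

    /* Wrapper: refuses the truncated name and leaves a terminated, empty string. */
    rc = get_hostname_safe(fake_gethostname_no_terminate, small, sizeof small);
    printf("safe (small buffer) rc=%d terminated=%d\n",
           rc, buffer_is_terminated(small, sizeof small));

    /* Wrapper with a buffer large enough: name is returned intact. */
    rc = get_hostname_safe(fake_gethostname_no_terminate, big, sizeof big);
    printf("safe (big buffer) rc=%d name=%s\n", rc, big);

    /* The same wrapper works unchanged against the real libc. */
    rc = get_hostname_safe(gethostname, big, sizeof big);
    printf("real libc rc=%d name=%s\n", rc, big);
    return 0;
}
```

The wrapper is deliberately conservative: by reserving the last byte it
rejects a name that would have fit only if the libc had been given the
full buffer. In exchange, it never has to guess whether a NUL found in the
last position came from the libc or from the wrapper itself, which is the
ambiguity that makes "just terminate it afterwards" an incomplete fix.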

This issue has been assigned CVE-2020-10030.

PowerDNS Recursor from 4.1.0 up to and including 4.3.0 is affected.

Please note that at the time of writing, PowerDNS Authoritative 4.0 and
below are no longer supported, as described in
https://doc.powerdns.com/authoritative/appendices/EOL.html.

We would like to thank Valentei Sergey for finding and subsequently
reporting this issue!


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
