
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN534
_____________________________________________________________________

DATE                : 24/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PowerDNS Authoritative Server in a
                     version older than the fixed releases 4.4.0, 4.3.1,
                     4.2.3 or 4.1.14 (see the per-advisory version lists
                     below).

=====================================================================
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-06.html
_____________________________________________________________________


PowerDNS Security Advisory 2020-05: Leaking uninitialised memory through
crafted zone records

    CVE: CVE-2020-17482
    Date: September 22nd, 2020
    Affects: PowerDNS Authoritative 4.3.0 and earlier
    Not affected: 4.3.1 and up, 4.2.3 and up, 4.1.14 and up
    Severity: Low
    Impact: Information leak
    Exploit: This problem can be triggered via crafted records by an
               authorized user
    Risk of system compromise: Low
    Solution: Upgrade to a fixed version
    Workaround: Do not take zone data from untrusted users

An issue has been found in PowerDNS Authoritative Server before 4.3.1
where an authorized user with the ability to insert crafted records into
a zone might be able to leak the content of uninitialized memory. Such a
user could be a customer inserting data via a control panel, or somebody
with access to the REST API. Crafted records cannot be inserted via
AXFR.

This issue has been assigned CVE-2020-17482.

PowerDNS Authoritative versions up to and including 4.3.0 are affected.
Please note that at the time of writing, PowerDNS Authoritative 4.0 and
below are no longer supported, as described in
https://doc.powerdns.com/authoritative/appendices/EOL.html.

We would like to thank Nathaniel Ferguson for finding and subsequently
reporting this issue!

_____________________________________________________________________


PowerDNS Security Advisory 2020-06: Various issues in our GSS-TSIG support

    CVE: CVE-2020-24696, CVE-2020-24697, CVE-2020-24698
    Date: September 22nd, 2020
    Affects: PowerDNS Authoritative versions before 4.4.0, when compiled
             with --enable-experimental-gss-tsig
    Not affected: 4.4.0 and up, and any version compiled without
                   GSS-TSIG support
    Severity: Low
    Impact: Crashes, Information Leaks, Possible code execution
    Exploit: This problem can be triggered via crafted packets
    Risk of system compromise: Low
    Solution: Do not use software built with GSS-TSIG support

Various issues have been found in our GSS-TSIG support, where an
unauthorized attacker could cause crashes, possibly leak uninitialised
memory, and possibly execute arbitrary code.

These issues have been assigned:

    CVE-2020-24696: A remote, unauthenticated attacker can trigger a
race condition leading to a crash, or possibly arbitrary code execution,
by sending crafted queries with a GSS-TSIG signature.

    CVE-2020-24697: A remote, unauthenticated attacker can cause a
denial of service by sending crafted queries with a GSS-TSIG signature.

    CVE-2020-24698: A remote, unauthenticated attacker might be able to
cause a double-free, leading to a crash or possibly arbitrary code
execution by sending crafted queries with a GSS-TSIG signature.

All PowerDNS Authoritative versions are affected, but only if they have
been compiled with --enable-experimental-gss-tsig. We have never
published packages with the feature enabled.

Because of the various issues with the feature (including a complete
lack of testing code around it), and no reports of production usage of
GSS-TSIG, we have decided to remove the relevant code completely in
PowerDNS Authoritative 4.4.0. Users of earlier versions that rely on the
feature can keep doing so until they upgrade to 4.4.0, but need to be
aware of these issues.
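The two advisories above give their affected ranges in different shapes:
2020-05 is fixed per release branch (4.3.1, 4.2.3, 4.1.14, and anything
4.4.0 or newer), while 2020-06 covers every build before 4.4.0 but only
when it was compiled with --enable-experimental-gss-tsig. The following
script is an added example written for this note; it is not code from
PowerDNS or from the original advisories. It encodes both ranges exactly
as stated above so an operator can run it over a fleet's version banners.
The banner strings in it are constructed samples, and the assumption that
a banner contains a plain x.y.z version (as printed by
`pdns_server --version`, or returned for a `version.bind` CHAOS TXT query
when the `version-string` setting is left at its default) is the
operator's, not the advisory's. Whether GSS-TSIG was compiled in cannot be
read from a version number, so it is passed in as a flag that must come
from the build configuration.

```python
#!/usr/bin/env python3
"""Classify a PowerDNS Authoritative version against advisories 2020-05 and 2020-06.

Added example for this bulletin; not PowerDNS code. Ranges are taken
verbatim from the advisories reproduced above.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Advisory 2020-05 (CVE-2020-17482): first fixed release per 4.x branch.
# Branches not listed here (4.0 and older) are end-of-life and have no fix.
FIXED_2020_05: Dict[Tuple[int, int], Version] = {
    (4, 3): (4, 3, 1),
    (4, 2): (4, 2, 3),
    (4, 1): (4, 1, 14),
}

# Both advisories: 4.4.0 and up is clean (2020-06 code was removed in 4.4.0).
FIRST_CLEAN_RELEASE: Version = (4, 4, 0)

# Assumption: the banner contains a dotted x.y.z version somewhere in it.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Version:
    """Extract the first x.y.z version from a banner string; raise if absent."""
    match = VERSION_RE.search(banner)
    if match is None:
        raise ValueError(f"no x.y.z version found in {banner!r}")
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def affected_by_2020_05(version: Version) -> bool:
    """CVE-2020-17482: 4.3.0 and earlier, except the fixed branch releases."""
    if version >= FIRST_CLEAN_RELEASE:
        return False
    fixed: Optional[Version] = FIXED_2020_05.get(version[:2])
    if fixed is None:
        # 4.0 and older: still "4.3.0 and earlier", and EOL, so no fixed release.
        return True
    return version < fixed


def affected_by_2020_06(version: Version, gss_tsig_compiled: bool) -> bool:
    """CVE-2020-24696/24697/24698: any build before 4.4.0 with GSS-TSIG compiled in."""
    return gss_tsig_compiled and version < FIRST_CLEAN_RELEASE


def assess(banner: str, gss_tsig_compiled: bool = False) -> Dict[str, object]:
    """Return a per-advisory verdict for one server banner."""
    version = parse_version(banner)
    return {
        "version": version,
        "CVE-2020-17482": affected_by_2020_05(version),
        "CVE-2020-24696/24697/24698": affected_by_2020_06(version, gss_tsig_compiled),
    }


if __name__ == "__main__":
    # Constructed sample banners (format assumed, see lead-in); not real hosts.
    fleet = [
        ("ns1", "PowerDNS Authoritative Server 4.3.0", False),
        ("ns2", "PowerDNS Authoritative Server 4.2.2", True),   # custom GSS-TSIG build
        ("ns3", "PowerDNS Authoritative Server 4.1.14", False),
        ("ns4", "PowerDNS Authoritative Server 4.4.0", True),
    ]
    for host, banner, gss in fleet:
        verdict = assess(banner, gss_tsig_compiled=gss)
        print(host, verdict)
```

Hosts flagged for CVE-2020-17482 need the branch upgrade listed in
2020-05; a host flagged for the GSS-TSIG CVEs has no patched build to move
to short of 4.4.0, which matches the "do not use software built with
GSS-TSIG support" solution in 2020-06.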

We would like to thank Nathaniel Ferguson for finding and subsequently
reporting these issues!


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


