===================================================================== CERT-Renater Note d'Information No. 2022/VULN272 _____________________________________________________________________ DATE : 23/08/2022 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running PowerDNS Recursor versions prior to 4.5.10, 4.6.3, 4.7.2. ===================================================================== https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-02.html _____________________________________________________________________ PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation CVE: CVE-2022-37428 Date: 23th of August 2022. Affects: PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1 Not affected: PowerDNS Recursor 4.5.10, 4.6.3 and 4.7.2 Severity: Medium Impact: Denial of service Exploit: This problem can be triggered by a remote attacker with access to the recursor if protobuf logging is enabled Risk of system compromise: None Solution: Upgrade to patched version, disable protobuf logging of responses This issue only affects recursors which have protobuf logging enabled using the protobufServer function with logResponses=true or outgoingProtobufServer function with logResponses=true If either of these functions is used without specifying logResponses, its value is true. An attacker needs to have access to the recursor, i.e. the remote IP must be in the access control list. If an attacker queries a name that leads to an answer with specific properties, a protobuf message might be generated that causes an exception. The code does not handle this exception correctly, causing a denial of service. ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================