Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN266

_____________________________________________________________________

DATE                : 29/04/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PowerDNS DNSdist versions
                           prior to 1.9.9.

=====================================================================
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html
_____________________________________________________________________


PowerDNS Security Advisory 2025-02 for DNSdist: Denial of service
via crafted DoH exchange

    CVE: CVE-2025-30194
    Date: 2025-04-29T12:00:00+02:00
    Discovery date: 2025-04-25T21:55:00+02:00
    Affects: PowerDNS DNSdist from 1.9.0 up to 1.9.8
    Not affected: PowerDNS DNSdist 1.9.9 and versions before 1.9.0
    Severity: High
    Impact: Denial of service
    Exploit: This problem can be triggered by an attacker crafting
a DoH exchange
    Risk of system compromise: None
    Solution: Upgrade to patched version or temporarily switch to
the h2o provider
    CWE: CWE-416
    CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Last affected: 1.9.8
    First fixed: 1.9.9
    Internal ID: 297

When DNSdist is configured to provide DoH via the nghttp2 provider,
an attacker can cause a denial of service by crafting a DoH exchange
that triggers an illegal memory access (double-free) and crash of
DNSdist, causing a denial of service.

CVSS Score: 7.5, only for configurations where incoming DoH is enabled
via the nghttp2 provider.

The remedy is: upgrade to the patched 1.9.9 version.

A workaround is to temporarily switch to the h2o provider until
DNSdist has been upgraded to a fixed version.

We would like to thank Charles Howes for bringing this issue to
our attention.



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================