Hi all, 

Thanks a lot for the Advisory.

I have 5 of the affected Authoritatives with version 3.4.7.
Before updating to version 3.4.10 or 4, I'd like to protect them with
dnsdist, but QNameWireLengthRule and QNameLabelsCountRule were added in the
latest dnsdist version, 1.1.0-beta1, and we have 1.0.0.

Is there any way to be protected using dnsdist v 1.0.0 ... at least during the
weekend, before the proper updates I will do next week?

Thanks!

Ale.

-----Original Message-----
From: Pdns-users [mailto:[email protected]] On Behalf Of Remi Gacogne
Sent: Friday, 9 September 2016 14:32
To: [email protected]
Subject: [Pdns-users] PowerDNS Security Announcement 2016-01

Hi All,

Two security issues of medium severity have been reported to us by Florian 
Heinz and Martin Kluge in PowerDNS Authoritative Server <= 3.4.9. We released 
PowerDNS Authoritative 3.4.10 a week ago, fixing both issues. PowerDNS 
Authoritative 4.0.x and PowerDNS Recursor are not affected.

The corresponding security advisory is provided below, and can also be found at 
https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/.

PowerDNS Security Advisory 2016-01: Crafted queries can cause unexpected 
backend load

CVE: CVE-2016-5426, CVE-2016-5427
Date: 9th of September 2016
Credit: Florian Heinz and Martin Kluge
Affects: PowerDNS Authoritative Server up to and including 3.4.9
Not affected: PowerDNS Authoritative Server 3.4.10, 4.x
Severity: Medium
Impact: Degraded service or Denial of service
Exploit: This problem can be triggered by sending specially crafted query packets
Risk of system compromise: No
Solution: Upgrade to a non-affected version
Workaround: Run dnsdist with the rules provided below in front of potentially 
affected servers, or dimension the backend capacity so that it can handle the 
increased load.

Two issues have been found in PowerDNS Authoritative Server allowing a remote, 
unauthenticated attacker to cause an abnormal load on the PowerDNS backend by 
sending crafted DNS queries, which might result in a partial denial of service 
if the backend becomes overloaded. SQL backends for example are particularly 
vulnerable to this kind of unexpected load if they have not been dimensioned 
for it.

The first issue is based on the fact that PowerDNS Authoritative Server accepts 
queries with a qname's length larger than 255 bytes. This issue has been 
assigned CVE-2016-5426.

The second issue is based on the fact that PowerDNS Authoritative Server does 
not properly handle dot inside labels. This issue has been assigned 
CVE-2016-5427.

Both issues have been addressed by this commit:
https://github.com/PowerDNS/pdns/commit/881b5b03a590198d03008e4200dd00cc537712f3

PowerDNS Authoritative Server up to and including 3.4.9 is affected. No other 
versions are affected. The PowerDNS Recursor is not affected.

dnsdist can be used to block crafted queries, using
QNameWireLengthRule() to block queries with a qname larger than 255 bytes and 
QNameLabelsCountRule() to block queries with a very large amount of labels. 
Please note that restricting the number of labels in a query might lead to 
unexpected issues, especially with DNSSEC-enabled domains.

We'd like to thank Florian Heinz and Martin Kluge for finding and subsequently 
reporting this issue.

--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
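
The following Python example is added here for illustration and is not part of the advisory, of PowerDNS or of dnsdist. It walks the question name of a raw DNS query and applies the checks the advisory describes: qname wire length above 255 bytes, label count, and a literal dot inside a label. The function names, the `MAX_LABELS` value of 40 and the sample queries are assumptions constructed for the example; the advisory gives no number for the label limit.

```python
import struct

MAX_QNAME_WIRE = 255   # wire-length bound cited in the advisory (CVE-2016-5426)
MAX_LABELS = 40        # assumed threshold; the advisory does not give a number


def inspect_qname(packet: bytes):
    """Return (wire_len, label_count, dot_in_label) for the first question name."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    (qdcount,) = struct.unpack_from("!H", packet, 4)
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels, dotted = 12, 0, False
    while True:
        if pos >= len(packet):
            raise ValueError("qname runs past end of packet")
        length = packet[pos]
        if length == 0:                      # root label ends the name
            return pos + 1 - 12, labels, dotted
        if length & 0xC0:                    # pointer or reserved label type
            raise ValueError("unexpected label type in query name")
        label = packet[pos + 1 : pos + 1 + length]
        if len(label) != length:
            raise ValueError("label runs past end of packet")
        dotted = dotted or b"." in label     # literal '.' inside one label (CVE-2016-5427)
        labels += 1
        pos += 1 + length


def verdict(packet: bytes) -> str:
    """Classify a query the way a filtering front end could before forwarding it."""
    try:
        wire_len, labels, dotted = inspect_qname(packet)
    except ValueError:
        return "malformed"
    if wire_len > MAX_QNAME_WIRE:
        return "qname-too-long"
    if labels > MAX_LABELS:
        return "too-many-labels"
    if dotted:
        return "dot-in-label"
    return "ok"


def build_query(labels):
    """Constructed sample input: header with QDCOUNT=1, qname, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)
```

The wire length counted here includes each label's length byte and the terminating root byte, so `www.example.com` measures 17 bytes.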
