Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 12 Dec 2014 15:33:57 +0100
From: Peter van Dijk <peter.van.dijk@...herlabs.nl>
To: pdns-announce@...lman.powerdns.com,
 pdns-dev@...lman.powerdns.com,
 pdns-users Users <pdns-users@...lman.powerdns.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: PowerDNS Security Advisory 2014-02

Hi everybody,

today, ANSSI has released their report on the issue. You can find it at http://www.ssi.gouv.fr/en/the-anssi/events/vulnerabilty-disclosure-the-infinitely-delegating-name-servers-idns-attack.html

Based on this, we realise our original announcement was missing one detail. The following text has been added to it:

=======
Note that in addition to providing bad service, this issue can be abused to send unwanted traffic to an unwilling third party. Please see ANSSI's report for more information.
=======

So, please update your Recursors, even if you only have a limited set of users - your machines may still be abused to DDoS unwilling third parties.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

On 08 Dec 2014, at 17:00 , Peter van Dijk <peter.van.dijk@...herlabs.nl> wrote:

> Hi everybody,
> 
> Please be aware of PowerDNS Security Advisory 2014-02
> (http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/), which you
> can also find below.  The good news is that the currently released version of the
> PowerDNS Recursor is safe.  The bad news is that users of older versions
> will have to upgrade.
> 
> PowerDNS Recursor 3.6.2, released late October, is in wide production use
> and has been working well for our users.  If however you have reasons not to
> upgrade, the advisory below contains a link to a patch which applies to
> older versions.
> 
> Finally, if you have problems upgrading, please either contact us on our
> mailing lists, or privately via powerdns.support@...erdns.com (should you
> wish to make use of our SLA-backed support program).
> 
> We want to thank Florian Maury of French government information security
> agency ANSSI for bringing this issue to our attention and coordinating the
> security release with us and other nameserver vendors.
> 
> ## PowerDNS Security Advisory 2014-02: PowerDNS Recursor 3.6.1 and earlier can be made to provide bad service
> 
> * CVE: CVE-2014-8601
> * Date: 8th of December 2014
> * Credit: Florian Maury ([ANSSI](http://www.ssi.gouv.fr/en/))
> * Affects: PowerDNS Recursor versions 3.6.1 and earlier
> * Not affected: PowerDNS Recursor 3.6.2; no versions of PowerDNS Authoritative Server
> * Severity: High
> * Impact: Degraded service
> * Exploit: This problem can be triggered by sending queries for specifically configured domains
> * Risk of system compromise: No
> * Solution: Upgrade to PowerDNS Recursor 3.6.2
> * Workaround: None known. Exposure can be limited by configuring the **allow-from** setting so only trusted users can query your nameserver.
> 
> Recently we released PowerDNS Recursor 3.6.2 with a new feature that
> strictly limits the amount of work we'll perform to resolve a single query.
> This feature was inspired by performance degradations noted when resolving
> domains hosted by 'ezdns.it', which can require thousands of queries to
> resolve.
> 
> During the 3.6.2 release process, we were contacted by a government security
> agency with news that they had found that all major caching nameservers,
> including PowerDNS, could be negatively impacted by specially configured,
> hard to resolve domain names. With their permission, we continued the 3.6.2
> release process with the fix for the issue already in there.
> 
> We recommend that all users upgrade to 3.6.2 if at all possible. Alternatively,
> if you want to apply a minimal fix to your own tree, it can be found
> [here](https://downloads.powerdns.com/patches/2014-02/), including patches for older versions.
> 
> As for workarounds, only clients in allow-from are able to trigger the
> degraded service, so this should be limited to your userbase.



Download attachment "signature.asc" of type "application/pgp-signature" (842 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.