Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 13 Jun 2014 15:42:52 +0200
From: Vasyl Kaigorodov <vkaigoro@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: PowerDNS in default configuration is vulnerable to DoS
 attack

It was found [1] that in default configuration PowerDNS is allowed to
consume more file descriptors than is available for a default installation
of many Linux distributions.
Default configuration is: 2 threads / 2048 max-mthreads, which leads
to a theoretical FD consumption of 4096. Default FD limit on many
distributions is 1024.
This can potentially lead to the DoS attack.

Workaround (from [1]):

- Reduce max-mthreads to 512 (or threads to 1 and max-mthreads to
1024) (max-mthreads was introduced in Recursor 3.2; but if you are
running a version that old, please upgrade it!)
- Run ‘ulimit -n 32768′ before starting (perhaps put this in
/etc/init.d/ script). There’s little reason to skip on this number.
- Investigate defaults in /etc/security/limits.conf

Patch is available at [2]

[1]: http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/
[2]: https://github.com/Habbie/pdns/commit/e24b124a4c7b49f38ff8bcf6926cd69077d16ad8

References:

https://bugs.mageia.org/show_bug.cgi?id=13521
https://bugzilla.redhat.com/show_bug.cgi?id=1109231

Can a CVE please be assigned if one has not been already?

Thanks.
-- 
Vasyl Kaigorodov | Red Hat Product Security Team
PGP:  0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.