Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 4 Apr 2023 13:38:30 +0200 (CEST)
From: Otto Moerbeek <otto.moerbeek@...erdns.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can
 lead to authoritative servers being marked unavailable

Hello,

   We have released PowerDNS Recursor 4.6.6, 4.7.5 and 4.8.4 due to
   a low severity security issue found.

   Please find the full text of the advisory below.

   The [1]4.6, [2]4.7 and [3]4.8 changelogs are available.

   The  [4]4.6.6  ([5]signature), [6]4.7.5 ([7]signature) and
   [8]4.8.4 ([9]signature) tarballs are available from our download
   [10]server. Patches are available at [11]patches. Packages for various
   distributions are available from our [12]repository.

   Note that PowerDNS Recursor 4.5.x and older releases are End of Life.
   Consult the [13]EOL policy for more details.
     __________________________________________________________________

PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to
authoritative servers being marked unavailable

     * CVE: CVE-2023-26437
     * Date: 29th of March 2023
     * Affects: PowerDNS Recursor up to and including 4.6.5, 4.7.4 and
       4.8.3
     * Not affected: PowerDNS Recursor 4.6.6, 4.7.5 and 4.8.4
     * Severity: Low
     * Impact: Denial of service
     * Exploit: Successful spoofing may lead to authoritative servers
       being marked unavailable
     * Risk of system compromise: None
     * Solution: Upgrade to patched version

   When the recursor detects and deters a spoofing attempt or receives certain malformed DNS
   packets, it throttles the server that was the target of the impersonation attempt so that other
   authoritative servers for the same zone will be more likely to be used in the future, in case the
   attacker controls the path to one server only. Unfortunately this mechanism can be used by an
   attacker with the ability to send queries to the recursor, guess the correct source port of the
   corresponding outgoing query and inject packets with a spoofed IP address to force the recursor
   to mark specific authoritative servers as not available, leading a denial of service for the
   zones served by those servers.

   CVSS 3.0 score: 3.7 (Low)
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/
   S:C/C:N/I:N/A:L

   Thanks to Xiang Li from Network and Information Security Laboratory,
   Tsinghua University for reporting this issue.

References

   1. https://docs.powerdns.com/recursor/changelog/4.6.html#change-4.6.6
   2. https://docs.powerdns.com/recursor/changelog/4.7.html#change-4.7.5
   3. https://docs.powerdns.com/recursor/changelog/4.8.html#change-4.8.4
   4. https://downloads.powerdns.com/releases/pdns-recursor-4.6.6.tar.bz2
   5. https://downloads.powerdns.com/releases/pdns-recursor-4.6.6.tar.bz2.sig
   6. https://downloads.powerdns.com/releases/pdns-recursor-4.7.5.tar.bz2
   7. https://downloads.powerdns.com/releases/pdns-recursor-4.7.5.tar.bz2.sig
   8. https://downloads.powerdns.com/releases/pdns-recursor-4.8.4.tar.bz2
   9. https://downloads.powerdns.com/releases/pdns-recursor-4.8.4.tar.bz2.sig
  10. https://downloads.powerdns.com/releases/
  11. https://downloads.powerdns.com/patches/2023-01/
  12. https://repo.powerdns.com/
  13. https://docs.powerdns.com/recursor/appendices/EOL.html

--

kind regards,
Otto Moerbeek
PowerDNS Developer



Email: otto.moerbeek@...n-xchange.com


-------------------------------------------------------------------------------------
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Richard Seibt

PowerDNS.COM BV, Koninginnegracht 14L, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt, Maxim Letski
-------------------------------------------------------------------------------------

Download attachment "signature.asc" of type "application/pgp-signature" (476 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.