Re: PowerDNS Security Advisory 2014-02

[Peter van Dijk <peter.van.dijk () netherlabs nl>]

Hi everybody,

today, ANSSI has released their report on the issue. You can find it at 
http://www.ssi.gouv.fr/en/the-anssi/events/vulnerabilty-disclosure-the-infinitely-delegating-name-servers-idns-attack.html

Based on this, we realise our original announcement was missing one detail. The following text has been added to it:

=======
Note that in addition to providing bad service, this issue can be abused to send unwanted traffic to an unwilling third 
party. Please see ANSSI's report for more information.
=======

So, please update your Recursors, even if you only have a limited set of users - your machines may still be abused to 
DDoS unwilling third parties.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

On 08 Dec 2014, at 17:00 , Peter van Dijk <peter.van.dijk () netherlabs nl> wrote:

> Hi everybody,
>
> Please be aware of PowerDNS Security Advisory 2014-02
> (http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/), which you
> can also find below.  The good news is that the currently released version of the
> PowerDNS Recursor is safe.  The bad news is that users of older versions
> will have to upgrade.
>
> PowerDNS Recursor 3.6.2, released late October, is in wide production use
> and has been working well for our users.  If however you have reasons not to
> upgrade, the advisory below contains a link to a patch which applies to
> older versions.
>
> Finally, if you have problems upgrading, please either contact us on our
> mailing lists, or privately via powerdns.support () powerdns com (should you
> wish to make use of our SLA-backed support program).
>
> We want to thank Florian Maury of French government information security
> agency ANSSI for bringing this issue to our attention and coordinating the
> security release with us and other nameserver vendors.
>
> ## PowerDNS Security Advisory 2014-02: PowerDNS Recursor 3.6.1 and earlier can be made to provide bad service
>
> * CVE: CVE-2014-8601
> * Date: 8th of December 2014
> * Credit: Florian Maury ([ANSSI](http://www.ssi.gouv.fr/en/))
> * Affects: PowerDNS Recursor versions 3.6.1 and earlier
> * Not affected: PowerDNS Recursor 3.6.2; no versions of PowerDNS Authoritative Server
> * Severity: High
> * Impact: Degraded service
> * Exploit: This problem can be triggered by sending queries for specifically configured domains
> * Risk of system compromise: No
> * Solution: Upgrade to PowerDNS Recursor 3.6.2
> * Workaround: None known. Exposure can be limited by configuring the **allow-from** setting so only trusted users can 
> query your nameserver.
>
> Recently we released PowerDNS Recursor 3.6.2 with a new feature that
> strictly limits the amount of work we'll perform to resolve a single query.
> This feature was inspired by performance degradations noted when resolving
> domains hosted by 'ezdns.it', which can require thousands of queries to
> resolve.
>
> During the 3.6.2 release process, we were contacted by a government security
> agency with news that they had found that all major caching nameservers,
> including PowerDNS, could be negatively impacted by specially configured,
> hard to resolve domain names. With their permission, we continued the 3.6.2
> release process with the fix for the issue already in there.
>
> We recommend that all users upgrade to 3.6.2 if at all possible. Alternatively,
> if you want to apply a minimal fix to your own tree, it can be found
> [here](https://downloads.powerdns.com/patches/2014-02/), including patches for older versions.
>
> As for workarounds, only clients in allow-from are able to trigger the
> degraded service, so this should be limited to your userbase.

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail