Re: [Pdns-announce] PowerDNS Security Advisory 2015-01

["Peter van Dijk" <peter.van.dijk () powerdns com>]

Hi everybody,

Last week, we released Security Advisory 2015-01 (https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/), 
with text suggesting that only specific platforms were seriously affected. We must now report that this was incorrect: 
all platforms are impacted. The advisory has been updated to that effect.

Furthermore, by popular demand, we have released Authoritative Server 3.3.2, an update to version 3.3.1 which includes 
DNSSEC improvements and of course a patch for the security issue. Please see 
http://blog.powerdns.com/2015/05/01/important-update-for-security-advisory-2015-01/ for links.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

On 23 Apr 2015, at 13:05, Peter van Dijk wrote:

> Hi everybody,
>
> Please be aware of PowerDNS Security Advisory 2015-01
> (http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/), which you
> can also find below. The good news is that as far as we have seen, only
> specific builds for RHEL5 are affected, but just to be sure we are doing
> full releases of all recent versions of our products.
>
> Packages and distribution tar balls of Recursor 3.6.3, Recursor 3.7.2 and Auth
> 3.4.4 are available in the usual places, and release announcements will be sent
> out right after this email.
>
> If you prefer a minimal patch, please go to
> https://downloads.powerdns.com/patches/2015-01/ and see README.txt there.
>
> If you have problems upgrading, please either contact us on our mailing lists,
> or privately via powerdns.support () powerdns com (should you wish to make use of
> our SLA-backed support program).
>
> We want to thank Aki Tuomi for finding this issue, and really digging into it.
> We also want to thank Kees Monshouwer for assisting in debugging and fixing
> the offending code. Finally we want to thank Kai Storbeck for putting an
> earlier, broken version of the patch into production and being understanding
> about the names that broke because of it.
>
>
> PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes
> on specific platforms
>
>   * CVE: CVE-2015-1868
>   * Date: 23rd of April 2015
>   * Credit: Aki Tuomi
>   * Affects: PowerDNS Recursor versions 3.5 and up; Authoritative
>     Server 3.2 and up
>   * Not affected: Recursor 3.6.3; Recursor 3.7.2; Auth 3.4.4
>   * Severity: High
>   * Impact: Degraded service
>   * Exploit: This problem can be triggered by sending queries for
>     specifically configured domains
>   * Risk of system compromise: No
>   * Solution: Upgrade to any of the non-affected versions
>   * Workaround: Run your Recursor under a supervisor. Exposure can be
>     limited by configuring the allow-from setting so only trusted
>     users can query your nameserver.
>
> A bug was discovered in our label decompression code, making it
> possible for names to refer to themselves, thus causing a loop during
> decompression. This loop is capped at a 1000 iterations by a failsafe,
> making the issue harmless on most platforms.
>
> However, on specific platforms (so far, we are only aware of this
> happening on RHEL5/CentOS5), the recursion involved in these 1000 steps
> causes memory corruption leading to a quick crash, presumably because
> the default stack is too small.
>
> We recommend that all users upgrade to a corrected version if at all
> possible. Alternatively, if you want to apply a minimal fix to your own
> tree, please find patches here: https://downloads.powerdns.com/patches/2015-01/
>
> These should be trivial to backport to older versions by hand.
>
> As for workarounds, only clients in allow-from are able to trigger the
> degraded service, so this should be limited to your userbase; further,
> we recommend running your critical services under supervision such as
> systemd, supervisord, daemontools, etc.
>
> We want to thank Aki Tuomi for noticing this in production, and then
> digging until he got to the absolute bottom of what at the time
> appeared to be a random and spurious failure.
>
> _______________________________________________
> Pdns-announce mailing list
> Pdns-announce () mailman powerdns com
> http://mailman.powerdns.com/mailman/listinfo/pdns-announce

Attachment: signature.asc
Description: OpenPGP digital signature