PowerDNS patches five security holes in widely used nameserver software

PowerDNS, the company behind the popular open source DNS software of the same name, has pushed out security updates and patches for its Authoritative Server and Recursor offerings that, among other things, fix five security vulnerabilities of note.


“PowerDNS users and customers include leading telecommunications service providers, large scale integrators, Wikipedia, content distribution networks, cable networks / multi service operators and Fortune 500 software companies,” the company proclaims on their site.

“In various important markets, such as Scandinavia, Germany and The Netherlands, PowerDNS is the number one supplier of nameserver software.”

About the vulnerabilities

PowerDNS developer Remi Gacogne detailed the vulnerabilities in a post on the Open Source Security Mailing List (oss-sec), and pointed out that each of them can be exploited only if the target has a specific configuration that is not enabled by default.

The security issues, numbered sequentially CVE-2017-15090 to CVE-2017-15094, can’t lead to system compromise, but can be used to alter the content of records, cause Denial of Service, alter the content of web interfaces, change configurations, and lead to a memory leak.

CVE-2017-15091, the only vulnerability among them that affects the PowerDNS Authoritative server, can be triggered only by attackers who got their hands on valid API credentials.

CVE-2017-15090 can be exploited by attackers who have achieved a man-in-the-middle position to issue a valid signature for bogus DNSSEC records.

CVE-2017-15093 can also only be triggered by attackers with valid API credentials, allowing them to inject new configuration directives into the Recursor’s configuration.

The vulnerabilities have been flagged by Kees Monshouwer, everyman, Chris Navarrete of Fortinet’s Fortiguard Labs, and researchers from cybersecurity company Nixu (during a source code audit).

Risk arising from two of the flaws can be mitigated via workarounds, but implementing the updates (PowerDNS Authoritative 4.0.5 and Recursor 4.0.7) and patches (for the 3.4.11 and 3.7.4 releases) is the preferred solution.
