PowerDNS
Dear PowerDNS Users,
Two major vulnerabilities have recently been discovered in the PowerDNS
Recursor (all versions up to and including 3.1.7.1). Over the past two
weeks, these vulnerabilities have been addressed, resulting in PowerDNS
Recursor 3.1.7.2.
Given the nature and magnitude of these vulnerabilities, ALL PowerDNS
RECURSOR USERS ARE URGED TO UPGRADE AT THEIR EARLIEST CONVENIENCE. No
versions of the PowerDNS Authoritative Server are affected.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: PowerDNS: Multiple vulnerabilities
Date: December 19, 2008
Bugs: #234032, #247079
ID: 200812-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: PowerDNS Recursor: DNS Cache Poisoning
Date: April 18, 2008
Bugs: #215567
ID: 200804-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
======================================================================
1) Affected Software
* Quicksilver Forums 1.4.2
* PowerDNS Administrator 1.1.8
* QSF Portal 1.4.5
NOTE: Other versions may also be affected.
======================================================================
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: PowerDNS Recursor: DNS Cache Poisoning
Date: April 18, 2008
Updated: August 21, 2008
Bugs: #215567, #231335
ID: 200804-22:03
Hello BugTraq
Once again, a DNS cache poisoning against a popular DNS cache
server. This time, it's PowerDNS (the third most popular DNS
server, servicing over 40 million users). The vendor coded
several impressive security measures against DNS spoofing (e.g.
UDP source port randomization and spoofed response detection),
but relied on the standard C randomization facility (the rand()
and srand() functions in <stdlib.h>). The two popular stdlib
implementations analyzed, glibc (used with GNU C++ for Linux/
Package : pdns
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-3337
Brian Dowling discovered that the PowerDNS authoritative name server
does not respond to DNS queries which contain certain characters,
increasing the risk of successful DNS spoofing (CVE-2008-3337). This
update changes PowerDNS to respond with SERVFAIL responses instead.
For the stable distribution (etch), this problem has been fixed in version
Vulnerability : DNS cache poisoning
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-4010
It was discovered that pdns-recursor, the PowerDNS recursive name server,
contains a cache poisoning vulnerability which may allow attackers to trick the
server into serving incorrect DNS data (CVE-2009-4010).
This DSA provides a security update for the old stable distribution
(etch), similar to the previous update in DSA-1968-1. (Note that the
configuring BIND 9 to forward queries to a resolver which can, possibly
over a VPN such as OpenVPN to create the necessary trusted network link.
(Use BIND's forward-only mode in this case.)
Other caching resolvers distributed by Debian (PowerDNS, MaraDNS,
Unbound) already employ source port randomization, and no updated
packages are needed. BIND 9.5 up to and including version
1:9.5.0.dfsg-4 only implements a weak form of source port
randomization and needs to be updated as well. For information on
BIND 8, see DSA-1604-1, and for the status of the libc stub resolver,
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-4009 CVE-2009-4010
It was discovered that pdns-recursor, the PowerDNS recursive name
server, contains several vulnerabilities:
A buffer overflow can be exploited to crash the daemon, or potentially
execute arbitrary code (CVE-2009-4009).
Sounds like they just draw a random number each time, regardless of the
history (i.e. of previously drawn numbers), which can cause collisions
(I think that's the phenomenon you describe). BIND 9 has a mechanism
that ensures that collisions are discarded. OpenBSD retains history of
the last 32K (IIRC) numbers used, and does not re-use those numbers.
PowerDNS randomizes UDP source ports, so it considerably reduces
collision likelihood. I guess MS didn't implement any such mechanism (I
don't know for sure because I never reviewed their solution - I didn't
get a preview version from MS).
Thanks,