Allele Security Alert
Crafted zone record and crafted answer can cause a denial of service
PowerDNS Authoritative from 3.3.0 up to and including 4.1.4
PowerDNS Recursor from 3.2 up to and including 4.1.4
PowerDNS Authoritative 4.1.5, 4.0.6
PowerDNS Recursor 4.1.5, 4.0.9
Proof of concept
An issue has been found in PowerDNS Authoritative Server allowing an authorized user to cause a memory leak by inserting a specially crafted record in a zone under their control, then sending a DNS query for that record.
An issue has been found in PowerDNS Recursor allowing a malicious authoritative server to cause a memory leak by sending specially crafted records.
The issue is due to the fact that some memory is allocated before the parsing and is not always properly released if the record is malformed.
When the PowerDNS Authoritative Server or PowerDNS Recursor is run inside the guardian (–guardian), or inside a supervisor like supervisord or systemd, an out-of-memory crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.
PowerDNS Security Advisories 2018-03, 2018-04, 2018-05, 2018-06 and 2018-07
PowerDNS Security Advisory 2018-03: Crafted zone record can cause a denial of service
PowerDNS Security Advisory 2018-04: Crafted answer can cause a denial of service
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: November 8, 2018