Allele Security Alert
ASA-2018-00037
Identifier(s)
ASA-2018-00037, CVE-2018-14644
Title
Crafted query for meta-types can cause a denial of service
Vendor(s)
PowerDNS
Product(s)
PowerDNS Recursor
Affected version(s)
PowerDNS Recursor from 4.0.0 up to and including 4.1.4
Fixed version(s)
PowerDNS Recursor 4.0.9, 4.1.5
Proof of concept
Unknown
Description
An issue has been found in PowerDNS Recursor where a remote attacker sending a DNS query for a meta-type like OPT can cause a zone to be wrongly cached as failing DNSSEC validation. The issue only arises if the parent zone is signed and all the authoritative servers for that parent zone answer with FORMERR to a query for at least one of the meta-types. As a result, subsequent queries from clients requesting DNSSEC validation will be answered with a ServFail.
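To spot the query pattern described above in captured client traffic, the following added example (not code from the advisory or from PowerDNS) parses the question section of raw DNS queries and flags those whose QTYPE is a meta-type. The meta-TYPE code points are taken from RFC 6895 as an assumption about which types matter, and the sample packets are constructed.

```python
import struct

# Meta-TYPE code points from RFC 6895 section 3.1 (assumption: not listed in the advisory).
META_TYPES = {41: "OPT", 249: "TKEY", 250: "TSIG"}

def question_qtype(packet: bytes):
    """Return (qname, qtype) of the first question, or None if not a parsable query."""
    if len(packet) < 12:
        return None                         # shorter than a DNS header
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:       # response (QR set) or no question
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None                     # truncated QNAME
        length = packet[pos]
        pos += 1
        if length == 0:
            break                           # root label ends the name
        if length > 63 or pos + length > len(packet):
            return None                     # compression pointer or overrun
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None                         # QTYPE/QCLASS missing
    (qtype,) = struct.unpack("!H", packet[pos:pos + 2])
    return ".".join(labels) + ".", qtype

def meta_type_queries(packets):
    """Yield (index, qname, type name) for queries whose QTYPE is a meta-type."""
    for i, pkt in enumerate(packets):
        parsed = question_qtype(pkt)
        if parsed and parsed[1] in META_TYPES:
            yield i, parsed[0], META_TYPES[parsed[1]]

# Constructed sample queries for "example.com." (header, QNAME, QTYPE, QCLASS IN).
_HDR = bytes.fromhex("1a2b01000001000000000000")
_QNAME = b"\x07example\x03com\x00"
SAMPLES = [
    _HDR + _QNAME + struct.pack("!HH", 1, 1),     # A
    _HDR + _QNAME + struct.pack("!HH", 41, 1),    # OPT (meta-type)
    _HDR + _QNAME + struct.pack("!HH", 250, 1),   # TSIG (meta-type)
    _HDR + _QNAME[:5],                            # truncated QNAME
]

if __name__ == "__main__":
    for idx, name, tname in meta_type_queries(SAMPLES):
        print(f"packet {idx}: query for meta-type {tname} on {name}")
```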
Reference(s)
PowerDNS Security Advisories 2018-03, 2018-04, 2018-05, 2018-06 and 2018-07
https://seclists.org/oss-sec/2018/q4/137
PowerDNS Security Advisory 2018-07: Crafted query for meta-types can cause a denial of service
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html
CVE-2018-14644-rec-4.0.8.patch
https://downloads.powerdns.com/patches/2018-07/CVE-2018-14644-rec-4.0.8.patch
CVE-2018-14644-rec-4.1.4.patch
https://downloads.powerdns.com/patches/2018-07/CVE-2018-14644-rec-4.1.4.patch
CVE-2018-14644
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14644
CVE-2018-14644
https://nvd.nist.gov/vuln/detail/CVE-2018-14644
Last modified: November 8, 2018