ASA-2019-00016 – PowerDNS: Lua hooks are not applied in certain configurations


Allele Security Alert

ASA-2019-00016

Identifier(s)

ASA-2019-00016, CVE-2019-3806

Title

Lua hooks are not applied in certain configurations

Vendor(s)

PowerDNS

Product(s)

PowerDNS Recursor

Affected version(s)

PowerDNS Recursor from 4.1.4 up to and including 4.1.8

Fixed version(s)

PowerDNS Recursor 4.1.9

Proof of concept

Unknown

Description

An issue has been found in PowerDNS Recursor where Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua.

When the recursor is configured to run with more than one thread (threads=X) and to do the distribution of incoming queries to the worker threads itself (pdns-distributes-queries=yes), the Lua script is not properly loaded in the thread handling incoming TCP queries, causing the Lua hooks to not be properly applied.

Technical details

Unknown

Credits

Unknown

Reference(s)

PowerDNS Recursor 4.1.9 Released
https://blog.powerdns.com/2019/01/21/powerdns-recursor-4-1-9-released/

PowerDNS Security Advisory 2019-01: Lua hooks are not applied in certain configurations
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-01.html

PowerDNS Security Advisories 2011-01 and 2019-02
https://seclists.org/oss-sec/2019/q1/77

CVE-2019-3806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3806

CVE-2019-3806
https://nvd.nist.gov/vuln/detail/CVE-2019-3806

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 1, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.