Allele Security Alert
ASA-2019-00016
Identifier(s)
ASA-2019-00016, CVE-2019-3806
Title
Lua hooks are not applied in certain configurations
Vendor(s)
PowerDNS
Product(s)
PowerDNS Recursor
Affected version(s)
PowerDNS Recursor from 4.1.4 up to and including 4.1.8
Fixed version(s)
PowerDNS Recursor 4.1.9
Proof of concept
Unknown
Description
An issue has been found in PowerDNS Recursor where Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua.
When the recursor is configured to run with more than one thread (threads=X) and to do the distribution of incoming queries to the worker threads itself (pdns-distributes-queries=yes), the Lua script is not properly loaded in the thread handling incoming TCP queries, causing the Lua hooks to not be properly applied.
Technical details
Unknown
Credits
Unknown
Reference(s)
PowerDNS Recursor 4.1.9 Released
https://blog.powerdns.com/2019/01/21/powerdns-recursor-4-1-9-released/
PowerDNS Security Advisory 2019-01: Lua hooks are not applied in certain configurations
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-01.html
PowerDNS Security Advisories 2011-01 and 2019-02
https://seclists.org/oss-sec/2019/q1/77
CVE-2019-3806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3806
CVE-2019-3806
https://nvd.nist.gov/vuln/detail/CVE-2019-3806
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 1, 2019