ASA-2019-00017 – PowerDNS: Insufficient validation of DNSSEC signatures


Allele Security Alert

ASA-2019-00017

Identifier(s)

ASA-2019-00017, CVE-2019-3807

Title

Insufficient validation of DNSSEC signatures

Vendor(s)

PowerDNS

Product(s)

PowerDNS Recursor

Affected version(s)

PowerDNS Recursor from 4.1.0 up to and including 4.1.8

Fixed version(s)

PowerDNS Recursor 4.1.9

Proof of concept

Unknown

Description

An issue has been found in PowerDNS Recursor where records in the answer section of responses received from authoritative servers were not properly validated when the response did not have the AA flag set, allowing an attacker to bypass DNSSEC validation.

Technical details

Unknown

Credits

Ralph Dolmans and George Thessalonikefs (NLnet Labs)

Reference(s)

PowerDNS Recursor 4.1.9 Released
https://blog.powerdns.com/2019/01/21/powerdns-recursor-4-1-9-released/

PowerDNS Security Advisory 2019-02: Insufficient validation of DNSSEC signatures
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-02.html

PowerDNS Security Advisories 2011-01 and 2019-02
https://seclists.org/oss-sec/2019/q1/77

CVE-2019-3807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3807

CVE-2019-3807
https://nvd.nist.gov/vuln/detail/CVE-2019-3807

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 1, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.