Allele Security Alert
ASA-2019-00478
Identifier(s)
ASA-2019-00478, CVE-2019-10203
Title
Denial of service via crafted zone records
Vendor(s)
PowerDNS
Product(s)
PowerDNS Authoritative Server
Affected version(s)
PowerDNS Authoritative Server up to and including 4.1.10 is affected when using the gpgsql (PostgreSQL) backend
Fixed version(s)
To fix the issue, run* the following command against your PostgreSQL pdns database:
`ALTER TABLE domains ALTER notified_serial TYPE bigint USING CASE WHEN notified_serial >= 0 THEN notified_serial::bigint END;`
No software changes are required.
Updated packages (that only contain a Postgres schema change) will be released later.
Proof of concept
Unknown
Description
An issue has been found in PowerDNS Authoritative Server allowing an authorized user to cause the server to exit by inserting a crafted record in a MASTER type zone under their control. The issue is due to the fact that the Authoritative Server will exit when it tries to store the notified serial in the PostgreSQL database, if this serial cannot be represented in 31 bits.
Technical details
Unknown
Credits
Klaus Darilion
Reference(s)
PowerDNS Security Advisory 2019-06: Denial of service via crafted zone records
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-06.html
PowerDNS Security Advisory 2019-06: Denial of service via crafted zone records
https://www.openwall.com/lists/oss-security/2019/07/30/2
CVE-2019-10203
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10203
CVE-2019-10203
https://nvd.nist.gov/vuln/detail/CVE-2019-10203
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: August 5, 2019