Security Update: PowerDNS Recursor 3.6.1

Sep 10, 2014

Hi everybody,

We regret that we have to announce a PowerDNS Recursor security release:

Issue:    A specific sequence of packets can crash PowerDNS Recursor 3.6.0 remotely
CVE:      CVE-2014-3614
Affected: All deployments of PowerDNS Recursor 3.6.0 
Not Affected: 
          PowerDNS Authoritative Server, PowerDNS Recursor versions other than 3.6.0 
Workaround: 
          1) Only users from netmasks specified in 'allow-from' can cause the crash 
          2) add automated restarting
Remediation: 
          Upgrade to 3.6.1, or apply our minimal patch and recompile
          Distributions shipping 3.6.0 have been notified and will be providing updates very soon

Recently, we’ve discovered that PowerDNS Recursor 3.6.0 (but NOT earlier) can crash when exposed to a specific sequence of malformed packets. This sequence happened spontaneously with one of our largest deployments, and the packets did not appear to have a malicious origin.

Yet, this crash can be triggered remotely, leading to a denial of service attack. There appears to be no way to use this crash for system compromise or stack overflow.

PowerDNS Recursor 3.6.1 packages and sources are available from https://www.powerdns.com/downloads.html

In addition, if you want to apply a minimal fix, it can be found on: https://xs.powerdns.com/tmp/minipatch-3.6.1

Finally, distributions that ship PowerDNS Recursor 3.6.0 have been notified and will be providing updated packages soon.

As for workarounds, only clients in allow-from are able to trigger the crash, so this should be limited to your userbase. Secondly, https://github.com/PowerDNS/pdns/blob/master/contrib/upstart-recursor.conf
and https://github.com/PowerDNS/pdns/blob/master/contrib/systemd-pdns-recursor.service
can be used to enable Upstart and Systemd to restart the PowerDNS Recursor in case of a crash.

3.6.1 release notes:

In addition to various fixes related to this potential crash, 3.6.1 fixes a few minor issues and adds a debugging feature:

  • We could not encode IPv6 AAAA records that mapped to IPv4 addresses in some cases (:ffff.1.2.3.4). Fixed in commit c90fcbd , closing ticket 1663.
  • Improve systemd startup timing with respect to network availability (commit cf86c6a), thanks to Morten Stevens.
  • Realtime telemetry can now be enabled at runtime, for example with ‘rec_control carbon-server 82.94.213.34 ourname1234’. This ties in to our existing carbon-server and carbon-ourname settings, but now at runtime. This specific invocation will make your stats appear automatically on our public telemetry server.
 

We want to thank the dedicated PowerDNS users that spent months investigating the rare crashes they observed. Without such an engaged community, we would never be able to chase down issues like these.

If you need any help with upgrading, please contact us either on the mailing lists or via our website.

About the author

Bert Hubert

Bert Hubert

Principal, PowerDNS

Categories

Related Articles

PowerDNS Recursor Security Advisory 2024-01

Today we have released PowerDNS Recursor 4.8.6, 4.9.3 and 5.0.2. These releases fix PowerDNS Security Advisory 2024-01:...

Otto Moerbeek Feb 13, 2024

PowerDNS Recursor 5.0.1 Released

We are proud to announce the release of PowerDNS Recursor 5.0.1! This is the first public release of the 5.0 branch....

Otto Moerbeek Jan 10, 2024

PowerDNS Recursor 5.0.0-rc2 Released

We are proud to announce the second release candidate of PowerDNS Recursor 5.0.0. Compared to the latest 4.9 release, this...

Otto Moerbeek Dec 20, 2023

PowerDNS Recursor 5.0.0-rc1 Released

We are proud to announce the first release candidate of PowerDNS Recursor 5.0.0. Compared to the latest 4.9 release, this...

Otto Moerbeek Dec 6, 2023