We regret that we have to announce a PowerDNS Recursor security release:
- Issue: A specific sequence of packets can crash PowerDNS Recursor 3.6.0 remotely
- CVE: CVE-2014-3614
- Affected: All deployments of PowerDNS Recursor 3.6.0
- Not Affected: PowerDNS Authoritative Server, PowerDNS Recursor versions other than 3.6.0
- Workaround: 1) Only users from netmasks specified in 'allow-from' can cause the crash 2) add automated restarting
- Remediation: Upgrade to 3.6.1, or apply our minimal patch and recompile

Distributions shipping 3.6.0 have been notified and will be providing updates very soon.
Recently, we’ve discovered that PowerDNS Recursor 3.6.0 (but NOT earlier) can crash when exposed to a specific sequence of malformed packets. This sequence happened spontaneously with one of our largest deployments, and the packets did not appear to have a malicious origin.
Yet, this crash can be triggered remotely, leading to a denial of service attack. There appears to be no way to use this crash for system compromise or stack overflow.
PowerDNS Recursor 3.6.1 packages and sources are available from https://www.powerdns.com/downloads.html
In addition, if you want to apply a minimal fix, it can be found on: https://xs.powerdns.com/tmp/minipatch-3.6.1
Finally, distributions that ship PowerDNS Recursor 3.6.0 have been notified and will be providing updated packages soon.
As for workarounds, only clients in allow-from are able to trigger the crash, so this should be limited to your userbase. Secondly, https://github.com/PowerDNS/pdns/blob/master/contrib/upstart-recursor.conf can be used to enable Upstart and Systemd to restart the PowerDNS Recursor in case of a crash.
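An added example, not from PowerDNS or this announcement: a small Python audit that reads the allow-from setting out of a recursor.conf and lists which netmasks can reach the recursor, and so which clients fall inside the exposure described above. The sample configuration, the LOCAL range list and the verdict labels are assumptions made for illustration.

```python
import ipaddress

# Assumption: ranges this audit treats as local/private. Adjust to your network.
LOCAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample configuration, not taken from the advisory.
SAMPLE_CONF = """\
# recursor.conf (constructed sample)
local-address=0.0.0.0
allow-from=127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/0, 2001:db8::/32, ::1/128
"""

def parse_allow_from(conf_text):
    """Return the networks of the last allow-from line (assumed: last one wins)."""
    nets = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allow-from":
            # strict=False accepts entries with host bits set, e.g. 192.0.2.77/24
            nets = [ipaddress.ip_network(v.strip(), strict=False)
                    for v in value.split(",") if v.strip()]
    return nets

def classify(net):
    """'open' = whole address family, 'local' = inside LOCAL, else 'review'."""
    if net.prefixlen == 0:
        return "open"
    if any(net.version == loc.version and net.subnet_of(loc) for loc in LOCAL):
        return "local"
    return "review"

def audit(conf_text):
    """List (netmask, verdict) for every allow-from entry."""
    return [(str(n), classify(n)) for n in parse_allow_from(conf_text)]

if __name__ == "__main__":
    for net, verdict in audit(SAMPLE_CONF):
        print(f"{verdict:7} {net}")
```

Entries marked "open" or "review" are the ones to compare against your actual userbase while 3.6.0 is still deployed.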
3.6.1 release notes:
In addition to various fixes related to this potential crash, 3.6.1 fixes a few minor issues and adds a debugging feature:
- We could not encode IPv6 AAAA records that mapped to IPv4 addresses in some cases (:ffff.188.8.131.52). Fixed in commit c90fcbd, closing ticket 1663.
- Improve systemd startup timing with respect to network availability (commit cf86c6a), thanks to Morten Stevens.
- Realtime telemetry can now be enabled at runtime, for example with ‘rec_control carbon-server 184.108.40.206 ourname1234’. This ties in to our existing carbon-server and carbon-ourname settings, but now at runtime. This specific invocation will make your stats appear automatically on our public telemetry server.
We want to thank the dedicated PowerDNS users that spent months investigating the rare crashes they observed. Without such an engaged community, we would never be able to chase down issues like these.