PowerDNS Security Advisory 2015-02

Sep 2, 2015

A bug was recently found in our DNS packet parsing/generation code, which, when exploited, can cause individual threads (disabling service) or whole processes (allowing a supervisor to restart them) to crash with just one or a few query packets.

  • CVE: CVE-2015-5230
  • Date: 2nd of September 2015
  • Credit: Pyry Hakulinen and Ashish Shakla at Automattic
  • Affects: PowerDNS Authoritative Server 3.4.0 through 3.4.5
  • Not affected: PowerDNS Authoritative Server 3.4.6
  • Severity: High
  • Impact: Degraded service or Denial of service
  • Exploit: This problem can be triggered by sending specially crafted query packets
  • Risk of system compromise: No
  • Solution: Upgrade to a non-affected version
  • Workaround: Run the Authoritative Server inside a supervisor when `distributor-threads` is set to `1` to prevent Denial of Service. No workaround for the degraded service exists

PowerDNS Authoritative Server 3.4.0-3.4.5 are affected. No other versions are affected. The PowerDNS Recursor is not affected.

PowerDNS Authoritative Server 3.4.6 contains a fix to this issue. A minimal patch is available.

This issue is entirely unrelated to Security Advisory 2015-01/CVE-2015-1868.

We’d like to thank Pyry Hakulinen and Ashish Shakla at Automattic for finding and subsequently reporting this bug.
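The affected range and the workaround condition above can be checked with a short triage script; this is an added example, not code from PowerDNS. The function names, the handling of packaging suffixes, the last-occurrence rule for a repeated key and the sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage for the 2015-02 advisory (CVE-2015-5230).

# is_affected VERSION: succeeds when VERSION is 3.4.0 through 3.4.5.
# Assumption: packaging suffixes ("-1", "~rc1", "+b1") are ignored, which
# errs on the side of reporting a build as affected.
is_affected() {
    case ${1%%[-~+]*} in
        3.4.[0-5]) return 0 ;;
        *)         return 1 ;;
    esac
}

# distributor_threads CONF: print the distributor-threads value from a
# pdns.conf-style file, or nothing if it is not set. Commented-out lines are
# skipped. Assumption: if the key is repeated, the last occurrence is used.
distributor_threads() {
    sed -n 's/^[[:space:]]*distributor-threads[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$1" | tail -n 1
}

# triage VERSION CONF: print the action the advisory calls for.
triage() {
    if ! is_affected "$1"; then
        echo "not affected"
        return 0
    fi
    case $(distributor_threads "$2") in
        1)  echo "affected: upgrade; until then run under a supervisor" ;;
        "") echo "affected: upgrade; distributor-threads not set, check effective value" ;;
        *)  echo "affected: upgrade; no workaround for degraded service" ;;
    esac
}

# Constructed sample configuration, not taken from a real deployment.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
launch=gmysql
# distributor-threads=3
distributor-threads=1
EOF
triage 3.4.5 "$demo_conf"
triage 3.4.6 "$demo_conf"
rm -f "$demo_conf"
```

Call `triage` with the installed Authoritative Server version and the path to its configuration file.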

About the author

Pieter Lexis

Senior Developer at PowerDNS
