Security Advisory 2021-01 for PowerDNS Authoritative Server 4.5.0

Jul 26, 2021
Hello,

today we have released PowerDNS Authoritative Server 4.5.1, fixing a remotely triggered crash present in version 4.5.0. No other versions are affected.

Tarballs and signatures are available at https://downloads.powerdns.com/releases/, and a single patch is available at https://downloads.powerdns.com/patches/2021-01/. Note that 4.5.1 contains no other changes.

Please find the full text of the advisory below.

PowerDNS Security Advisory 2021-01: Specific query crashes Authoritative Server

  • CVE: CVE-2021-36754
  • Date: July 26th, 2021
  • Affects: PowerDNS Authoritative version 4.5.0
  • Not affected: 4.4.x and below, 4.5.1
  • Severity: High
  • Impact: Denial of service
  • Exploit: This problem can be triggered via a specific query packet
  • Risk of system compromise: None
  • Solution: Upgrade to 4.5.1, or filter queries in dnsdist

PowerDNS Authoritative Server 4.5.0 (and the alpha/beta/rc1/rc2 prereleases that came before it) will crash with an uncaught out-of-bounds exception if it receives a query with QTYPE 65535. The offending code was not present in earlier versions, and they are not affected.

Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)).
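As an added illustration of the dnsdist mitigation above (this is not PowerDNS or dnsdist code), the following Python parses the question section of a wire-format DNS query and applies the same policy as QTypeRule(65535) with RCodeAction(DNSRCode.REFUSED): it reports whether a query must be refused and builds the matching REFUSED reply. The build_query helper, the query IDs and the name example.com are constructed test input.

```python
import struct

RCODE_REFUSED = 5
BLOCKED_QTYPES = {65535}  # the QTYPE that crashes Authoritative Server 4.5.0

def parse_question(packet: bytes):
    """Return (qname, qtype, qclass, end_offset) for the first question."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack("!H", packet[4:6])[0] == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("invalid label length")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels) or ".", qtype, qclass, pos + 4

def should_refuse(packet: bytes) -> bool:
    """Policy equivalent of QTypeRule(65535): True if the query must be refused."""
    return parse_question(packet)[1] in BLOCKED_QTYPES

def refused_response(packet: bytes) -> bytes:
    """REFUSED reply: same ID, opcode and RD bit, question echoed, no records."""
    end = parse_question(packet)[3]
    ident, flags = struct.unpack("!HH", packet[:4])
    rflags = 0x8000 | (flags & 0x7900) | RCODE_REFUSED  # QR=1, keep OPCODE/RD
    return struct.pack("!HHHHHH", ident, rflags, 1, 0, 0, 0) + packet[12:end]

def build_query(ident: int, name: str, qtype: int, qclass: int = 1) -> bytes:
    """Construct a sample query packet (constructed test input, not captured traffic)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, qclass)

if __name__ == "__main__":
    bad = build_query(0x1234, "example.com.", 65535)  # the QTYPE named in the advisory
    ok = build_query(0x1235, "example.com.", 1)       # an ordinary A query
    print(should_refuse(bad), should_refuse(ok))      # True False
    print(refused_response(bad).hex())
```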

When the PowerDNS Authoritative Server is run inside a supervisor like supervisord or systemd, an uncaught exception crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.

We would like to thank Reinier Schoof and Robin Geuze of TransIP for noticing crashes in production, immediately letting us know, and helping us figure out what was happening.

About the author

Peter van Dijk

Senior Developer at PowerDNS
