Security Advisory 2022-02 for PowerDNS Recursor up to and including 4.5.9, 4.6.2, 4.7.1

Aug 23, 2022

Hello,

Today we have released PowerDNS Recursor 4.5.10, 4.6.3 and 4.7.2 due to a medium severity issue found. The security advisory only applies to Recursors running with protobuf logging enabled.

Please find the full text of the advisory below.

The changelogs are available at 4.5.10, 4.6.3, 4.7.2.

The source tarballs (4.5.10, 4.6.3, 4.7.2) and signatures (4.5.10, 4.6.3, 4.7.2) are available from our download server. Patches are available at patches. Packages for various distributions are available from our repository.

Note that PowerDNS Recursor 4.4.x and older releases are End of Life. Consult the EOL policy for more details.


PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation

1
2
3
4
5
6
7
8
9
CVE: CVE-2022-37428
Date: 23th of August 2022.
Affects: PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1
Not affected: PowerDNS Recursor 4.5.10, 4.6.3 and 4.7.2
Severity: Medium
Impact: Denial of service
Exploit: This problem can be triggered by a remote attacker with access to the recursor if protobuf logging is enabled
Risk of system compromise: None
Solution: Upgrade to patched version, disable protobuf logging of responses

This issue only affects recursors which have protobuf logging enabled using the

  • protobufServer function with logResponses=true or
  • outgoingProtobufServer function with logResponses=true

If either of these functions is used without specifying logResponses, its value is true.
An attacker needs to have access to the recursor, i.e. the remote IP must be in the access control list.
If an attacker queries a name that leads to an answer with specific properties, a protobuf message might be generated that causes an exception. The code does not handle this exception correctly, causing a denial of service.

About the author

Otto Moerbeek

Otto Moerbeek

Senior Developer at PowerDNS

Categories

Related Articles

PowerDNS Recursor Security Advisory 2024-04

Today we have released PowerDNS Recursor 4.9.9, 5.0.9 and 5.1.2. These releases fix PowerDNS Security Advisory 2024-04:...

Otto Moerbeek Oct 3, 2024

PowerDNS Authoritative Server 4.9.2

This is release 4.9.2 of the Authoritative Server. It contains a collection of small fixes. A detailed list of changes can...

Peter van Dijk Oct 1, 2024

Cloud-native DNS filtering with Cloud Control 3.0

From very early on, PowerDNS recognized the benefits that a cloud-native DNS deployment provides to our customers. Just to...

Neil Cook Sep 3, 2024

PowerDNS Recursor 4.9.8, 5.0.8 and 5.1.1 Released

Today we have released PowerDNS Recursor 4.9.8, 5.0.8 and 5.1.1. These releases are maintenance releases that fix a few bugs...

Otto Moerbeek Jul 23, 2024