PowerDNS Recursor Security Advisory 2024-01

Feb 13, 2024

Today we have released PowerDNS Recursor 4.8.6, 4.9.3 and 5.0.2.

These releases fix PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor.

PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor

  • CVE: CVE-2023-50387 and CVE-2023-50868
  • Date: 13th of February 2024.
  • Affects: PowerDNS Recursor up to and including 4.8.5, 4.9.2 and 5.0.1
  • Not affected: PowerDNS Recursor 4.8.6, 4.9.3 and 5.0.2
  • Severity: High
  • Impact: Denial of service
  • Exploit: This problem can be triggered by an attacker publishing a crafted zone
  • Risk of system compromise: None
  • Solution: Upgrade to patched version or disable DNSSEC validation
An attacker can publish a zone that contains crafted DNSSEC related records. While validating results from queries to that zone using the RFC mandated algorithms, the Recursor’s resource usage can become so high that processing of other queries is impacted, resulting in a denial of service. Note that any resolver following the RFCs can be impacted, this is not a problem of this particular implementation.

CVSS Score: 7.5, see https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1

The remedies are one of:

  • upgrade to a patched version
  • disable DNSSEC validation by setting dnssec=off or process-no-validate; when using YAML settings: dnssec.validate: off or process-no-validate. Note that this will affect clients depending on DNSSEC validation.

We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE for bringing CVE-2023-50387 to the attention of the DNS community and especially Niklas Vogel for his assistance in validating the patches. We would also like to thank Petr Špaček from ISC for discovering and responsibly disclosing CVE-2023-50868.

If you would like to know more about the vulnerabilities and the coordination process, please read ISC's blog post "BIND 9 Security Release and Multi-Vendor Vulnerability Handling".

Please refer to the changelogs  (4.8.6, 4.9.3 and 5.0.2) and upgrade guide for additional details. The upgrade guide describes one known issue related to the zoneToCache function.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarballs (4.8.6, 4.9.3, 5.0.2) (with signature files 4.8.6, 4.9.3, 5.0.2) are available from our download server and packages for several distributions are available from our repository.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.


About the author

Otto Moerbeek

Otto Moerbeek

Senior Developer at PowerDNS


Related Articles

PowerDNS Authoritative Server 4.9.0

This is release 4.9.0 of the Authoritative Server. It brings a few new features, and a collection of small improvements and...

Peter van Dijk Mar 15, 2024

PowerDNS Recursor: Extended DNS Errors Help You Troubleshooting

This is the seventh episode of a series of blog posts we are publishing, mostly around recent developments with respect to...

Otto Moerbeek Mar 12, 2024

PowerDNS Recursor 4.8.7, 4.9.4 and 5.0.3 Released

Today we have released PowerDNS Recursor 4.8.7, 4.9.4 and 5.0.3. These releases are maintenance releases that fix a few...

Otto Moerbeek Mar 7, 2024

PowerDNS Authoritative Server 4.9.0-beta2

This is release 4.9.0-beta2 (beta1 was not released, due to a tagging mistake) of the Authoritative Server. It brings a few...

Peter van Dijk Feb 16, 2024