Today we have released PowerDNS Recursor 4.8.6, 4.9.3 and 5.0.2.
These releases fix PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor.
PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor
- CVE: CVE-2023-50387 and CVE-2023-50868
- Date: 13th of February 2024.
- Affects: PowerDNS Recursor up to and including 4.8.5, 4.9.2 and 5.0.1
- Not affected: PowerDNS Recursor 4.8.6, 4.9.3 and 5.0.2
- Severity: High
- Impact: Denial of service
- Exploit: This problem can be triggered by an attacker publishing a crafted zone
- Risk of system compromise: None
- Solution: Upgrade to patched version or disable DNSSEC validation
CVSS Score: 7.5, see https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
The remedies are one of:
- upgrade to a patched version
- disable DNSSEC validation by setting
dnssec=off
orprocess-no-validate
; when using YAML settings:dnssec.validate: off
orprocess-no-validate
. Note that this will affect clients depending on DNSSEC validation.
We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE for bringing CVE-2023-50387 to the attention of the DNS community and especially Niklas Vogel for his assistance in validating the patches. We would also like to thank Petr Špaček from ISC for discovering and responsibly disclosing CVE-2023-50868.
If you would like to know more about the vulnerabilities and the coordination process, please read ISC's blog post "BIND 9 Security Release and Multi-Vendor Vulnerability Handling".
Please refer to the changelogs (4.8.6, 4.9.3 and 5.0.2) and upgrade guide for additional details. The upgrade guide describes one known issue related to the zoneToCache function.
Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.
The tarballs (4.8.6, 4.9.3, 5.0.2) (with signature files 4.8.6, 4.9.3, 5.0.2) are available from our download server and packages for several distributions are available from our repository.
We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.