PowerDNS Blog

PowerDNS Recursor Security Advisory 2024-02

Written by Otto Moerbeek | Apr 24, 2024 10:40:38 AM

Today we have released PowerDNS Recursor 4.8.8, 4.9.5 and 5.0.4.

These releases fix PowerDNS Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor.

PowerDNS Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor

  • CVE: CVE-2024-25583
  • Date: 24th of April 2024.
  • Affects: PowerDNS Recursor 4.8.7, 4.9.4 and 5.0.3, earlier versions are not affected
  • Not affected: PowerDNS Recursor 4.8.8, 4.9.5 and 5.0.4
  • Severity: High (only when using recursive forwarding)
  • Impact: Denial of service
  • Exploit: This problem can be triggered by an attacker publishing a crafted zone
  • Risk of system compromise: None
  • Solution: Upgrade to patched version

A crafted response from an upstream server the recursor has been configured to forward-recurse to can cause a Denial of Service in the Recursor. The default configuration of the Recursor does not use recursive forwarding and is not affected.

CVSS Score: 7.5, only for configurations using recursive forwarding, see
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1

The remedy is to update to a patched version.

Please refer to the changelogs  (4.8.8, 4.9.5 and 5.0.4) and upgrade guide for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarballs (4.8.8, 4.9.5, 5.0.4) (with signature files 4.8.8, 4.9.5, 5.0.4) are available from our download server and packages for several distributions are available from our repository.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.