Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 593286 (CVE-2016-5426, CVE-2016-5427)

Summary: <net-dns/pdns-3.4.10: Crafted queries can cause unexpected backend load (CVE-2016-{5426,5427})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: swegener
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2016/09/09/3
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 588656    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2016-09-09 13:27:04 UTC
From ${URL} :

Hi All,

Two security issues of medium severity have been reported to us by
Florian Heinz and Martin Kluge in PowerDNS Authoritative Server <=
3.4.9. We released PowerDNS Authoritative 3.4.10 a week ago, fixing both
issues. PowerDNS Authoritative 4.0.x and PowerDNS Recursor are not affected.

The corresponding security advisory is provided below, and can also be
found at: https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/

Please feel free to contact me directly if you have any question.


PowerDNS Security Advisory 2016-01: Crafted queries can cause unexpected
backend load

CVE: CVE-2016-5426, CVE-2016-5427
Date: 9th of September 2016
Credit: Florian Heinz and Martin Kluge
Affects: PowerDNS Authoritative Server up to and including 3.4.9
Not affected: PowerDNS Authoritative Server 3.4.10, 4.x
Severity: Medium
Impact: Degraded service or Denial of service
Exploit: This problem can be triggered by sending specially crafted
query packets
Risk of system compromise: No
Solution: Upgrade to a non-affected version
Workaround: Run dnsdist with the rules provided below in front of
potentially affected servers, or dimension the backend capacity so that
it can handle the increased load.

Two issues have been found in PowerDNS Authoritative Server allowing a
remote, unauthenticated attacker to cause an abnormal load on the
PowerDNS backend by sending crafted DNS queries, which might result in a
partial denial of service if the backend becomes overloaded. SQL
backends for example are particularly vulnerable to this kind of
unexpected load if they have not been dimensioned for it.
The first issue is based on the fact that PowerDNS Authoritative Server
accepts queries with a qname's length larger than 255 bytes. This issue
has been assigned CVE-2016-5426.
The second issue is based on the fact that PowerDNS Authoritative Server
does not properly handle dot inside labels. This issue has been assigned
CVE-2016-5427.
Both issues have been addressed by this commit:
https://github.com/PowerDNS/pdns/commit/881b5b03a590198d03008e4200dd00cc537712f3

PowerDNS Authoritative Server up to and including 3.4.9 is affected. No
other versions are affected. The PowerDNS Recursor is not affected.

dnsdist can be used to block crafted queries, using
QNameWireLengthRule() to block queries with a qname larger than 255
bytes and QNameLabelsCountRule() to block queries with a very large
amount of labels. Please note that restricting the number of labels in a
query might lead to unexpected issues, especially with DNSSEC-enabled
domains.

We'd like to thank Florian Heinz and Martin Kluge for finding and
subsequently reporting this issue.



@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Sven Wegener gentoo-dev 2016-09-12 21:03:53 UTC
pdns-3.4.10 is ready for stabilization
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 20:43:35 UTC
@ Security: Please vote!
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-11-18 23:19:01 UTC
CVE-2016-5427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5427):
  PowerDNS (aka pdns) Authoritative Server before 3.4.10 does not properly
  handle a . (dot) inside labels, which allows remote attackers to cause a
  denial of service (backend CPU consumption) via a crafted DNS query.

CVE-2016-5426 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5426):
  PowerDNS (aka pdns) Authoritative Server before 3.4.10 allows remote
  attackers to cause a denial of service (backend CPU consumption) via a long
  qname.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-11-18 23:25:44 UTC
GLSA Vote: No