PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes or CPU spikes
-------------------------------------------------------------------------------------------

- CVE: CVE-2015-1868 (original), CVE-2015-5470 (update)
- Date: 23rd of April 2015, updated 7th of July 2015
- Credit: Aki Tuomi, Toshifumi Sakaguchi
- Affects: PowerDNS Recursor versions 3.5 and up; Authoritative Server
  3.2 and up
- Not affected: Recursor 3.6.4; Recursor 3.7.3; Auth 3.3.3; Auth 3.4.5
- Severity: High
- Impact: Degraded service
- Exploit: This problem can be triggered by sending queries for
  specifically configured domains, or by sending specially crafted
  query packets
- Risk of system compromise: No
- Solution: Upgrade to any of the non-affected versions
- Workaround: Run your Recursor under a supervisor. Exposure can be
  limited by configuring the
  ```allow-from`` <../recursor/settings.md#allow-from>`__ setting so
  only trusted users can query your nameserver. There is no workaround
  for the Authoritative server.

A bug was discovered in our label decompression code, making it possible
for names to refer to themselves, thus causing a loop during
decompression. On some platforms, this bug can be abused to cause
crashes. On all platforms, this bug can be abused to cause
service-affecting CPU spikes.
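
The following C++ is an added example, not PowerDNS code and not the project's patch: it shows one generic way a name decompressor can guarantee termination, by accepting a compression pointer only when it targets an offset strictly before the start of the segment being read, and by enforcing the 255-byte name limit. The names ``decodeName``, ``withHeader``, ``sampleValid`` and ``sampleLooping`` are hypothetical, and the two messages are constructed samples.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical helper. Returns false for truncated, looping or over-long names.
bool decodeName(const std::vector<uint8_t>& msg, size_t pos, std::string& out) {
    out.clear();
    size_t segStart = pos;  // where the segment being walked began
    size_t wireLen = 1;     // encoded length so far, counting the root label
    for (;;) {
        if (pos >= msg.size()) return false;            // ran off the packet
        const uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                     // compression pointer
            if (pos + 1 >= msg.size()) return false;
            const size_t target = ((len & 0x3Fu) << 8) | msg[pos + 1];
            // A target at or after this segment's start can lead back to this
            // pointer. Strictly earlier targets shrink segStart on every hop.
            if (target >= segStart) return false;
            pos = segStart = target;
            continue;
        }
        if (len & 0xC0) return false;                   // reserved label types
        if (len == 0) { if (out.empty()) out = "."; return true; }
        if (pos + 1 + len > msg.size()) return false;   // truncated label
        if ((wireLen += 1 + len) > 255) return false;   // RFC 1035 name limit
        out.append(reinterpret_cast<const char*>(&msg[pos + 1]), len);
        out.push_back('.');
        pos += 1 + len;
    }
}

// Constructed samples: zeroed 12-byte header, then name data at offset 12.
std::vector<uint8_t> withHeader(std::vector<uint8_t> body) {
    body.insert(body.begin(), size_t(12), uint8_t(0));
    return body;
}
// "example.com." at offset 12, then "www" + pointer to 12 at offset 25.
std::vector<uint8_t> sampleValid() {
    return withHeader({7,'e','x','a','m','p','l','e',3,'c','o','m',0, 3,'w','w','w',0xC0,12}); }
// Label "a" at offset 12, then a pointer back to offset 12.
std::vector<uint8_t> sampleLooping() { return withHeader({1,'a',0xC0,12}); }
int main() {
    std::string n;
    const bool ok = decodeName(sampleValid(), 25, n);
    std::printf("valid: %d %s\n", ok, n.c_str());
    std::printf("looping rejected: %d\n", !decodeName(sampleLooping(), 12, n));
}
```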

We recommend that all users upgrade to a corrected version if at all
possible. Alternatively, if you want to apply a minimal fix to your own
tree, please `find patches
here <https://downloads.powerdns.com/patches/2015-01/>`__.

As for workarounds, for the Recursor: only clients in allow-from are
able to trigger the degraded service, so this should be limited to your
userbase; further, we recommend running your critical services under
supervision such as systemd, supervisord, daemontools, etc.

There is no workaround for the Authoritative Server.

We want to thank Aki Tuomi for noticing this in production, and then
digging until he got to the absolute bottom of what at the time appeared
to be a random and spurious failure.

We want to thank Toshifumi Sakaguchi for further investigation into the
issue after the initial announcement, and for demonstrating to us quite
clearly the CPU spike issues.

Update 7th of July 2015: Toshifumi Sakaguchi discovered that the
original fix was insufficient in some cases. Updated versions of the
Authoritative Server and Recursor `were
released <../changelog.md#powerdns-recursor-364>`__ on the 9th of June.
Minimal patches are
`available <http://downloads.powerdns.com/patches/2015-01/>`__. The
insufficient fix was assigned CVE-2015-5470.