From: Remi Gacogne Date: Mon, 13 May 2024 07:51:42 +0000 (+0200) Subject: dnsdist: Add security advisory 2024-03 for DNSdist X-Git-Tag: rec-5.1.0-alpha1~6^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b2f000d607fa5f319f13af299532be07ab8c7d88;p=thirdparty%2Fpdns.git dnsdist: Add security advisory 2024-03 for DNSdist --- diff --git a/pdns/dnsdistdist/docs/security-advisories/powerdns-advisory-for-dnsdist-2024-03.rst b/pdns/dnsdistdist/docs/security-advisories/powerdns-advisory-for-dnsdist-2024-03.rst new file mode 100644 index 0000000000..a477121392 --- /dev/null +++ b/pdns/dnsdistdist/docs/security-advisories/powerdns-advisory-for-dnsdist-2024-03.rst 
@@ -0,0 +1,27 @@ +PowerDNS Security Advisory 2024-03: Transfer requests received over DoH can lead to a denial of service in DNSdist +================================================================================================================== + +- CVE: CVE-2024-25581 +- Date: May 13th 2024 +- Affects: PowerDNS DNSdist 1.9.0, 1.9.1, 1.9.2 and 1.9.3, earlier versions are not affected +- Not affected: PowerDNS DNSdist 1.9.4 +- Severity: High (only in specific configurations, see below) +- Impact: Denial of service +- Exploit: This problem can be triggered by a remote, unauthenticated attacker sending a DNS query +- Risk of system compromise: None +- Solution: Upgrade to patched version or apply the workaround described below + +When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or +DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer +(AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service. +DNS over HTTPS is not enabled by default, and backends are using plain DNS (Do53) by default. + +`CVSS Score: 7.5 `__, only for configurations where incoming DoH is enabled and a TCP-only/DoT backend is enabled. + +Two workarounds are available: +- refuse incoming XFR requests via a DNSdist rule: ``addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))`` +- switch to the legacy h2o provider by setting ``library='h2o'`` in the ``addDOHLocal`` directive + +For those unable to upgrade to a new version, a minimal patch is `available for 1.9.3 `__ + +We would like to thank Daniel Stirnimann from Switch for finding and subsequently reporting this issue.
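Review bot: the bullet list under ``Two workarounds are available:`` follows its introducing line without a blank line, so reStructuredText will fold the two ``- `` items into the preceding paragraph instead of rendering them as a list; add a blank line after ``Two workarounds are available:``. The two anonymous hyperlinks, ```CVSS Score: 7.5 `__`` and ```available for 1.9.3 `__``, show no ``<url>`` target in the hunk as displayed here, so confirm the targets are present in the committed file before it is published. Minor style points: the ``Affects:`` line reads better as "1.9.0, 1.9.1, 1.9.2 and 1.9.3; earlier versions are not affected", the backend type is spelled both ``tcp-only`` and ``TCP-only`` within the same advisory, and the sentence ending ``patch is `available for 1.9.3 `__`` is missing its terminating period.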