An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer, allowing an attacker to bypass DNSSEC validation.
Weakness
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Recursor | Powerdns | 4.1.0 (including) | 4.3.0 (including) |
| Pdns-recursor | Ubuntu | bionic | * |
| Pdns-recursor | Ubuntu | eoan | * |
| Pdns-recursor | Ubuntu | focal | * |
| Pdns-recursor | Ubuntu | trusty | * |
| Pdns-recursor | Ubuntu | xenial | * |
Related Attack Patterns
References
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00052.html
- http://www.openwall.com/lists/oss-security/2020/05/19/3
- https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMP72NJGKBWR5WEBXAWX5KSLQUDFTG6S/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PS4ZN5XGENYNFKX7QIIOUCQQHXE37GJF/
- https://www.debian.org/security/2020/dsa-4691
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00052.html
- http://www.openwall.com/lists/oss-security/2020/05/19/3
- https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMP72NJGKBWR5WEBXAWX5KSLQUDFTG6S/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PS4ZN5XGENYNFKX7QIIOUCQQHXE37GJF/
- https://www.debian.org/security/2020/dsa-4691