PowerDNS Security Advisory 2017-06: Configuration file injection in the API

  • CVE: CVE-2017-15093
  • Date: November 27th 2017
  • Credit: Nixu
  • Affects: PowerDNS Recursor up to and including 4.0.6, 3.7.4
  • Not affected: PowerDNS Recursor 4.0.7
  • Severity: Medium
  • Impact: Alteration of configuration by an API user
  • Exploit: This problem can be triggered by an attacker with valid API credentials
  • Risk of system compromise: No
  • Solution: Upgrade to a non-affected version
  • Workaround: Disable the ability to alter the configuration via the API by setting api-config-dir to an empty value (default), or set the API read-only via the api-readonly setting.

An issue has been found in the API of PowerDNS Recursor during a source code audit by Nixu. When api-config-dir is set to a non-empty value, which is not the case by default, the API allows an authorized user to update the Recursor’s ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor’s configuration. This issue has been assigned CVE-2017-15093.

PowerDNS Recursor up to and including 4.0.6 and 3.7.4 are affected.

For those unable to upgrade to a new version, a minimal patch is available

We would like to thank Nixu for finding and subsequently reporting this issue.