PowerDNS Security Advisory 2017-07: Memory leak in DNSSEC parsing

  • CVE: CVE-2017-15094
  • Date: November 27th 2017
  • Credit: Nixu
  • Affects: PowerDNS Recursor from 4.0.0 up to and including 4.0.6
  • Not affected: PowerDNS Recursor 4.0.7
  • Severity: Medium
  • Impact: Denial of service
  • Exploit: This problem can be triggered by an authoritative server sending crafted ECDSA DNSSEC keys to the Recursor.
  • Risk of system compromise: No
  • Solution: Upgrade to a non-affected version
  • Workaround: Disable DNSSEC validation by setting the dnssec parameter to off or process-no-validate (default).

An issue has been found in the DNSSEC parsing code of PowerDNS Recursor during a code audit by Nixu, leading to a memory leak when parsing specially crafted DNSSEC ECDSA keys. These keys are only parsed when validation is enabled by setting dnssec to a value other than off or process-no-validate (default). This issue has been assigned CVE-2017-15094.

PowerDNS Recursor from 4.0.0 up to and including 4.0.6 are affected.

For those unable to upgrade to a new version, a minimal patch is available

We would like to thank Nixu for finding and subsequently reporting this issue.