PowerDNS Security Advisory 2017-07: Memory leak in DNSSEC parsing¶

• CVE: CVE-2017-15094

• Date: November 27th 2017

• Credit: Nixu

• Affects: PowerDNS Recursor from 4.0.0 up to and including 4.0.6

• Not affected: PowerDNS Recursor 4.0.7

• Severity: Medium

• Impact: Denial of service

• Exploit: This problem can be triggered by an authoritative server sending crafted ECDSA DNSSEC keys to the Recursor.

• Risk of system compromise: No

• Solution: Upgrade to a non-affected version

• Workaround: Disable DNSSEC validation by setting the dnssec parameter to off or process-no-validate (default).

An issue has been found in the DNSSEC parsing code of PowerDNS Recursor during a code audit by Nixu, leading to a memory leak when parsing specially crafted DNSSEC ECDSA keys. These keys are only parsed when validation is enabled by setting dnssec to a value other than off or process-no-validate (default). This issue has been assigned CVE-2017-15094.

PowerDNS Recursor from 4.0.0 up to and including 4.0.6 are affected.

For those unable to upgrade to a new version, a minimal patch is available

We would like to thank Nixu for finding and subsequently reporting this issue.