Bug 998159 (CVE-2016-5426) - VUL-0: CVE-2016-5426, CVE-2016-5427: pdns, pdns-recursor: Crafted queries can cause unexpected backend load
Summary: VUL-0: CVE-2016-5426, CVE-2016-5427: pdns, pdns-recursor: Crafted queries can...
Status: RESOLVED FIXED
Alias: CVE-2016-5426
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-09 12:45 UTC by Adam Majer
Modified: 2016-12-22 11:32 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Adam Majer 2016-09-09 12:45:03 UTC 
from: https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/

----

PowerDNS Security Advisory 2016-01: Crafted queries can cause unexpected backend load

    CVE: CVE-2016-5426, CVE-2016-5427
    Date: 9th of September 2016
    Credit: Florian Heinz and Martin Kluge
    Affects: PowerDNS Authoritative Server up to and including 3.4.9
    Not affected: PowerDNS Authoritative Server 3.4.10, 4.x
    Severity: Medium
    Impact: Degraded service or Denial of service
    Exploit: This problem can be triggered by sending specially crafted query packets
    Risk of system compromise: No
    Solution: Upgrade to a non-affected version
    Workaround: Run dnsdist with the rules provided below in front of potentially affected servers, or dimension the backend capacity so that it can handle the increased load.

Two issues have been found in PowerDNS Authoritative Server allowing a remote, unauthenticated attacker to cause an abnormal load on the PowerDNS backend by sending crafted DNS queries, which might result in a partial denial of service if the backend becomes overloaded. SQL backends for example are particularly vulnerable to this kind of unexpected load if they have not been dimensioned for it. The first issue is based on the fact that PowerDNS Authoritative Server accepts queries with a qname's length larger than 255 bytes. This issue has been assigned CVE-2016-5426. The second issue is based on the fact that PowerDNS Authoritative Server does not properly handle dot inside labels. This issue has been assigned CVE-2016-5427. Both issues have been addressed by this commit.

https://github.com/PowerDNS/pdns/commit/881b5b03a590198d03008e4200dd00cc537712f3

PowerDNS Authoritative Server up to and including 3.4.9 is affected. No other versions are affected. The PowerDNS Recursor is not affected.

dnsdist can be used to block crafted queries, using QNameWireLengthRule() to block queries with a qname larger than 255 bytes and QNameLabelsCountRule() to block queries with a very large amount of labels. Please note that restricting the number of labels in a query might lead to unexpected issues, especially with DNSSEC-enabled domains.

We'd like to thank Florian Heinz and Martin Kluge for finding and subsequently reporting this issue.

----

Looks like it affects all versions of PowerDNS Authoritative server, including factory.
Comment 2 Bernhard Wiedemann 2016-09-09 14:00:53 UTC 
This is an autogenerated message for OBS integration:
This bug (998159) was mentioned in
https://build.opensuse.org/request/show/426156 13.2+42.1 / pdns
Comment 4 Swamp Workflow Management 2016-09-23 13:11:49 UTC 
openSUSE-SU-2016:2354-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 998159
CVE References: CVE-2016-5426,CVE-2016-5427
Sources used:
openSUSE Leap 42.1 (src):    pdns-3.4.6-6.2
openSUSE 13.2 (src):    pdns-3.3.1-2.9.1
Comment 7 Marcus Meissner 2016-12-22 11:32:59 UTC 
released