Previous topic

PowerDNS Security Advisory 2019-03: Insufficient validation in the HTTP remote backend

Next topic

PowerDNS Security Advisory 2019-05: Denial of service via NOTIFY packets

This Page

PowerDNS Security Advisory 2019-04: Denial of service via crafted zone records

  • CVE: CVE-2019-10162
  • Date: June 21st 2019
  • Affects: PowerDNS Authoritative up to and including 4.1.9
  • Not affected: 4.1.10, 4.0.8
  • Severity: Medium
  • Impact: Denial of Service
  • Exploit: This problem can be triggered via crafted records
  • Risk of system compromise: No
  • Solution: Upgrade to a non-affected version
  • Workaround: run the process inside the guardian or inside a supervisor

An issue has been found in PowerDNS Authoritative Server allowing an authorized user to cause the server to exit by inserting a crafted record in a MASTER type zone under their control. The issue is due to the fact that the Authoritative Server will exit when it runs into a parsing error while looking up the NS/A/AAAA records it is about to use for an outgoing notify.

This issue has been assigned CVE-2019-10162.

PowerDNS Authoritative up to and including 4.1.9 is affected. Please note that at the time of writing, PowerDNS Authoritative 3.4 and below are no longer supported, as described in https://doc.powerdns.com/authoritative/appendices/EOL.html.

We would like to thank Gert van Dijk for finding and subsequently reporting this issue!