Several Security Flaws Have Been Patched In PowerDNS (used by millions)

Share if you likedShare on Facebook0Share on Google+0Tweet about this on TwitterShare on LinkedIn3

PowerDNS is an advanced, high-performance authoritative nameserver compatible with a number of backends. The Open source DNS software company has released security updates and patches for its Authoritative Server and Recursor products to fix five security vulnerabilities.

The vulnerabilities tracked sequentially from CVE-2017-15090 to CVE-2017-15094, can’t compromise the system, but it can be used to modify the content of records, cause Denial of Service (DoS), modifying the content of web interfaces, change configurations, and also cause a memory leak.

CVE-2017-15091:
It’s the only one that affects the PowerDNS Authoritative server, which can be exploited only by attackers who obtained a valid API credential.

CVE-2017-15090:
PowerDNS Recursor versions 4.0.0 through 4.0.6 are vulnerable to a DNSSEC validation issue, this flaw can only be exploited by a man-in-the-middle (MitM) attacker to issue a valid signature and alter DNS records.

CVE-2017-15093:
The Recursor is also affected by a vulnerability that enables an authenticated attacker to inject new directives into its configuration.

CVE-2017-15094:
It’s a DoS vulnerability caused by a memory leak that can happen when parsing especially crafted DNSSEC ECDSA keys.

CVE-2017-15092:
This is an XSS vulnerability that enables a remote attacker to inject arbitrary HTML and JavaScript code into the Recursor web interface.

Users are recommended to patch their products ASAP.

Share if you likedShare on Facebook0Share on Google+0Tweet about this on TwitterShare on LinkedIn3
The following two tabs change content below.

Eslam Medhat

is a professional pen-tester with over 9 years of IT experience bringing a strong background in programming languages and application security, ranging from network and system administration to exploit research and development. He reported various vulnerabilities for high profile companies and vendors and was successfully acknowledged by them.

Latest posts by Eslam Medhat (see all)

Eslam Medhat

is a professional pen-tester with over 9 years of IT experience bringing a strong background in programming languages and application security, ranging from network and system administration to exploit research and development. He reported various vulnerabilities for high profile companies and vendors and was successfully acknowledged by them.

Leave a Reply