PowerDNS is an advanced, high-performance authoritative nameserver compatible with a number of backends. The Open source DNS software company has released security updates and patches for its Authoritative Server and Recursor products to fix five security vulnerabilities.
The vulnerabilities tracked sequentially from CVE-2017-15090 to CVE-2017-15094, can’t compromise the system, but it can be used to modify the content of records, cause Denial of Service (DoS), modifying the content of web interfaces, change configurations, and also cause a memory leak.
CVE-2017-15091:
It’s the only one that affects the PowerDNS Authoritative server, which can be exploited only by attackers who obtained a valid API credential.
CVE-2017-15090:
PowerDNS Recursor versions 4.0.0 through 4.0.6 are vulnerable to a DNSSEC validation issue, this flaw can only be exploited by a man-in-the-middle (MitM) attacker to issue a valid signature and alter DNS records.
CVE-2017-15093:
The Recursor is also affected by a vulnerability that enables an authenticated attacker to inject new directives into its configuration.
CVE-2017-15094:
It’s a DoS vulnerability caused by a memory leak that can happen when parsing especially crafted DNSSEC ECDSA keys.
CVE-2017-15092:
This is an XSS vulnerability that enables a remote attacker to inject arbitrary HTML and JavaScript code into the Recursor web interface.
Users are recommended to patch their products ASAP.
