Arch Linux Security Advisory ASA-202204-11

Severity: Low
Date : 2022-04-15
CVE-ID : CVE-2022-27227
Package : powerdns
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-2655

Summary

The package powerdns before version 4.6.1-1 is vulnerable to denial of
service.

Resolution

Upgrade to 4.6.1-1.

pacman -Syu “powerdns>=4.6.1-1”

The problem has been fixed upstream in version 4.6.1.

Workaround

None.

Description

A denial of service issue has been found in PowerDNS Authoritative
Server and PowerDNS Recursor before 4.6.1.
IXFR usually exchanges only the modifications between two versions of a
zone, but sometimes needs to fall back to a full transfer of the
current version. When IXFR falls back to a full zone transfer, an
attacker in position of man-in-the-middle can cause the transfer to be
prematurely interrupted. This interrupted transfer is mistakenly
interpreted as a complete transfer, causing an incomplete zone to be
processed. For the Authoritative Server, IXFR transfers are not enabled
by default. The Recursor only uses IXFR for retrieving RPZ zones. An
incomplete RPZ transfer results in missing policy entries, potentially
causing some DNS names and IP addresses to not be properly intercepted.

Impact

When IXFR transfers are enabled for a zone, an attacker-in-the-middle
might be able to interrupt a transfer in a way that an incomplete DNS
zone is processed, leading to missing records.

References

https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html
https://security.archlinux.org/CVE-2022-27227