Tuesday, November 14, 2006

Denial of Service Vulnerability in PowerDNS

Via heise Security News.

PowerDNS, a DNS server used in settings such as the Wikipedia project, has been found to contain two bugs that attackers could use to provoke a denial of service attack, or even potentially plant malicious code. PowerDNS is a powerful DNS server that can address various backends and data sources like BIND or MySQL server for name resolution and which can temporarily store the results in memory for quicker delivery during repeated enquiries.

An invalid calculation of the length of DNS queries via TCP can lead PowerDNS to attempt to read up to 4 gigabytes of storage into a 64 kb buffer. Attackers can also potentially compromise a system. The DNS server can also be brought into an infinite loop through a CNAME loop, presuming no second CNAME entry exists.

The bug affects PowerDNS 3.1.3 and prior versions. The PowerDNS developers are now making the source code for version 3.1.4 available; affected administrators should install the update.
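
The length bug described above, as an added example (not code from PowerDNS, heise or this post): DNS over TCP prefixes each message with a 2-byte big-endian length, and the block shows how an unchecked unsigned subtraction on that length wraps to nearly 4 GiB, next to the checks that reject such a frame. All function names and the sample frame are hypothetical, and the wrap is an assumed illustration of this bug class, not the actual PowerDNS defect.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_HDR_LEN 12u   /* fixed DNS header size (RFC 1035) */

/* Constructed sample: length prefix 0x000c followed by a 12-byte DNS header. */
const uint8_t sample_frame[14] = { 0x00, 0x0c,
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

/* Unchecked arithmetic (hypothetical, not PowerDNS code): when more bytes
 * were consumed than the frame declared, the unsigned subtraction wraps
 * to a value close to 4 GiB. */
uint32_t naive_remaining(uint16_t declared, uint32_t consumed)
{
    return (uint32_t)declared - consumed;
}

/* Checked version: returns 0 and sets *remaining, or -1 to drop the connection. */
int checked_remaining(uint16_t declared, size_t consumed, size_t buf_cap,
                      size_t *remaining)
{
    if (declared < DNS_HDR_LEN) return -1;   /* cannot hold a DNS header */
    if (declared > buf_cap)     return -1;   /* would not fit the buffer */
    if (consumed > declared)    return -1;   /* subtraction would wrap   */
    *remaining = (size_t)declared - consumed;
    return 0;
}

/* Extract one length-prefixed DNS message from the bytes received so far.
 * Returns 1 = message copied to out, 0 = need more data, -1 = reject. */
int dns_tcp_take_frame(const uint8_t *rx, size_t rx_len,
                       uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t need;
    uint16_t declared;

    if (rx_len < 2) return 0;                       /* prefix incomplete */
    declared = (uint16_t)((rx[0] << 8) | rx[1]);    /* big-endian length */
    if (checked_remaining(declared, 0, out_cap, &need) != 0) return -1;
    if (rx_len - 2 < need) return 0;                /* body incomplete   */
    memcpy(out, rx + 2, need);
    *out_len = need;
    return 1;
}
```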

More here.
