Bug 2182849 (CVE-2023-26437) - CVE-2023-26437 pdns-recursor: Deterred spoofing attempts can lead to authoritative servers being marked unavailable
Summary: CVE-2023-26437 pdns-recursor: Deterred spoofing attempts can lead to authorit...
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2023-26437
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2182850 2182851
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-03-29 19:23 UTC by Pedro Sampaio
Modified: 2023-03-29 23:16 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-03-29 23:16:49 UTC
Embargoed:


Attachments (Terms of Use)

Description Pedro Sampaio 2023-03-29 19:23:30 UTC
From $URL:

PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritative servers being marked unavailable
CVE: CVE-2023-26437
Date: 29th of March 2023
Affects: PowerDNS Recursor up to and including 4.6.5, 4.7.4 and 4.8.3
Not affected: PowerDNS Recursor 4.6.6, 4.7.5 and 4.8.4
Severity: Low
Impact: Denial of service
Exploit: Successful spoofing may lead to authoritative servers being marked unavailable
Risk of system compromise: None
Solution: Upgrade to patched version
When the recursor detects and deters a spoofing attempt or receives certain malformed DNS packets,
it throttles the server that was the target of the impersonation attempt so that other authoritative
servers for the same zone will be more likely to be used in the future, in case the attacker
controls the path to one server only. Unfortunately this mechanism can be used by an attacker with
the ability to send queries to the recursor, guess the correct source port of the corresponding
outgoing query and inject packets with a spoofed IP address to force the recursor to mark specific
authoritative servers as not available, leading a denial of service for the zones served by those
servers.

CVSS 3.0 score: 3.7 (Low)
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L

Thanks to Xiang Li from Network and Information Security Laboratory, Tsinghua University for reporting this issue.

Comment 1 Pedro Sampaio 2023-03-29 19:23:54 UTC
Created pdns-recursor tracking bugs for this issue:

Affects: epel-all [bug 2182851]
Affects: fedora-all [bug 2182850]

Comment 2 Product Security DevOps Team 2023-03-29 23:16:47 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.


Note You need to log in before you can comment on or make changes to this bug.