
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Buffer overflow in PowerDNS Recursor 3.1.3 and earlier might allow remote attackers to execute arbitrary code via a malformed TCP DNS query that prevents the Recursor from properly calculating the TCP DNS query length. Only the Recursor is affected; the authoritative PowerDNS server is not (the remote Nessus check below exits unless the detected instance is a recursor). This vulnerability is addressed in PowerDNS Recursor 3.1.4. Distributions may instead ship a backported fix under an older version number (for example Debian sarge's pdns-recursor 2.9.17-13sarge3), so a banner-based version check alone is not conclusive — prefer the package-level checks where they apply.

Nessus

  • NASL familyDNS
    NASL idPOWERDNS_RECURSOR_3_1_4.NASL
    descriptionAccording to its self-reported version number, the version of the PowerDNS Recursor listening on the remote host is version 3.x prior to 3.1.4. It is, therefore, affected by multiple vulnerabilities : - A buffer overflow condition exists that allows a remote attacker, via a specially crafted TCP DNS query, to prevent the Recursor from properly calculating the TCP DNS query length, resulting in a denial of service condition. (CVE-2006-4251) - A denial of service vulnerability exists that allows a remote attacker, via a CNAME record with a zero TTL, to cause a resource exhaustion, resulting in an application crash. (CVE-2006-4252) Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number. Note also that this plugin text rates CVE-2006-4251 as a denial of service only; the CVE summary and the vendor and distribution advisories quoted on this page describe the same malformed TCP query as potentially leading to arbitrary code execution, which is what the C:P/I:P/A:P base vector reflects.
    last seen2020-06-01
    modified2020-06-02
    plugin id87949
    published2016-01-15
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/87949
    titlePowerDNS Recursor 3.x < 3.1.4 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration block: runs when the scanner loads the plugin and only
    # declares metadata. The version check itself follows after the closing
    # brace, so nothing in here touches the target.
    if (description)
    {
     script_id(87949);
     script_version("1.3");
     script_cvs_date("Date: 2018/07/25 18:58:03");
    
     # Both issues are fixed in the same Recursor release (3.1.4); 21037 is
     # the BugTraq reference attached to this plugin.
     script_cve_id("CVE-2006-4251", "CVE-2006-4252");
     script_bugtraq_id(21037);
    
     script_name(english:"PowerDNS Recursor 3.x < 3.1.4 Multiple Vulnerabilities");
     script_summary(english:"Checks the PowerDNS Recursor version.");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote name server is affected by multiple vulnerabilities.");
     # NOTE(review): the text below rates CVE-2006-4251 as a denial of
     # service only; the CVE summary and the Debian/SUSE advisories for the
     # same bug describe the malformed TCP query as potentially executing
     # arbitrary code, which is what the C:P/I:P/A:P base vector declared
     # further down encodes. Treat a hit as possible remote code execution,
     # not merely a crash.
     script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the version of the
    PowerDNS Recursor listening on the remote host is version 3.x prior to
    3.1.4. It is, therefore, affected by multiple vulnerabilities :
    
      - A buffer overflow condition exists that allows a remote
      	attacker, via a specially crafted TCP DNS query, to
      	prevent the Recursor from properly calculating the TCP
      	DNS query length, resulting in a denial of service
      	condition. (CVE-2006-4251)
    
      - A denial of service vulnerability exists that allows a
      	remote attacker, via a CNAME record with a zero TTL, to
      	cause a resource exhaustion, resulting in an application
      	crash. (CVE-2006-4252)
    
    Note that Nessus has not attempted to exploit these issues but has
    instead relied only on the application's self-reported version number.
    Also, Nessus has not checked for the presence of the patches or a
    workaround.");
     # Vendor advisories; presumably 2006-01 covers the TCP overflow and
     # 2006-02 the zero-TTL CNAME issue (same order as the CVE list above) --
     # verify against the advisory pages.
     script_set_attribute(attribute:"see_also", value:"https://doc.powerdns.com/md/security/powerdns-advisory-2006-01/");
     script_set_attribute(attribute:"see_also", value:"https://doc.powerdns.com/md/security/powerdns-advisory-2006-02/");
     script_set_attribute(attribute:"solution", value:
    "Upgrade to PowerDNS Recursor 3.1.4 or later. Alternatively, apply the
    patch referenced in the vendor advisory.");
      # CVSSv2 7.5: network vector, low complexity, no authentication,
      # partial confidentiality/integrity/availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date",value:"2006/11/13");
     script_set_attribute(attribute:"patch_publication_date",value:"2006/11/13");
     script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/15");
    
     # A banner match is not proof of exposure: a backported fix does not
     # change the version string. The check below therefore only reports in
     # paranoid mode (hence the Settings/ParanoidReport key requirement).
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     # Both CPEs are listed because the banner probe may match either
     # product; the check below exits unless pdns/type is 'recursor'.
     script_set_attribute(attribute:"cpe", value:"cpe:/a:powerdns:powerdns");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:powerdns:recursor");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
    
     script_family(english:"DNS");
     # pdns_version.nasl populates the pdns/* KB keys consumed by the check.
     script_dependencies("pdns_version.nasl");
     script_require_keys("pdns/version", "pdns/version_full", "pdns/version_source", "pdns/type", "Settings/ParanoidReport");
     exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    app_name = "PowerDNS Recursor";
    port     = 53;
    fix      = '3.1.4';
    
    # Every fact used here comes from the banner collected by pdns_version.nasl;
    # this plugin sends nothing to the target and cannot trigger the TCP bug.
    version_source = get_kb_item_or_exit("pdns/version_source");
    version_full   = get_kb_item_or_exit("pdns/version_full");
    version        = get_kb_item_or_exit("pdns/version");
    type           = get_kb_item_or_exit("pdns/type");
    
    # The authoritative server shares the banner probe but is not affected;
    # only the Recursor is in scope.
    if (type != 'recursor') audit(AUDIT_NOT_LISTEN, app_name, port, "UDP");
    if (version == UNKNOWN_VER) audit(AUDIT_UNKNOWN_APP_VER, app_name);
    
    # A backported fix keeps the old version string, so the finding is only
    # reported when the scan policy opts into paranoid results.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # Flagged range is 3.0 <= version < 3.1.4. The CVE summary covers
    # "3.1.3 and earlier", but pre-3.x Recursors are deliberately out of
    # scope for this plugin.
    if (version !~ "^3\.")
      audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version_full, "UDP");
    if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)
      audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version_full, "UDP");
    
    # Report on 53/udp (the port the banner was obtained from); add the
    # version details only when the policy asks for a verbose report.
    if (report_verbosity <= 0)
    {
      security_hole(port:port, proto:"udp");
    }
    else
    {
      details =
        '\n  Version source    : ' + version_source +
        '\n  Installed version : ' + version_full +
        '\n  Fixed version     : ' + fix +
        '\n';
      security_hole(port:port, proto:"udp", extra:details);
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1211.NASL
    descriptionIt was discovered that malformed TCP packets may lead to denial of service and possibly the execution of arbitrary code if the PowerDNS nameserver acts as a recursive nameserver.
    last seen2020-06-01
    modified2020-06-02
    plugin id23660
    published2006-11-20
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23660
    titleDebian DSA-1211-1 : pdns - buffer overflow
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1211. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration block: metadata only; the dpkg comparison follows after the
    # closing brace.
    if (description)
    {
      script_id(23660);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      # DSA-1211 addresses only the TCP length-calculation overflow.
      script_cve_id("CVE-2006-4251");
      script_xref(name:"DSA", value:"1211");
    
      script_name(english:"Debian DSA-1211-1 : pdns - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      # Debian's wording keeps the code-execution possibility, unlike the
      # DoS-only description used in the remote banner plugin (87949).
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that malformed TCP packets may lead to denial of
    service and possibly the execution of arbitrary code if the PowerDNS
    nameserver acts as a recursive nameserver."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1211"
      );
      # NOTE(review): the sarge fix is a backport, so a patched daemon still
      # reports a 2.9.x version string. The etch fix (3.1.4-1) is mentioned
      # here but the package checks below only test release 3.1 (sarge); an
      # etch host is not evaluated by this plugin.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the PowerDNS packages.
    
    For the stable distribution (sarge) this problem has been fixed in
    version 2.9.17-13sarge3.
    
    For the upcoming stable distribution (etch) this problem has been
    fixed in version 3.1.4-1 of pdns-recursor."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:pdns");
      # 3.1 is the sarge release string matched by deb_check() below.
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/20");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # Package data is gathered over SSH by ssh_get_info.nasl.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Local check: needs credentialed access and a collected dpkg listing.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Every binary package built from the sarge pdns source was rebuilt with
    # the backported fix in the same upload, so one reference version covers
    # the whole list. Only release 3.1 (sarge) is tested here.
    fixed_release = "3.1";
    fixed_version = "2.9.17-13sarge3";
    packages = make_list(
      "pdns",
      "pdns-backend-geo",
      "pdns-backend-ldap",
      "pdns-backend-mysql",
      "pdns-backend-pgsql",
      "pdns-backend-pipe",
      "pdns-backend-sqlite",
      "pdns-doc",
      "pdns-recursor",
      "pdns-server"
    );
    
    # Count installed packages older than the fixed version.
    outdated = 0;
    foreach pkg (packages)
    {
      if (deb_check(release:fixed_release, prefix:pkg, reference:fixed_version)) outdated++;
    }
    
    if (!outdated) audit(AUDIT_HOST_NOT, "affected");
    
    # deb_report_get() returns the per-package comparison gathered above.
    if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
    else security_hole(0);
    exit(0);
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2006_070.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2006:070 (pdns). Two security problems that have been found in PowerDNS are fixed by this update: CVE-2006-4251: The PowerDNS Recursor can be made to crash by sending malformed questions to it over TCP potentially executing code. CVE-2006-4252: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space and crash.
    last seen2019-10-28
    modified2007-02-18
    plugin id24447
    published2007-02-18
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24447
    titleSUSE-SA:2006:070: pdns
  • NASL familySuSE Local Security Checks
    NASL idSUSE_PDNS-2275.NASL
    descriptionTwo security problems that have been found in PowerDNS are fixed by this update : CVE-2006-4251: The PowerDNS Recursor can be made to crash by sending malformed questions to it over TCP potentially executing code. CVE-2006-4252: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash.
    last seen2020-06-01
    modified2020-06-02
    plugin id27386
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27386
    titleopenSUSE 10 Security Update : pdns (pdns-2275)