CVE-2006-4251 - Unspecified vulnerability in Powerdns Recursor

Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

powerdns
nessus
Summary
Buffer overflow in PowerDNS Recursor 3.1.3 and earlier might allow remote attackers to execute arbitrary code via a malformed TCP DNS query that prevents Recursor from properly calculating the TCP DNS query length.
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | | 12
Nessus
NASL family: DNS
NASL id: POWERDNS_RECURSOR_3_1_4.NASL
description: According to its self-reported version number, the version of the PowerDNS Recursor listening on the remote host is version 3.x prior to 3.1.4. It is, therefore, affected by multiple vulnerabilities:
- A buffer overflow condition exists that allows a remote attacker, via a specially crafted TCP DNS query, to prevent the Recursor from properly calculating the TCP DNS query length, resulting in a denial of service condition. (CVE-2006-4251)
- A denial of service vulnerability exists that allows a remote attacker, via a CNAME record with a zero TTL, to cause a resource exhaustion, resulting in an application crash. (CVE-2006-4252)
Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 87949
published: 2016-01-15
reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/87949
title: PowerDNS Recursor 3.x < 3.1.4 Multiple Vulnerabilities
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(87949);
  script_version("1.3");
  script_cvs_date("Date: 2018/07/25 18:58:03");

  script_cve_id("CVE-2006-4251", "CVE-2006-4252");
  script_bugtraq_id(21037);

  script_name(english:"PowerDNS Recursor 3.x < 3.1.4 Multiple Vulnerabilities");
  script_summary(english:"Checks the PowerDNS Recursor version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote name server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the version of the
PowerDNS Recursor listening on the remote host is version 3.x prior to
3.1.4. It is, therefore, affected by multiple vulnerabilities :

  - A buffer overflow condition exists that allows a remote
    attacker, via a specially crafted TCP DNS query, to
    prevent the Recursor from properly calculating the TCP
    DNS query length, resulting in a denial of service
    condition. (CVE-2006-4251)

  - A denial of service vulnerability exists that allows a
    remote attacker, via a CNAME record with a zero TTL, to
    cause a resource exhaustion, resulting in an application
    crash. (CVE-2006-4252)

Note that Nessus has not attempted to exploit these issues but has
instead relied only on the application's self-reported version number.
Also, Nessus has not checked for the presence of the patches or a
workaround.");
  script_set_attribute(attribute:"see_also", value:"https://doc.powerdns.com/md/security/powerdns-advisory-2006-01/");
  script_set_attribute(attribute:"see_also", value:"https://doc.powerdns.com/md/security/powerdns-advisory-2006-02/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PowerDNS Recursor 3.1.4 or later.

Alternatively, apply the patch referenced in the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/11/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/15");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:powerdns:powerdns");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:powerdns:recursor");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
  script_family(english:"DNS");

  script_dependencies("pdns_version.nasl");
  script_require_keys("pdns/version", "pdns/version_full", "pdns/version_source", "pdns/type", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Version data is collected by the pdns_version.nasl dependency and read
# back from the knowledge base; this plugin never sends a crafted query.
app_name = "PowerDNS Recursor";
version_source = get_kb_item_or_exit("pdns/version_source");
version_full = get_kb_item_or_exit("pdns/version_full");
version = get_kb_item_or_exit("pdns/version");
fix = '3.1.4';
port = 53;

# Only the Recursor is affected
type = get_kb_item_or_exit("pdns/type");
if (type != 'recursor') audit(AUDIT_NOT_LISTEN, app_name, port, "UDP");

if (version == UNKNOWN_VER) audit(AUDIT_UNKNOWN_APP_VER, app_name);

# The check is version-based only, so it runs solely in paranoid mode.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Vulnerable range: 3.x below 3.1.4.
if (version !~ "^3\." || (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0))
  audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version_full, "UDP");

if (report_verbosity > 0)
{
  report =
    '\n  Version source    : ' + version_source +
    '\n  Installed version : ' + version_full +
    '\n  Fixed version     : ' + fix +
    '\n';
  security_hole(port:port, proto:"udp", extra:report);
}
else security_hole(port:port, proto:"udp");
```
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-1211.NASL
description: It was discovered that malformed TCP packets may lead to denial of service and possibly the execution of arbitrary code if the PowerDNS nameserver acts as a recursive nameserver.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 23660
published: 2006-11-20
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/23660
title: Debian DSA-1211-1 : pdns - buffer overflow
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1211. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(23660);
  script_version("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:20");

  script_cve_id("CVE-2006-4251");
  script_xref(name:"DSA", value:"1211");

  script_name(english:"Debian DSA-1211-1 : pdns - buffer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"It was discovered that malformed TCP packets may lead to denial of
service and possibly the execution of arbitrary code if the PowerDNS
nameserver acts as a recursive nameserver."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2006/dsa-1211"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the PowerDNS packages.

For the stable distribution (sarge) this problem has been fixed in
version 2.9.17-13sarge3.

For the upcoming stable distribution (etch) this problem has been fixed
in version 3.1.4-1 of pdns-recursor."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:pdns");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/11/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/20");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Local check: requires credentialed access and a dpkg package list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Flag any sarge (Debian 3.1) pdns package older than the fixed revision.
flag = 0;
if (deb_check(release:"3.1", prefix:"pdns", reference:"2.9.17-13sarge3")) flag++;
if (deb_check(release:"3.1", prefix:"pdns-backend-geo", reference:"2.9.17-13sarge3")) flag++;
if (deb_check(release:"3.1", prefix:"pdns-backend-ldap", reference:"2.9.17-13sarge3")) flag++;
if (deb_check(release:"3.1", prefix:"pdns-backend-mysql", reference:"2.9.17-13sarge3")) flag++;
if (deb_check(release:"3.1", prefix:"pdns-backend-pgsql", reference:"2.9.17-13sarge3")) flag++;
if (deb_check(release:"3.1", prefix:"pdns-backend-pipe", reference:"2.9.17-13sarge3")) flag++;
if (deb_check(release:"3.1", prefix:"pdns-backend-sqlite", reference:"2.9.17-13sarge3")) flag++;
if (deb_check(release:"3.1", prefix:"pdns-doc", reference:"2.9.17-13sarge3")) flag++;
if (deb_check(release:"3.1", prefix:"pdns-recursor", reference:"2.9.17-13sarge3")) flag++;
if (deb_check(release:"3.1", prefix:"pdns-server", reference:"2.9.17-13sarge3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: SuSE Local Security Checks
NASL id: SUSE_SA_2006_070.NASL
description: The remote host is missing the patch for the advisory SUSE-SA:2006:070 (pdns). Two security problems that have been found in PowerDNS are fixed by this update:
- CVE-2006-4251: The PowerDNS Recursor can be made to crash by sending malformed questions to it over TCP, potentially executing code.
- CVE-2006-4252: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space and crash.
last seen: 2019-10-28
modified: 2007-02-18
plugin id: 24447
published: 2007-02-18
reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/24447
title: SUSE-SA:2006:070: pdns

NASL family: SuSE Local Security Checks
NASL id: SUSE_PDNS-2275.NASL
description: Two security problems that have been found in PowerDNS are fixed by this update:
- CVE-2006-4251: The PowerDNS Recursor can be made to crash by sending malformed questions to it over TCP, potentially executing code.
- CVE-2006-4252: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space and crash.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 27386
published: 2007-10-17
reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/27386
title: openSUSE 10 Security Update : pdns (pdns-2275)
References
- http://doc.powerdns.com/powerdns-advisory-2006-01.html
- http://www.securityfocus.com/bid/21037
- http://secunia.com/advisories/22824
- http://www.debian.org/security/2006/dsa-1211
- http://lists.suse.com/archive/suse-security-announce/2006-Nov/0007.html
- http://secunia.com/advisories/22903
- http://secunia.com/advisories/22976
- http://www.vupen.com/english/advisories/2006/4484
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30270