Vulnerabilities > CVE-2014-8601 - Resource Management Errors vulnerability in multiple products

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
debian
powerdns
CWE-399
nessus

Summary

PowerDNS Recursor before 3.6.2 does not limit delegation chaining, which allows remote attackers to cause a denial of service ("performance degradations") via a large or infinite number of referrals, as demonstrated by resolving domains hosted by ezdns.it.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-104.NASL
    description: Florian Maury from ANSSI discovered a flaw in pdns-recursor, a recursive DNS server : a remote attacker controlling maliciously-constructed zones or a rogue server could affect the performance of pdns-recursor, thus leading to resource exhaustion and a potential denial of service. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2015-03-26
    plugin id: 82088
    published: 2015-03-26
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/82088
    title: Debian DLA-104-1 : pdns-recursor security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-104-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration mode: this block runs only when `description` is set. It
    # declares the plugin's metadata and exits, so the package check further
    # down is not executed in this mode.
    if (description)
    {
      script_id(82088);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      # The one CVE and Bugtraq ID this advisory check is mapped to.
      script_cve_id("CVE-2014-8601");
      script_bugtraq_id(71545);
    
      script_name(english:"Debian DLA-104-1 : pdns-recursor security update");
      script_summary(english:"Checks dpkg output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      # The description text is quoted from the Debian LTS advisory (see the
      # NOTE at the end of the string).
      script_set_attribute(
        attribute:"description", 
        value:
    "Florian Maury from ANSSI discovered a flaw in pdns-recursor, a
    recursive DNS server : a remote attacker controlling
    maliciously-constructed zones or a rogue server could affect the
    performance of pdns-recursor, thus leading to resource exhaustion and
    a potential denial of service.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2014/12/msg00007.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/squeeze-lts/pdns-recursor"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the affected pdns-recursor package."
      );
      # CVSS v2 base vector: reachable over the network, low complexity, no
      # authentication, partial availability impact only (no confidentiality
      # or integrity impact).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      # Temporal vector: exploitability unproven, official fix available,
      # report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # "local" plugin: per the summary above, the verdict comes from dpkg
      # output rather than from probing the DNS service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      # Scope: the pdns-recursor package on Debian 6.0.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:pdns-recursor");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/12/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/26");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # Declares ssh_get_info.nasl as a dependency and requires these three KB
      # entries to be present before the plugin is run.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Stop early unless local checks are enabled, the host was identified as
    # Debian, and a dpkg package listing is in the KB. audit() ends the script.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))
      audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Compare the installed pdns-recursor on Debian 6.0 against the advisory's
    # reference version. This is a package-inventory comparison only; the
    # running resolver is never queried.
    outdated = 0;
    if (deb_check(release:"6.0", prefix:"pdns-recursor", reference:"3.2-4+deb6u1"))
      outdated++;
    
    # Nothing flagged: record the host as not affected and stop.
    if (!outdated) audit(AUDIT_HOST_NOT, "affected");
    
    # Report at warning severity; package details are attached only when the
    # scan's report verbosity is above zero.
    if (report_verbosity > 0)
      security_warning(port:0, extra:deb_report_get());
    else
      security_warning(0);
    exit(0);
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2014-798.NASL
    description: This pdns-recursor version update fixes the following security issue and non-security issues. Update to upstream release 3.6.2. - boo#906583: Degraded service through queries to specific domains (CVE-2014-8601) - Fixed broken _localstatedir Update to upstream release 3.6.1. - gab14b4f: expedite servfail generation for ezdns-like failures (fully abort query resolving if we hit more than 50 outqueries) - g42025be: PowerDNS now polls the security status of a release at startup and periodically. More detail on this feature, and how to turn it off, can be found in Section 2, 'Security polling'. […]
    last seen: 2020-06-05
    modified: 2014-12-23
    plugin id: 80211
    published: 2014-12-23
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/80211
    title: openSUSE Security Update : pdns-recursor (openSUSE-SU-2014:1685-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2014-798.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    # Registration mode: this block runs only when `description` is set. It
    # declares the plugin's metadata and exits, so the RPM check further down
    # is not executed in this mode.
    if (description)
    {
      script_id(80211);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      # Only one CVE is mapped to this update.
      script_cve_id("CVE-2014-8601");
    
      script_name(english:"openSUSE Security Update : pdns-recursor (openSUSE-SU-2014:1685-1)");
      script_summary(english:"Check for the openSUSE-2014-798 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      # The description is the package changelog for the jump to 3.6.2. Only the
      # boo#906583 entry is tagged with CVE-2014-8601; the remaining entries are
      # non-security changes carried by the same update.
      script_set_attribute(
        attribute:"description", 
        value:
    "This pdns-recursor version update fixes the following security issue
    and non secuirty issues.
    
    Update to upstream release 3.6.2.
    
      - boo#906583: Degraded service through queries to queries
        to specific domains (CVE-2014-8601)
    
      - Fixed broken _localstatedir
    
    Update to upstream release 3.6.1.
    
      - gab14b4f: expedite servfail generation for ezdns-like
        failures (fully abort query resolving if we hit more
        than 50 outqueries)
    
      - g42025be: PowerDNS now polls the security status of a
        release at startup and periodically. More detail on this
        feature, and how to turn it off, can be found in Section
        2, 'Security polling'.
    
      - g5027429: We did not transmit the right 'local' socket
        address to Lua for TCP/IP queries in the recursor. In
        addition, we would attempt to lookup a filedescriptor
        that wasn't there in an unlocked map which could
        conceivably lead to crashes. Closes t1828, thanks
        Winfried for reporting
    
      - g752756c: Sync embedded yahttp copy. API: Replace HTTP
        Basic auth with static key in custom header
    
      - g6fdd40d: add missing #include <pthread.h> to
        rec-channel.hh (this fixes building on OS X).
    
      - sync permissions/ownership of home and config dir with
        the pdns package
    
      - added systemd support for 12.3 and newer
    
    Update to upstrean release 3.5.3.
    
      - This is a bugfix and performance update to 3.5.2. It
        brings serious performance improvements for dual stack
        users. For all the details see
        http://doc.powerdns.com/html/changelog.html#changelog-re
        cursor-3.5.3
    
      - Remove patch (pdns-recursor-3.3_config.patch)
    
      - Add patch (pdns-recursor-3.5.3_config.patch)
    
    Update to upstrean release 3.5.2.
    
      - Responses without the QR bit set now get matched up to
        an outstanding query, so that resolution can be aborted
        early instead of waiting for a timeout.
    
      - The depth limiter changes in 3.5.1 broke some legal
        domains with lots of indirection.
    
      - Slightly improved logging to aid debugging.
    
    Update to upstream version 3.5.1.
    
      - This is a stability and bugfix update to 3.5. It
        contains important fixes that improve operation for
        certain domains. This is a stability, security and
        bugfix update to 3.3/3.3.1. It contains important fixes
        for slightly broken domain names, which your users
        expect to work anyhow. For all details see
        http://doc.powerdns.com/html/changelog.html#changelog-re
        cursor-3.5.1
    
      - adapted patches: pdns-rec-lua52.patch
        pdns-recursor-3.5.1_config.patch
    
      - fixed conditional for different lua versions
    
      - started some basic support to build packages for non
        suse distros"
      );
      # http://doc.powerdns.com/html/changelog.html#changelog-recursor-3.5.1
      script_set_attribute(
        attribute:"see_also",
        value:"https://doc.powerdns.com/md/changelog/#changelog-recursor-3.5.1"
      );
      # http://doc.powerdns.com/html/changelog.html#changelog-recursor-3.5.3
      script_set_attribute(
        attribute:"see_also",
        value:"https://doc.powerdns.com/md/changelog/#changelog-recursor-3.5.3"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=906583"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2014-12/msg00084.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected pdns-recursor packages."
      );
      # CVSS v2 base vector: reachable over the network, low complexity, no
      # authentication, partial availability impact only. This plugin sets no
      # temporal vector and no exploit-availability attributes.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      # "local" plugin: per the summary above, it checks for the patch rather
      # than probing the DNS service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      # Scope: the main package plus its debuginfo/debugsource companions, on
      # openSUSE 12.3 and 13.1.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pdns-recursor");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pdns-recursor-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pdns-recursor-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/12/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      # Declares ssh_get_info.nasl as a dependency and requires the release
      # string, the RPM list and the CPU architecture to be in the KB.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Gate 1: local checks must be enabled. audit() ends the script.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    # Gate 2: only openSUSE 12.3 / 13.1 is in scope. A missing release string
    # and SLED/SLES releases are rejected as "not openSUSE".
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)")
      audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE12\.3|SUSE13\.1)$")
      audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3 / 13.1", release);
    
    # Gate 3: an RPM inventory must be in the KB.
    if (!get_kb_item("Host/SuSE/rpm-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Gate 4: the architecture must be known and one of the listed x86 variants.
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch)
      audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$")
      audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    # Every package is checked, whether or not an earlier one already flagged
    # the host. The verdict is a package-version comparison only; the running
    # resolver is never queried.
    outdated = 0;
    
    # openSUSE 12.3
    if (rpm_check(release:"SUSE12.3", reference:"pdns-recursor-3.6.2-6.4.1"))
      outdated++;
    if (rpm_check(release:"SUSE12.3", reference:"pdns-recursor-debuginfo-3.6.2-6.4.1"))
      outdated++;
    if (rpm_check(release:"SUSE12.3", reference:"pdns-recursor-debugsource-3.6.2-6.4.1"))
      outdated++;
    
    # openSUSE 13.1
    if (rpm_check(release:"SUSE13.1", reference:"pdns-recursor-3.6.2-8.4.1"))
      outdated++;
    if (rpm_check(release:"SUSE13.1", reference:"pdns-recursor-debuginfo-3.6.2-8.4.1"))
      outdated++;
    if (rpm_check(release:"SUSE13.1", reference:"pdns-recursor-debugsource-3.6.2-8.4.1"))
      outdated++;
    
    # Nothing flagged: the audit message distinguishes "packages were tested and
    # are not affected" from "none of the packages is installed".
    if (!outdated)
    {
      tested = pkg_tests_get();
      if (tested)
        audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else
        audit(AUDIT_PACKAGE_NOT_INSTALLED, "pdns-recursor / pdns-recursor-debuginfo / pdns-recursor-debugsource");
    }
    
    # Report at warning severity; package details are attached only when the
    # scan's report verbosity is above zero.
    if (report_verbosity > 0)
      security_warning(port:0, extra:rpm_report_get());
    else
      security_warning(0);
    exit(0);
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201412-33.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201412-33 (PowerDNS Recursor: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PowerDNS Recursor. Please review the CVE identifiers and PowerDNS blog post referenced below for details. Impact : A remote attacker may be able to send specially crafted packets, possibly resulting in arbitrary code execution or a Denial of Service condition. Furthermore, a remote attacker may be able to spoof DNS data. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 80210
    published: 2014-12-23
    reporter: This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/80210
    title: GLSA-201412-33 : PowerDNS Recursor: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201412-33.
    #
    # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    # Registration mode: this block runs only when `description` is set. It
    # declares the plugin's metadata and exits, so the package check further
    # down is not executed in this mode.
    if (description)
    {
      script_id(80210);
      script_version("$Revision: 1.4 $");
      script_cvs_date("$Date: 2017/10/02 21:12:27 $");
    
      # This GLSA bundles four CVEs; CVE-2014-8601 is only one of them.
      script_cve_id("CVE-2009-4009", "CVE-2009-4010", "CVE-2012-1193", "CVE-2014-8601");
      script_bugtraq_id(37650, 37653, 59348, 71545);
      script_xref(name:"GLSA", value:"201412-33");
    
      script_name(english:"GLSA-201412-33 : PowerDNS Recursor: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      # The impact text below (code execution, DoS, DNS spoofing) covers the whole
      # advisory, not any single CVE in it.
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201412-33
    (PowerDNS Recursor: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in PowerDNS Recursor.
          Please review the CVE identifiers and PowerDNS blog post referenced below
          for details.
      
    Impact :
    
        A remote attacker may be able to send specially crafted packets,
          possibly resulting in arbitrary code execution or a Denial of Service
          condition. Furthermore, a remote attacker may be able to spoof DNS data.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      # https://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e0bd75f6"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201412-33"
      );
      # NOTE(review): the fixed ebuild named here is 3.6.1-r1 rather than an
      # upstream 3.6.2 release; presumably the -r1 revision carries the
      # backported fix. Confirm against the GLSA.
      script_set_attribute(
        attribute:"solution", 
        value:
    "All PowerDNS Recursor users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=net-dns/pdns-recursor-3.6.1-r1'"
      );
      # NOTE(review): complete C/I/A impact and the CWE-119 tag below rate the
      # bundled advisory as a whole. The plugin does not say which of the four
      # CVEs drives that rating, so do not read it as the severity of
      # CVE-2014-8601 on its own.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      # Temporal vector: exploitability not defined, official fix available,
      # report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(119);
    
      # "local" plugin: per the summary above, the verdict comes from the
      # installed-package database, not from probing the DNS service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:pdns-recursor");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/12/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      # Declares ssh_get_info.nasl as a dependency and requires these three KB
      # entries to be present before the plugin is run.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Stop early unless local checks are enabled, the host was identified as
    # Gentoo, and a qpkg package listing is in the KB. audit() ends the script.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release"))
      audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Anything below 3.6.1-r1 is listed as vulnerable, 3.6.1-r1 and later as
    # unaffected. This is a package-inventory comparison only; the running
    # resolver is never queried.
    outdated = 0;
    if (qpkg_check(package:"net-dns/pdns-recursor", unaffected:make_list("ge 3.6.1-r1"), vulnerable:make_list("lt 3.6.1-r1")))
      outdated++;
    
    # Nothing flagged: the audit message distinguishes "package was tested and
    # is not affected" from "package is not installed".
    if (!outdated)
    {
      tested = qpkg_tests_get();
      if (tested)
        audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else
        audit(AUDIT_PACKAGE_NOT_INSTALLED, "PowerDNS Recursor");
    }
    
    # Reported with security_hole, unlike the other plugins on this page, which
    # use security_warning. Package details are attached only when the scan's
    # report verbosity is above zero.
    if (report_verbosity > 0)
      security_hole(port:0, extra:qpkg_report_get());
    else
      security_hole(0);
    exit(0);
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3096.NASL
    description: Florian Maury from ANSSI discovered a flaw in pdns-recursor, a recursive DNS server : a remote attacker controlling maliciously-constructed zones or a rogue server could affect the performance of pdns-recursor, thus leading to resource exhaustion and a potential denial-of-service.
    last seen: 2020-03-17
    modified: 2014-12-15
    plugin id: 79883
    published: 2014-12-15
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79883
    title: Debian DSA-3096-1 : pdns-recursor - security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3096. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration mode: this block runs only when `description` is set. It
    # declares the plugin's metadata and exits, so the package check further
    # down is not executed in this mode.
    if (description)
    {
      script_id(79883);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      # The one CVE, Bugtraq ID and DSA number this check is mapped to.
      script_cve_id("CVE-2014-8601");
      script_bugtraq_id(71545);
      script_xref(name:"DSA", value:"3096");
    
      script_name(english:"Debian DSA-3096-1 : pdns-recursor - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Florian Maury from ANSSI discovered a flaw in pdns-recursor, a
    recursive DNS server : a remote attacker controlling
    maliciously-constructed zones or a rogue server could affect the
    performance of pdns-recursor, thus leading to resource exhaustion and
    a potential denial-of-service."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/pdns-recursor"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2014/dsa-3096"
      );
      # The solution text names fixed versions for wheezy and for jessie/sid;
      # the registered CPE below covers Debian 7.0 only.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the pdns-recursor packages.
    
    For the stable distribution (wheezy), this problem has been fixed in
    version 3.3-3+deb7u1.
    
    For the upcoming stable distribution (jessie) and unstable
    distribution (sid), this problem has been fixed in version 3.6.2-1."
      );
      # CVSS v2 base vector: reachable over the network, low complexity, no
      # authentication, partial availability impact only (no confidentiality
      # or integrity impact).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      # Temporal vector: exploitability unproven, official fix available,
      # report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # "local" plugin: per the summary above, the verdict comes from dpkg
      # output rather than from probing the DNS service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:pdns-recursor");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/12/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      # Declares ssh_get_info.nasl as a dependency and requires these three KB
      # entries to be present before the plugin is run.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Stop early unless local checks are enabled, the host was identified as
    # Debian, and a dpkg package listing is in the KB. audit() ends the script.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))
      audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Both the main package and its -dbg companion on Debian 7.0 are compared
    # against the advisory's reference version; each check always runs. This
    # is a package-inventory comparison only; the running resolver is never
    # queried.
    outdated = 0;
    if (deb_check(release:"7.0", prefix:"pdns-recursor", reference:"3.3-3+deb7u1"))
      outdated++;
    if (deb_check(release:"7.0", prefix:"pdns-recursor-dbg", reference:"3.3-3+deb7u1"))
      outdated++;
    
    # Nothing flagged: record the host as not affected and stop.
    if (!outdated) audit(AUDIT_HOST_NOT, "affected");
    
    # Report at warning severity; package details are attached only when the
    # scan's report verbosity is above zero.
    if (report_verbosity > 0)
      security_warning(port:0, extra:deb_report_get());
    else
      security_warning(0);
    exit(0);
    
  • NASL family: DNS
    NASL id: POWERDNS_RECURSOR_3_6_2.NASL
    description: According to its self-reported version number, the version of the PowerDNS Recursor listening on the remote host is version 3.x prior to 3.6.2. It is, therefore, affected by a denial of service vulnerability due to the lack of limiting delegation chaining. A remote attacker can exploit this vulnerability, via a large or infinite number of referrals, to cause resource exhaustion, resulting in a denial of service condition. Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number. Also, Nessus has not checked for the presence of the patch.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87951
    published: 2016-01-15
    reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/87951
    title: PowerDNS Recursor 3.x < 3.6.2 Recursive Referral Handling DoS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration mode: this block runs only when `description` is set. It
    # declares the plugin's metadata and exits, so the version check further
    # down is not executed in this mode.
    if (description)
    {
     script_id(87951);
     script_version("1.5");
     script_cvs_date("Date: 2018/11/15 20:50:21");
    
     script_cve_id("CVE-2014-8601");
     script_bugtraq_id(71545);
     script_xref(name:"CERT", value:"264212");
    
     script_name(english:"PowerDNS Recursor 3.x < 3.6.2 Recursive Referral Handling DoS");
     script_summary(english:"Checks the PowerDNS Recursor version.");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote name server is affected by a denial of service
    vulnerability.");
     # The description states the limits of this check: it trusts the
     # self-reported version, does not attempt exploitation, and does not look
     # for an applied patch.
     script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the version of the
    PowerDNS Recursor listening on the remote host is version 3.x prior to
    3.6.2. It is, therefore, affected by a denial of service vulnerability
    due to the lack of limiting delegation chaining. A remote attacker can
    exploit this vulnerability, via a large or infinite number of
    referrals, to cause resource exhaustion, resulting in a denial of
    service condition.
    
    Note that Nessus has not attempted to exploit this issue but has
    instead relied only on the application's self-reported version number.
    Also, Nessus has not checked for the presence of the patch.");
     script_set_attribute(attribute:"see_also", value:"https://doc.powerdns.com/md/security/powerdns-advisory-2014-02/");
     script_set_attribute(attribute:"see_also", value:"https://www.kb.cert.org/vuls/id/264212/");
     script_set_attribute(attribute:"solution", value:
    "Upgrade to PowerDNS Recursor 3.6.2 or later. Alternatively, apply the
    patch referenced in the vendor advisory.");
     # CVSS v2 base vector: reachable over the network, low complexity, no
     # authentication, partial availability impact only.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
     # Temporal vector: exploitability unproven, official fix available,
     # report confirmed.
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date",value:"2014/12/08");
     script_set_attribute(attribute:"patch_publication_date",value:"2014/12/08");
     script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/15");
    
     # Marked as a potential vulnerability and typed "remote": the finding is
     # inferred from the version string alone, as the description above says.
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:powerdns:powerdns");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:powerdns:recursor");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
    
     script_family(english:"DNS");
     # Declares pdns_version.nasl as a dependency and requires its pdns/* KB
     # entries. "Settings/ParanoidReport" is also a required key, so the plugin
     # is run only when that setting is present in the KB.
     script_dependencies("pdns_version.nasl");
     script_require_keys("pdns/version", "pdns/version_full", "pdns/version_source", "pdns/type", "Settings/ParanoidReport");
     exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Constants used in the audit messages and the report.
    # NOTE(review): the port is fixed at 53 rather than read from the KB, so
    # results are always attributed to 53/udp. Confirm that matches where
    # pdns_version.nasl found the service.
    app_name = "PowerDNS Recursor";
    fix = '3.6.2';
    port = 53;
    
    # Version facts come from the KB; the script exits if any of them is
    # missing. The lookups keep their original order.
    version_source = get_kb_item_or_exit("pdns/version_source");
    version_full = get_kb_item_or_exit("pdns/version_full");
    version = get_kb_item_or_exit("pdns/version");
    
    # Only the Recursor is affected
    type = get_kb_item_or_exit("pdns/type");
    if (type != 'recursor')
      audit(AUDIT_NOT_LISTEN, app_name, port, "UDP");
    
    # Not vulnerable unless the version is in the 3.x line and compares below
    # the fixed release. audit() ends the script, so the two guards together
    # are equivalent to a single "not 3.x OR >= fix" test.
    # The verdict rests on the version string alone: a build that reports an
    # older 3.x version but carries the patch would still be flagged.
    if (version !~ "^3\.")
      audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version_full, "UDP");
    if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)
      audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version_full, "UDP");
    
    # Report at warning severity on 53/udp; the version details are attached
    # only when the scan's report verbosity is above zero.
    if (report_verbosity <= 0)
      security_warning(port:port, proto:"udp");
    else
    {
      report =
        '\n  Version source    : ' + version_source +
        '\n  Installed version : ' + version_full +
        '\n  Fixed version     : ' + fix +
        '\n';
      security_warning(port:port, proto:"udp", extra:report);
    }