This document is about PowerDNS 4.0. For other versions, please see the documentation index.
PowerDNS Security Advisory 2010-01: PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited
- CVE: CVE-2009-4009
- Date: 6th of January 2010
- Affects: PowerDNS Recursor 3.1.7.1 and earlier
- Not affected: No versions of the PowerDNS Authoritative ('pdns_server') are affected.
- Severity: Critical
- Impact: Denial of Service, possible full system compromise
- Exploit: Withheld
- Solution: Upgrade to PowerDNS Recursor 3.1.7.2 or higher
- Workaround: None. The risk of exploitation or denial of service can be decreased slightly by using the
allow-fromsetting to only provide service to known users. The risk of a full system compromise can be reduced by running with a suitable reduced privilege user and group settings, and possibly chroot environment.
Using specially crafted packets, it is possible to force a buffer overflow in the PowerDNS Recursor, leading to a crash.
This vulnerability was discovered by a third party that (for now) prefers not to be named. PowerDNS is very grateful however for their help in improving PowerDNS security.