Source: cve@mitre.org
The DNS implementation of PowerDNS 2.9.16 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop.
PowerDNS versions 2.9.16 and earlier are vulnerable to a denial-of-service (DoS) attack due to a flaw in how they handle compressed DNS packets. Attackers can craft malicious DNS queries that cause the server to enter an infinite loop, rendering it unavailable. This vulnerability can disrupt critical network services and impact business operations.
Step 1: Malicious Packet Creation: The attacker crafts a DNS query packet. This packet is designed to exploit the vulnerability in PowerDNS's DNS packet parsing logic.
Step 2: Compressed Label Manipulation: The attacker includes a compressed label within the DNS query. The compressed label contains an offset value that points to an invalid location, such as the beginning of the label itself or a location that creates a circular reference.
Step 3: Query Submission: The attacker sends the crafted DNS query to a PowerDNS server.
Step 4: Parsing and Infinite Loop: The PowerDNS server receives the malicious packet and begins to parse it. Due to the invalid offset in the compressed label, the parsing logic enters an infinite loop, repeatedly attempting to resolve the invalid reference. This consumes CPU resources.
Step 5: Denial of Service: The infinite loop consumes server resources, preventing the server from responding to legitimate DNS queries. This results in a denial-of-service condition, making the server unavailable.
The vulnerability lies within PowerDNS's DNS packet parsing logic, specifically in the handling of compressed labels. The software incorrectly validates the offset value within a compressed label, allowing an attacker to craft a packet with an invalid offset that points back to the beginning of the label or to itself. This causes the parsing routine to enter an infinite loop while attempting to resolve the DNS query, consuming CPU resources and preventing the server from processing legitimate requests. The root cause is a lack of bounds checking on the offset value used in the DNS packet decompression algorithm, leading to a logic error and ultimately a denial-of-service condition. The vulnerability is not a buffer overflow or memory corruption issue, but rather a flaw in the control flow of the DNS parsing process.
While no specific APTs are directly linked to this CVE, the ease of exploitation makes it a potential target for any attacker seeking to disrupt network services. This vulnerability could be used by threat actors to disrupt critical infrastructure or to facilitate other attacks. CISA KEV status: Not Listed.
Monitor DNS server CPU utilization for sustained high levels, especially during periods of low legitimate traffic.
Analyze DNS server logs for repeated error messages related to packet parsing or name decompression.
Network traffic analysis: Look for unusual DNS queries with malformed compressed labels. Tools like Wireshark can be used to inspect DNS packets.
Implement intrusion detection systems (IDS) with rules that identify DNS packets with invalid compressed label offsets.
Monitor for a sudden increase in DNS query volume from a single source IP address.
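As an added illustration (not PowerDNS code), the following Python shows the bounds check the root-cause paragraph says was missing, in the form of a name decoder that rejects compression pointers which do not point strictly backwards, plus a small checker of the kind an IDS rule for invalid compressed-label offsets would implement. The sample packets and the `limit` rule are this example's own constructions.

```python
import struct

def read_name(pkt: bytes, offset: int):
    """Decode the DNS name at `offset`; return (labels, offset after the name).
    Raises ValueError on malformed names, including compression pointers that
    point forward, at themselves or into a region already walked (the PowerDNS
    failure case): every pointer target must be strictly below `limit`."""
    labels, pos, end, limit = [], offset, None, offset
    while True:
        if pos >= len(pkt):
            raise ValueError("name runs past end of packet")
        length = pkt[pos]
        if length == 0:                       # root label terminates the name
            return labels, (end if end is not None else pos + 1)
        if length & 0xC0 == 0xC0:             # 11xxxxxx: 14-bit compression pointer
            if pos + 1 >= len(pkt):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | pkt[pos + 1]
            if target >= limit:
                raise ValueError(f"pointer at {pos} -> {target} does not point backwards")
            if end is None:                   # parsing resumes after the first pointer
                end = pos + 2
            limit = pos = target              # targets strictly decrease, so the walk must end
            continue
        if pos + 1 + length > len(pkt):
            raise ValueError("label runs past end of packet")
        labels.append(pkt[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length

def check_question_section(pkt: bytes) -> list:
    """Return the problems found in the question names (empty list means clean)."""
    if len(pkt) < 12:
        return ["header too short"]
    qdcount = struct.unpack("!H", pkt[4:6])[0]
    pos, problems = 12, []
    for i in range(qdcount):
        try:
            _, pos = read_name(pkt, pos)
            pos += 4                          # skip QTYPE and QCLASS
        except ValueError as exc:
            problems.append(f"question {i}: {exc}")
            break
    return problems

# Constructed sample packets (not captured traffic): a normal A query and two whose question-name pointer loops onto itself.
HEADER = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # id, flags, 1 question, no other records
GOOD_QUERY = HEADER + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
SELF_POINTER = HEADER + b"\xc0\x0c" + b"\x00\x01\x00\x01"     # pointer to offset 12: itself
CIRCULAR = HEADER + b"\x03foo\xc0\x0c" + b"\x00\x01\x00\x01"  # "foo", then pointer to its own start
```

Because each accepted pointer target is strictly lower than the previous one, the decoder terminates within `len(pkt)` steps regardless of input, which is the property the vulnerable parser lacked.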
Upgrade to a patched version of PowerDNS (2.9.17 or later).
Implement rate limiting on DNS queries to mitigate the impact of a DoS attack.
Configure firewalls to restrict DNS traffic to trusted sources.
Regularly monitor DNS server logs for suspicious activity.
Consider using a DNS caching server in front of the PowerDNS server to filter malicious traffic.
Implement a web application firewall (WAF) to filter malicious DNS traffic.