Severity : Low
Date     : 2022-04-15
CVE-ID   : CVE-2022-27227
Package  : powerdns-recursor
Type     : denial of service
Remote   : Yes
Link     : https://security.archlinux.org/AVG-2656
The package powerdns-recursor before version 4.6.1-1 is vulnerable to
denial of service.
Upgrade to 4.6.1-1.
The problem has been fixed upstream in version 4.6.1.
Workaround : None.
A denial of service issue has been found in PowerDNS Authoritative
Server and PowerDNS Recursor before 4.6.1.
IXFR usually exchanges only the modifications between two versions of a
zone, but sometimes needs to fall back to a full transfer of the
current version. When IXFR falls back to a full zone transfer, an
attacker in a man-in-the-middle position can cause the transfer to be
prematurely interrupted. This interrupted transfer is mistakenly
interpreted as a complete transfer, causing an incomplete zone to be
processed. For the Authoritative Server, IXFR transfers are not enabled
by default. The Recursor only uses IXFR for retrieving RPZ zones. An
incomplete RPZ transfer results in missing policy entries, potentially
causing some DNS names and IP addresses to not be properly intercepted.
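The completeness check whose absence the advisory describes, as an added example that is not PowerDNS code: a small model of an IXFR consumer that accepts a fallback full transfer only when the closing SOA actually arrives, beside the flawed interpretation that takes a cut-off stream as a complete zone. The record tuple layout, serial values and the RPZ sample zone are constructed for this example.

```python
"""Added example, not PowerDNS code: check that an IXFR response which fell back
to a full zone transfer (RFC 1995) actually ran to completion before using it.
Records are (name, rtype, rdata) tuples; SOA rdata is {'serial': n}. The sample
transfers at the bottom are constructed for this example."""


class IncompleteTransfer(Exception):
    """The stream ended before its terminating SOA record."""

def is_soa(record):
    return record[1] == "SOA"

def naive_zone(records):
    """The flawed interpretation the advisory describes: whatever arrived after
    the leading SOA is taken as the zone, whether or not the closing SOA came."""
    body = records[1:]
    return body[:-1] if body and is_soa(body[-1]) else body

def parse_ixfr_response(records):
    """Return ("full", zone) for a fallback full transfer (new SOA, whole zone,
    new SOA again) or ("incremental", deltas) for a true delta, where deltas are
    (old_serial, deleted, added). Reject a stream that does not end with the
    closing SOA carrying the same serial as the leading one."""
    if not records or not is_soa(records[0]):
        raise IncompleteTransfer("response does not start with the new SOA")
    serial = records[0][2]["serial"]
    if len(records) < 2 or not is_soa(records[-1]) or records[-1][2]["serial"] != serial:
        raise IncompleteTransfer(f"stream ended before the closing SOA (serial {serial})")
    if not is_soa(records[1]):
        return "full", records[1:-1]
    deltas, i = [], 1
    while i < len(records) - 1:  # each delta: SOA old, deletions, SOA new, additions
        old_serial, deleted, added = records[i][2]["serial"], [], []
        i += 1
        while not is_soa(records[i]):
            deleted.append(records[i])
            i += 1
        i += 1  # skip the SOA that introduces the additions
        if i >= len(records):
            raise IncompleteTransfer("delta cut off after its deletion section")
        while not is_soa(records[i]):
            added.append(records[i])
            i += 1
        deltas.append((old_serial, deleted, added))
    return "incremental", deltas

# Constructed RPZ-style zone: two policy entries between the two SOA copies.
SOA = ("rpz.example.", "SOA", {"serial": 2})
FULL = [SOA, ("bad.example.rpz.example.", "CNAME", "."),
        ("32.4.3.2.1.rpz-ip.rpz.example.", "CNAME", "."), SOA]
TRUNCATED = FULL[:2]  # connection cut after the first policy entry
```

With the truncated stream, naive_zone silently yields a one-entry RPZ, while parse_ixfr_response raises and leaves the previously loaded policy in place.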
An attacker-in-the-middle might be able to cause an incomplete RPZ
transfer, resulting in missing policy entries, potentially causing
some DNS names and IP addresses to not be properly intercepted.
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html
https://security.archlinux.org/CVE-2022-27227
OS | OS Version | Architecture | Package | Package Version | Filename
---|---|---|---|---|---
ArchLinux | any | any | powerdns-recursor | < 4.6.1-1 | UNKNOWN