Several Vulnerabilities Patched in PowerDNS

Updates released for the authoritative nameserver and recursive nameserver components of PowerDNS patch several vulnerabilities that can be exploited for denial-of-service (DoS) attacks, record manipulation, configuration changes, and cross-site scripting (XSS) attacks.
PowerDNS Recursor versions 4.0.0 through 4.0.6 are affected by a DNSSEC validation issue that can be exploited by a man-in-the-middle (MitM) attacker to forge signatures and alter DNS records (CVE-2017-15090).

Another flaw affecting these versions of Recursor is CVE-2017-15092, an XSS bug that allows a remote attacker to inject arbitrary HTML and JavaScript code into the Recursor web interface. The security hole can be exploited by sending specially crafted DNS queries to the server in order to alter the web interface or cause it to enter a DoS condition.
The Recursor is also impacted by a vulnerability that allows an authenticated attacker to inject new directives into its configuration (CVE-2017-15093). The last issue affecting this component is a DoS flaw caused by a memory leak that can occur when parsing specially crafted DNSSEC ECDSA keys (CVE-2017-15094). The vulnerability can be exploited by using an authoritative server to send specially crafted keys to the recursor.
The only security hole affecting PowerDNS Authoritative versions 4.0.4, 3.4.11 and prior is CVE-2017-15091, which allows an authenticated attacker to cause a DoS condition.
The vulnerabilities have been rated medium and low severity as they do not impact default configurations. Patches are included in PowerDNS Authoritative 4.0.5 and Recursor 4.0.7. Minimal fixes have also been provided for the 3.4.11 and 3.7.4 releases, but users of these versions have been advised to migrate to the 4.x branch.
These security holes were discovered by Nixu, a Finland-based cybersecurity services company, during a source code audit, and by Chris Navarrete of Fortinet’s FortiGuard Labs, Kees Monshouwer, and a researcher who uses the online moniker “everyman.”