CVE-2017-15091 in PowerDNS Authoritative Server

Summary

by MITRE

An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY.


Analysis

by VulDB Data Team • 02/01/2021

The vulnerability identified as CVE-2017-15091 represents a critical authorization bypass flaw within PowerDNS Authoritative Server versions 3.x through 3.4.11 and 4.x through 4.0.4. The issue lies in the API component, where the server fails to properly enforce its read-only configuration, creating a significant security risk for organizations relying on this DNS infrastructure. The flaw becomes exposed when administrators configure the API to operate in read-only mode using the api-readonly keyword, intending to restrict administrative operations while still allowing read access to DNS records and server status information.

Technically, the vulnerability stems from a missing validation check within the API processing logic. When the api-readonly parameter is set, the server should reject any operation that modifies server state or triggers an administrative action. However, the PowerDNS implementation does not consistently validate whether the current API operation is permitted under the read-only configuration. This oversight allows authenticated users with valid API credentials to execute privileged operations that should be blocked in read-only mode. The specific operations that remain executable are cache flushing, zone transfers, and NOTIFY message sending, all of which can significantly impact server performance and potentially reveal sensitive information about the DNS infrastructure.
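The pattern described above is easiest to see in a small model. The C++ below is an added example written for this page; it is not PowerDNS source and does not reproduce the project's router or its actual fix. It models two ways of enforcing an api-readonly setting in front of a handful of hypothetical endpoints whose paths are chosen to resemble the PowerDNS REST API: a per-handler layout, where each handler is responsible for its own read-only check and the three "action" handlers (cache flush, zone transfer, NOTIFY) were never given one, and a central gate that rejects every non-safe HTTP method before any handler runs. The struct names, route table and status codes are all constructed for the illustration.

```cpp
// Added example (not PowerDNS code): a minimal model of an HTTP API
// dispatcher with an "api-readonly" setting, showing why a per-handler
// check is easy to forget and how a central, method-based gate avoids it.
#include <functional>
#include <map>
#include <string>

struct ApiRequest {
    std::string method;  // "GET", "PUT", "PATCH", ...
    std::string path;    // e.g. "/cache/flush" (constructed, not the real route table)
};

struct ApiResponse {
    int status;          // 200 when the handler ran, 405 when blocked by read-only mode
    std::string body;
};

// Hypothetical server state that the handlers mutate.
struct ServerState {
    bool apiReadonly = false;
    int cacheFlushes = 0;
    int axfrRetrievals = 0;
    int notifiesSent = 0;
    int zoneEdits = 0;
};

using Handler = std::function<ApiResponse(ServerState&, const ApiRequest&)>;

// Route key is "METHOD path". perHandlerChecks selects whether the
// zone-edit handler carries its own read-only check (vulnerable layout).
static std::map<std::string, Handler> buildRoutes(bool perHandlerChecks) {
    std::map<std::string, Handler> routes;
    routes["GET /zones"] = [](ServerState&, const ApiRequest&) {
        return ApiResponse{200, "[zones]"};
    };
    routes["PATCH /zones/example.org"] = [perHandlerChecks](ServerState& s, const ApiRequest&) {
        if (perHandlerChecks && s.apiReadonly) return ApiResponse{405, "read-only"};
        s.zoneEdits++;
        return ApiResponse{200, "edited"};
    };
    // These three action endpoints change server state, but in the
    // per-handler layout nobody added the read-only check to them.
    routes["PUT /cache/flush"] = [](ServerState& s, const ApiRequest&) {
        s.cacheFlushes++;
        return ApiResponse{200, "flushed"};
    };
    routes["PUT /zones/example.org/axfr-retrieve"] = [](ServerState& s, const ApiRequest&) {
        s.axfrRetrievals++;
        return ApiResponse{200, "axfr queued"};
    };
    routes["PUT /zones/example.org/notify"] = [](ServerState& s, const ApiRequest&) {
        s.notifiesSent++;
        return ApiResponse{200, "notify queued"};
    };
    return routes;
}

static bool isSafeMethod(const std::string& m) {
    return m == "GET" || m == "HEAD" || m == "OPTIONS";
}

// Vulnerable layout: read-only is enforced inside individual handlers,
// so every handler that was missed is an authorization bypass.
ApiResponse dispatchPerHandler(ServerState& s, const ApiRequest& r) {
    static std::map<std::string, Handler> routes = buildRoutes(true);
    auto it = routes.find(r.method + " " + r.path);
    if (it == routes.end()) return ApiResponse{404, "not found"};
    return it->second(s, r);
}

// Hardened layout: one gate in front of the router rejects every
// non-safe method while api-readonly is set, whatever the handler does.
ApiResponse dispatchCentralGate(ServerState& s, const ApiRequest& r) {
    static std::map<std::string, Handler> routes = buildRoutes(false);
    if (s.apiReadonly && !isSafeMethod(r.method)) return ApiResponse{405, "read-only"};
    auto it = routes.find(r.method + " " + r.path);
    if (it == routes.end()) return ApiResponse{404, "not found"};
    return it->second(s, r);
}
```

With apiReadonly set, dispatchPerHandler lets `PUT /cache/flush` through and increments cacheFlushes, while dispatchCentralGate returns 405 and leaves the state untouched; both still serve `GET /zones`. The design point is that a default-deny gate keyed on the request's effect (here approximated by HTTP method) fails closed when a new state-changing endpoint is added, whereas per-handler checks fail open.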

The operational impact of this vulnerability extends beyond simple unauthorized access to encompass potential denial of service conditions and information disclosure risks. An attacker with valid API credentials could flush the server cache, potentially causing performance degradation or forcing the server to re-fetch records from authoritative sources, leading to increased network traffic and potential service disruption. The ability to trigger zone transfers could expose internal DNS records and server configurations to unauthorized parties, while sending NOTIFY messages could disrupt normal DNS propagation processes or provide attackers with insights into the internal DNS topology. This vulnerability directly violates the principle of least privilege and can be classified under CWE-693 Protection Mechanism Failure, as the system fails to properly enforce access controls.

Security professionals should consider this vulnerability in the context of the ATT&CK framework, particularly under the techniques related to privilege escalation and defense evasion. The vulnerability enables an attacker to perform operations that would normally require administrative privileges, effectively allowing them to bypass the intended read-only restrictions. Organizations should implement immediate mitigations including upgrading to PowerDNS versions that address this vulnerability, ensuring proper API access controls are configured, and monitoring for unauthorized API usage patterns. The recommended approach involves not only patching the software but also conducting comprehensive access control reviews to ensure that API configurations properly enforce the intended security boundaries and that no administrative operations can be executed through the API when read-only mode is enabled.
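One concrete form of the "monitoring for unauthorized API usage patterns" recommendation above is to audit the API access log for accepted state-changing requests while api-readonly is configured. The C++ below is an added example for this page, not PowerDNS code or a PowerDNS log format: it assumes a constructed one-line-per-request format (`<timestamp> <client> <method> <path> <status>`) that you would adapt to whatever your web server or reverse proxy actually writes, and it uses endpoint path suffixes modelled on the three operations named in the advisory (cache flush, zone transfer, NOTIFY) to give findings a specific reason.

```cpp
// Added example (not PowerDNS code): flag API calls that changed server
// state even though api-readonly is configured. Log format is constructed
// for this example; adapt parseApiLogLine() to your real access log.
#include <sstream>
#include <string>
#include <vector>

struct ApiLogEntry {
    std::string ts, client, method, path;
    int status = 0;
};

struct Finding {
    std::string client, method, path, reason;
};

// Parse one constructed log line; returns false on malformed input.
bool parseApiLogLine(const std::string& line, ApiLogEntry& out) {
    std::istringstream in(line);
    return static_cast<bool>(in >> out.ts >> out.client >> out.method >> out.path >> out.status);
}

static bool isSafeMethod(const std::string& m) {
    return m == "GET" || m == "HEAD" || m == "OPTIONS";
}

static bool endsWith(const std::string& s, const std::string& suffix) {
    return s.size() >= suffix.size() &&
           s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// With api-readonly set, any accepted (2xx) non-safe request violates the
// intended policy. Requests the server rejected (e.g. 405) are not findings.
std::vector<Finding> auditReadonlyApi(const std::vector<std::string>& lines, bool apiReadonly) {
    std::vector<Finding> findings;
    if (!apiReadonly) return findings;  // nothing to enforce in read-write mode
    for (const auto& line : lines) {
        ApiLogEntry e;
        if (!parseApiLogLine(line, e)) continue;      // skip malformed lines
        if (isSafeMethod(e.method)) continue;          // reads are allowed
        if (e.status < 200 || e.status >= 300) continue;  // request was refused
        std::string reason = "state-changing request accepted in read-only mode";
        if (endsWith(e.path, "/cache/flush"))
            reason = "cache flush accepted in read-only mode";
        else if (endsWith(e.path, "/axfr-retrieve"))
            reason = "zone transfer triggered in read-only mode";
        else if (endsWith(e.path, "/notify"))
            reason = "NOTIFY triggered in read-only mode";
        findings.push_back(Finding{e.client, e.method, e.path, reason});
    }
    return findings;
}

// Constructed sample lines (not real PowerDNS output); paths mimic the
// PowerDNS REST API layout only to make the findings readable.
const std::vector<std::string> kSampleApiLog = {
    "2018-01-23T10:00:01Z 10.0.0.5 GET /api/v1/servers/localhost/zones 200",
    "2018-01-23T10:00:02Z 10.0.0.5 PUT /api/v1/servers/localhost/cache/flush 200",
    "2018-01-23T10:00:03Z 10.0.0.7 PATCH /api/v1/servers/localhost/zones/example.org. 405",
    "2018-01-23T10:00:04Z 10.0.0.7 PUT /api/v1/servers/localhost/zones/example.org./notify 200",
    "garbage line",
};
```

Run over kSampleApiLog with apiReadonly set, the audit returns two findings (the accepted cache flush from 10.0.0.5 and the accepted NOTIFY from 10.0.0.7), ignores the GET, the rejected PATCH and the malformed line, and returns nothing when the setting is off. On a patched server the accepted cases should never appear; if they do, either the configuration is not what you think or the server is still on an affected version.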

Reservation

10/08/2017

Disclosure

01/23/2018

Moderation

accepted

CPE

ready

EPSS

0.00002

KEV

no

Activities

very low
