CVE-2017-15120 in PowerDNS Recursor

Summary

by MITRE

An issue has been found in the parsing of authoritative answers in PowerDNS Recursor before 4.0.8, leading to a NULL pointer dereference when parsing a specially crafted answer containing a CNAME of a different class than IN. An unauthenticated remote attacker could cause a denial of service.


Analysis

by VulDB Data Team • 04/27/2023

CVE-2017-15120 is a NULL pointer dereference (CWE-476) in PowerDNS Recursor versions before 4.0.8, located in the code that processes authoritative answers. The recursor assumes that a CNAME record in an answer is of class IN. When a specially crafted answer carries a CNAME record whose class field is something other than IN (for example CH or HS), that assumption fails: the record is not handled as the expected CNAME content, and the code that goes on to process the CNAME dereferences a null pointer without checking it first.

The root cause is therefore a missing validation step rather than a memory-corruption primitive: the class field of CNAME resource records is not checked before the record is treated as a followable IN CNAME. The result is an immediate crash of the recursor process, a textbook instance of CWE-476 in a network protocol handler. No memory is written by the attacker, so the impact is limited to availability; there is no indication of code execution.

The operational impact is a denial of service against the recursor and every client that depends on it. The attacker does not need credentials, but does need to get the crafted answer in front of the recursor: in practice this means operating the authoritative server for a domain the recursor can be induced to look up (any client of the recursor visiting a web page or receiving an e-mail that references the attacker's domain suffices), or spoofing an answer on the path. If the process is restarted by a supervisor, the attacker can simply trigger the lookup again, so the outage can be sustained for as long as the vulnerable version stays in service. Public-facing and ISP recursors are the most exposed. In MITRE ATT&CK terms this is Endpoint Denial of Service (T1499), achieved by crashing the application with malformed input.

The only real fix for CVE-2017-15120 is upgrading PowerDNS Recursor to 4.0.8 or later, which validates the class of CNAME records before following them; the running version can be confirmed with pdns_recursor --version. Rate limiting, network segmentation and an IDS reduce exposure but do not remove it, because a single crafted answer is enough to crash an unpatched process and the answer arrives over the recursor's normal outbound resolution path. Where monitoring is in place, a useful signal is a CNAME resource record with a class other than IN in a response to an IN query: such records have no legitimate use in ordinary resolution, so any occurrence indicates either a broken authoritative server or an exploitation attempt. Repeated unexpected restarts of the recursor process, correlated with lookups of a particular domain, are the other indicator worth alerting on.
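The following is an added example written for this page; it is not PowerDNS code and does not reproduce the recursor's actual source. It models the failure mode described in the analysis above and the response-level check suggested under mitigation: a toy RFC 1035 answer parser that builds typed CNAME content only for class IN (an assumption made to model the bug; everything else is kept as opaque rdata), a CNAME follower that checks the record type but not the class and so dereferences a null pointer on a crafted CH-class CNAME, the fixed follower that skips non-IN CNAMEs, and a detection helper that counts CNAME records with a class other than IN. The packets are constructed in the block (names under example.test are made up); name compression is not supported in this toy.

```cpp
// Added example (not PowerDNS code): toy model of the CVE-2017-15120 bug class.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;
enum : uint16_t { T_A = 1, T_CNAME = 5, C_IN = 1, C_CH = 3 };

struct RecordContent { virtual ~RecordContent() = default; };
struct CNAMEContent : RecordContent { std::string target; };
struct UnknownContent : RecordContent { Bytes rdata; };

struct DNSRecord {
  std::string name;
  uint16_t type = 0, qclass = 0;
  std::shared_ptr<RecordContent> content;
};

// Typed accessor: a dynamic cast that yields null when the content is not of type T.
template <class T>
std::shared_ptr<T> getRR(const DNSRecord& r) { return std::dynamic_pointer_cast<T>(r.content); }

static uint16_t rd16(const Bytes& p, size_t& off) {
  if (off + 2 > p.size()) throw std::runtime_error("truncated packet");
  uint16_t v = (uint16_t)((p[off] << 8) | p[off + 1]);
  off += 2;
  return v;
}

// Reads an uncompressed name (assumption: no 0xC0 pointers in the constructed samples).
static std::string readName(const Bytes& p, size_t& off) {
  std::string out;
  for (;;) {
    if (off >= p.size()) throw std::runtime_error("truncated name");
    uint8_t len = p[off++];
    if (len == 0) return out;
    if ((len & 0xC0) || off + len > p.size()) throw std::runtime_error("bad label");
    if (!out.empty()) out += '.';
    out.append(reinterpret_cast<const char*>(&p[off]), len);
    off += len;
  }
}

// Parses the answer section. Modelling assumption: typed CNAME content is built only for
// class IN; any other record is stored as opaque rdata, so getRR<CNAMEContent> returns null.
std::vector<DNSRecord> parseAnswers(const Bytes& p) {
  size_t off = 4;                                   // skip ID and flags
  uint16_t qd = rd16(p, off), an = rd16(p, off);
  off += 4;                                         // NSCOUNT, ARCOUNT ignored here
  for (uint16_t i = 0; i < qd; ++i) { readName(p, off); rd16(p, off); rd16(p, off); }
  std::vector<DNSRecord> out;
  for (uint16_t i = 0; i < an; ++i) {
    DNSRecord r;
    r.name = readName(p, off);
    r.type = rd16(p, off);
    r.qclass = rd16(p, off);
    off += 4;                                       // TTL
    uint16_t rdlen = rd16(p, off);
    if (off + rdlen > p.size()) throw std::runtime_error("truncated rdata");
    if (r.type == T_CNAME && r.qclass == C_IN) {
      size_t o = off;
      auto c = std::make_shared<CNAMEContent>();
      c->target = readName(p, o);
      r.content = c;
    } else {
      auto u = std::make_shared<UnknownContent>();
      u->rdata.assign(p.begin() + off, p.begin() + off + rdlen);
      r.content = u;
    }
    off += rdlen;
    out.push_back(r);
  }
  return out;
}

// VULNERABLE pattern: checks the type but not the class, then trusts the cast.
// On a CH-class CNAME the cast is null and '->target' dereferences it (UB, typically SIGSEGV).
std::string followCnameUnsafe(const std::vector<DNSRecord>& recs) {
  for (const auto& r : recs)
    if (r.type == T_CNAME) return getRR<CNAMEContent>(r)->target;
  return "";
}

// FIXED pattern: ignore CNAMEs of any class other than IN and never trust the cast blindly.
std::string followCnameSafe(const std::vector<DNSRecord>& recs) {
  for (const auto& r : recs) {
    if (r.type != T_CNAME || r.qclass != C_IN) continue;
    if (auto c = getRR<CNAMEContent>(r)) return c->target;
  }
  return "";
}

// Crash precondition: some CNAME record whose typed content is null.
bool hasNullCnameContent(const std::vector<DNSRecord>& recs) {
  for (const auto& r : recs)
    if (r.type == T_CNAME && !getRR<CNAMEContent>(r)) return true;
  return false;
}

// Detection check for response monitoring: CNAME RRs with a class other than IN.
int countNonInCnames(const std::vector<DNSRecord>& recs) {
  int n = 0;
  for (const auto& r : recs) if (r.type == T_CNAME && r.qclass != C_IN) ++n;
  return n;
}

static void put16(Bytes& b, uint16_t v) { b.push_back((uint8_t)(v >> 8)); b.push_back((uint8_t)v); }
static void putName(Bytes& b, const std::string& n) {
  for (size_t s = 0; s < n.size();) {
    size_t d = n.find('.', s); if (d == std::string::npos) d = n.size();
    b.push_back((uint8_t)(d - s)); b.insert(b.end(), n.begin() + s, n.begin() + d); s = d + 1;
  }
  b.push_back(0);
}

// Constructed sample: authoritative answer with one CNAME RR of the given class.
Bytes buildResponse(uint16_t cnameClass) {
  Bytes b;
  put16(b, 0x1234); put16(b, 0x8400);                       // ID; QR=1, AA=1
  put16(b, 1); put16(b, 1); put16(b, 0); put16(b, 0);       // QD=1 AN=1 NS=0 AR=0
  putName(b, "www.example.test"); put16(b, T_A); put16(b, C_IN);
  putName(b, "www.example.test"); put16(b, T_CNAME); put16(b, cnameClass);
  put16(b, 0); put16(b, 60);                                // TTL 60
  Bytes rd; putName(rd, "target.example.test");
  put16(b, (uint16_t)rd.size()); b.insert(b.end(), rd.begin(), rd.end());
  return b;
}

int main() {
  auto benign = parseAnswers(buildResponse(C_IN));
  auto crafted = parseAnswers(buildResponse(C_CH));
  std::printf("benign, unsafe follower: %s\n", followCnameUnsafe(benign).c_str());
  std::printf("crafted has null CNAME content: %d\n", hasNullCnameContent(crafted));
  std::printf("crafted, fixed follower: '%s'\n", followCnameSafe(crafted).c_str());
  std::printf("crafted, non-IN CNAMEs flagged: %d\n", countNonInCnames(crafted));
  // followCnameUnsafe(crafted) is deliberately not called: it dereferences null.
  return 0;
}
```

The point of the model is the check's position: the fixed follower rejects the record on its class before touching the typed content, so the cast result is never dereferenced unchecked. The same class test is what a response-monitoring rule would apply to answers seen on the recursor's outbound side.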

Responsible

Red Hat, Inc.

Reservation

10/08/2017

Disclosure

07/27/2018

Moderation

accepted

CPE

ready

EPSS

0.00332

KEV

no

Activities

very low
