PT-2018-5760 · Powerdns · Powerdns Recursor

Published: 2018-01-23 · Updated: 2024-06-15 · CVE-2017-15093

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
PowerDNS Recursor versions 3.x up to and including 3.7.4
PowerDNS Recursor versions 4.x up to and including 4.0.6
Description: When "api-config-dir" is set to a non-empty value, the Recursor's API allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to configure forward zones. It was found that the new netmasks and the IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor's configuration.
Recommendations: For PowerDNS Recursor versions 3.x up to and including 3.7.4 and versions 4.x up to and including 4.0.6, update to a version in which new netmasks and IP addresses of forwarded zones are properly validated. As a temporary workaround, consider restricting access to the API configuration to minimize the risk of exploitation.
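
The validation gap described above, seen from the defensive side as an added example (not PowerDNS code): strict parsing of netmasks and forwarder addresses before they reach a line-oriented configuration file. The function names, the default port 53 and the sample inputs are assumptions made for the illustration.

```python
import ipaddress
import re

# Allow only characters that occur in an IPv4/IPv6 literal, prefix length or
# port. Newlines, spaces, commas, '=', '#' and IPv6 scope ids ('%') are refused,
# so a value can never carry a second list entry or a new directive.
_ALLOWED = re.compile(r"[0-9A-Fa-f.:/\[\]]+")

def _check_charset(value):
    if not isinstance(value, str) or not _ALLOWED.fullmatch(value):
        raise ValueError(f"illegal character in {value!r}")

def validate_netmask(value):
    """Return the canonical CIDR form of an ACL entry, or raise ValueError."""
    _check_charset(value)
    # strict=False: host bits are masked off instead of being rejected.
    return str(ipaddress.ip_network(value, strict=False))

def validate_forwarder(value, default_port=53):
    """Return canonical 'ip:port' or '[ip6]:port', or raise ValueError."""
    _check_charset(value)
    host, port = value, str(default_port)
    if value.startswith("["):                      # [2001:db8::1]:5300
        host, closed, rest = value[1:].partition("]")
        if not closed or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed address {value!r}")
        port = rest[1:] if rest else port
    elif value.count(":") == 1:                    # 192.0.2.1:5300
        host, port = value.split(":")
    addr = ipaddress.ip_address(host)              # ValueError if not an IP
    if not (port.isdigit() and 0 < int(port) < 65536):
        raise ValueError(f"bad port in {value!r}")
    text = f"[{addr}]" if addr.version == 6 else str(addr)
    return f"{text}:{int(port)}"

# Constructed sample inputs: entries 2 and 4 try to smuggle extra content.
SAMPLES = ["192.0.2.7/24", "10.0.0.0/8\nsome-setting=value",
           "2001:db8::/32", "fe80::1%x, 0.0.0.0/0"]

def partition_netmasks(values):
    """Split values into (canonical accepted entries, rejected raw inputs)."""
    accepted, rejected = [], []
    for v in values:
        try:
            accepted.append(validate_netmask(v))
        except ValueError:
            rejected.append(v)
    return accepted, rejected
```

Writing only the canonical string returned by the validator, never the caller's raw input, is what keeps unparsed bytes out of the configuration file.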

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2017-15093
OPENSUSE-SU-2024:11157-1

Affected Products

Powerdns Recursor