CVE-2022-27227

7.5 HIGH

📋 TL;DR

This vulnerability in PowerDNS Authoritative Server and Recursor allows incomplete incremental zone transfers (IXFR) to be incorrectly marked as successful due to insufficient validation of transfer end conditions. This affects organizations running vulnerable versions of PowerDNS that use IXFR for DNS zone synchronization. Attackers could exploit this to cause DNS data inconsistency between primary and secondary servers.

💻 Affected Systems

Products:
  • PowerDNS Authoritative Server
  • PowerDNS Recursor
Versions: Authoritative: before 4.4.3, 4.5.x before 4.5.4, 4.6.x before 4.6.1; Recursor: before 4.4.8, 4.5.x before 4.5.8, 4.6.x before 4.6.1
Operating Systems: All operating systems running PowerDNS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using IXFR (incremental zone transfers). Systems using only AXFR (full zone transfers) are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

DNS zone data corruption leading to DNS resolution failures, service disruption, or DNS cache poisoning if inconsistent data propagates through the DNS hierarchy.

🟠 Likely Case

Secondary DNS servers receiving incomplete zone data, causing DNS resolution inconsistencies and potential service availability issues for domains served by affected servers.

🟢 If Mitigated

Limited to minor DNS synchronization issues that can be detected and corrected through monitoring and manual intervention.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to trigger IXFR transfers, which typically means access to the primary DNS server or the ability to manipulate zone data. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Authoritative: 4.4.3, 4.5.4, 4.6.1; Recursor: 4.4.8, 4.5.8, 4.6.1

Vendor Advisory: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html

Restart Required: Yes

Instructions:

1. Identify affected PowerDNS version.
2. Backup configuration and zone data.
3. Upgrade to patched version using package manager (apt/yum) or compile from source.
4. Restart PowerDNS service.
5. Verify zone transfers complete successfully.

🔧 Temporary Workarounds

Disable IXFR

all

Configure PowerDNS to use only AXFR (full zone transfers) instead of IXFR

# In pdns.conf: ixfr=no
# In recursor.conf: ixfr=no

Increase IXFR validation

all

Implement additional monitoring and validation of IXFR transfers

# Monitor zone serial numbers: pdns_control show-zones
# Check transfer logs regularly

🧯 If You Can't Patch

  • Implement strict monitoring of zone serial numbers and transfer logs to detect incomplete transfers
  • Configure secondary servers to perform periodic AXFR transfers to ensure data consistency
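
One way to run the consistency check described in the two bullets above, as an added example (not PowerDNS code and not part of the original page): it compares two zone dumps in the text format printed by `dig AXFR` and separates a secondary that is merely behind from one that reports the primary's serial but holds different records, which a serial-only check cannot see. The zone `example.test`, the function names and both sample dumps are constructed for illustration.

```python
# Added example: primary/secondary zone consistency check on dig-style dumps.
# Constructed sample data for the placeholder zone example.test.
SOA = ("example.test. 3600 IN SOA ns1.example.test. "
       "hostmaster.example.test. 2022032502 7200 900 1209600 300\n")
PRIMARY = (SOA + "example.test. 3600 IN NS ns1.example.test.\n"
           "www.example.test. 300 IN A 192.0.2.10\n"
           "mail.example.test. 300 IN A 192.0.2.25\n" + SOA)
# Secondary after a partial update: same serial, one stale and one missing record.
SECONDARY = (SOA + "example.test. 3600 IN NS ns1.example.test.\n"
             "www.example.test. 300 IN A 192.0.2.9\n" + SOA)


def parse_zone(text):
    """Return (soa_serial, {(owner, type, ttl, rdata), ...}) from zone text."""
    serial, records = None, set()
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, dig's ';' comment lines and anything not "owner ttl IN type rdata".
        if len(fields) < 5 or fields[0].startswith(";") or fields[2].upper() != "IN":
            continue
        owner, ttl, rtype = fields[0].lower(), fields[1], fields[3].upper()
        if rtype == "SOA" and len(fields) >= 7:
            serial = int(fields[6])  # owner ttl IN SOA mname rname SERIAL ...
        records.add((owner, rtype, ttl, " ".join(fields[4:])))
    return serial, records


def compare_zones(primary_text, secondary_text):
    """Classify the secondary as in-sync, serial-lag or inconsistent."""
    p_serial, p_rrs = parse_zone(primary_text)
    s_serial, s_rrs = parse_zone(secondary_text)
    missing, stale = sorted(p_rrs - s_rrs), sorted(s_rrs - p_rrs)
    if p_serial != s_serial:
        status = "serial-lag"      # secondary has not caught up yet
    elif missing or stale:
        status = "inconsistent"    # same serial, different content: investigate
    else:
        status = "in-sync"
    return {"status": status, "primary_serial": p_serial,
            "secondary_serial": s_serial, "missing": missing, "stale": stale}


if __name__ == "__main__":
    result = compare_zones(PRIMARY, SECONDARY)
    print(result["status"], result["primary_serial"], result["secondary_serial"])
    for rr in result["missing"]:
        print("missing on secondary:", *rr)
    for rr in result["stale"]:
        print("only on secondary:  ", *rr)
```

In practice the two inputs would be the saved output of a full transfer taken from each server; an `inconsistent` result is the cue to force a fresh AXFR on the secondary.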

🔍 How to Verify

Check if Vulnerable:

Check PowerDNS version: pdns_server --version or pdns_recursor --version and compare against affected versions

Check Version:

pdns_server --version 2>/dev/null || pdns_recursor --version 2>/dev/null

Verify Fix Applied:

Verify version is patched and test IXFR transfers between primary and secondary servers

📡 Detection & Monitoring

Log Indicators:

  • IXFR transfer completion without proper validation
  • Zone serial number mismatches between servers
  • Unexpected zone transfer failures

Network Indicators:

  • Incomplete DNS zone data in responses
  • Inconsistent DNS records between primary and secondary servers

SIEM Query:

source="powerdns" AND ("IXFR" OR "zone transfer") AND ("incomplete" OR "failed" OR "mismatch")
