Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
archlinuxArchLinuxASA-201811-12
HistoryNov 12, 2018 - 12:00 a.m.

[ASA-201811-12] powerdns: denial of service

2018-11-1200:00:00
security.archlinux.org
7

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.004 Low

EPSS

Percentile

74.7%

JSON

Arch Linux Security Advisory ASA-201811-12

Severity: Medium
Date : 2018-11-12
CVE-ID : CVE-2018-10851 CVE-2018-14626
Package : powerdns
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-804

Summary

The package powerdns before version 4.1.5-1 is vulnerable to denial of
service.

Resolution

Upgrade to 4.1.5-1.

pacman -Syu “powerdns>=4.1.5-1”

The problems have been fixed upstream in version 4.1.5.

Workaround

None.

Description

  • CVE-2018-10851 (denial of service)

An issue has been found in PowerDNS Authoritative Server before 4.1.5
and PowerDNS Recursor before 4.1.5. The issue is due to the fact that
some memory is allocated before the parsing and is not always properly
released if the record is malformed.
In the authoritative server case, it allows an authorized user to cause
a memory leak by inserting a specially crafted record in a zone under
their control, then sending a DNS query for that record. In the case of
the recursor, it allows a malicious authoritative server to cause a
memory leak by sending specially crafted records.

  • CVE-2018-14626 (denial of service)

An issue has been found in PowerDNS Authoritative Server before 4.1.5
and PowerDNS Recursor before 4.1.5, allowing a remote user to craft a
DNS query that will cause an answer without DNSSEC records to be
inserted into the packet cache and be returned to clients asking for
DNSSEC records, thus hiding the presence of DNSSEC signatures for a
specific qname and qtype. For a DNSSEC-signed domain, this means that
DNSSEC validating clients will consider the answer to be bogus until it
expires from the packet cache, leading to a denial of service.

Impact

A remote attacker might be able to use crafted queries to crash the
PowerDNS server or force it to serve answers without DNSSEC-related
records to DNSSEC-enabled queries, causing validation failures.

References

https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html
https://security.archlinux.org/CVE-2018-10851
https://security.archlinux.org/CVE-2018-14626

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanypowerdns< 4.1.5-1UNKNOWN

Related

nessus 13
suse 8
openvas 23
fedora 11
mageia 2
freebsd 2
archlinux 1
prion 2
veracode 2
osv 2
cve 2
debiancve 2
ubuntucve 2
alpinelinux 2
nessus
nessus
openSUSE Security Update : pdns (openSUSE-2019-989)
2019-03-27 00:00:00
openSUSE Security Update : pdns (openSUSE-2018-1566)
2018-12-18 00:00:00
Fedora 28 : pdns (2018-2ff7cdbb7b)
2019-01-03 00:00:00
suse
suse
Security update for pdns (moderate)
2018-12-18 18:09:11
Security update for pdns (moderate)
2018-12-12 09:41:14
Security update for pdns (moderate)
2018-12-17 21:12:29
openvas
openvas
openSUSE: Security Advisory for pdns (openSUSE-SU-2018:4156-1)
2018-12-18 00:00:00
Mageia: Security Advisory (MGASA-2019-0008)
2022-01-28 00:00:00
openSUSE: Security Advisory for pdns (openSUSE-SU-2018:4156-1)
2018-12-18 00:00:00
fedora
fedora
[SECURITY] Fedora 29 Update: pdns-4.1.5-1.fc29
2018-11-16 04:49:30
[SECURITY] Fedora 28 Update: pdns-4.1.5-1.fc28
2018-11-16 02:58:13
[SECURITY] Fedora 29 Update: pdns-4.1.7-1.fc29
2019-03-27 15:02:18
mageia
mageia
Updated pdns packages fix security vulnerabilities
2019-01-05 21:30:16
Updated pdns-recursor packages fix security vulnerabilities
2019-01-05 21:30:16
freebsd
freebsd
powerdns -- Multiple vulnerabilities
2018-11-06 00:00:00
powerdns-recursor -- Multiple vulnerabilities
2018-11-06 00:00:00
archlinux
archlinux
[ASA-201811-13] powerdns-recursor: denial of service
2018-11-12 00:00:00
prion
prion
Memory corruption
2018-11-29 18:29:00
Denial of service
2018-11-29 18:29:00
veracode
veracode
Denial Of Service (DoS)
2020-08-06 21:38:04
Denial Of Service (DoS)
2020-08-06 21:33:06
osv
osv
CVE-2018-10851
2018-11-29 18:29:00
CVE-2018-14626
2018-11-29 18:29:00
cve
cve
CVE-2018-10851
2018-11-29 18:29:00
CVE-2018-14626
2018-11-29 18:29:00
debiancve
debiancve
CVE-2018-10851
2018-11-29 18:29:00
CVE-2018-14626
2018-11-29 18:29:00
ubuntucve
ubuntucve
CVE-2018-10851
2018-11-29 00:00:00
CVE-2018-14626
2018-11-29 00:00:00
alpinelinux
alpinelinux
CVE-2018-14626
2018-11-29 18:29:00
CVE-2018-10851
2018-11-29 18:29:00

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.004 Low

EPSS

Percentile

74.7%

JSON
Related for ASA-201811-12
nessus13suse8openvas23fedora11mageia2freebsd2archlinux1prion2veracode2osv2cve2debiancve2ubuntucve2alpinelinux2