Lucene search

FreeBSDF2D8342F-1134-11EF-8791-6805CA2FA271

HistoryMay 13, 2024 - 12:00 a.m.

dnsdist -- Transfer requests received over DoH can lead to a denial of service

2024-05-1300:00:00

vuxml.freebsd.org

dnsdist

denial of service

dns over https

security advisory

axfr

ixfr

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

PowerDNS Security Advisory reports:

When incoming DNS over HTTPS support is enabled using the nghttp2 provider,
and queries are routed to a tcp-only or DNS over TLS backend, an attacker can
trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR
or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a
Denial of Service. DNS over HTTPS is not enabled by default, and backends are using
plain DNS (Do53) by default.

OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchdnsdist< 1.9.4UNKNOWN

OS	Version	Architecture	Package	Version	Filename
FreeBSD	any	noarch	dnsdist	< 1.9.4	UNKNOWN

References

dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for F2D8342F-1134-11EF-8791-6805CA2FA271