CVE-2024-25590 – Crafted responses can lead to a denial of service due to cache inefficiencies in the Recursor
https://notcve.org/view.php?id=CVE-2024-25590
An attacker can publish a zone containing specific Resource Record Sets. Repeatedly processing and caching results for these sets can lead to a denial of service. • https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html • CWE-20: Improper Input Validation •
CVE-2024-25583 – Crafted responses can lead to a denial of service in Recursor if recursive forwarding is configured
https://notcve.org/view.php?id=CVE-2024-25583
A crafted response from an upstream server the recursor has been configured to forward-recurse to can cause a Denial of Service in the Recursor. The default configuration of the Recursor does not use recursive forwarding and is not affected. Una respuesta manipulada desde un servidor ascendente al que se ha configurado el recursor para reenviar puede causar una denegación de servicio en el recursor. La configuración predeterminada del Recursor no utiliza el reenvío recursivo y no se ve afectada. • http://www.openwall.com/lists/oss-security/2024/04/24/1 https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html • CWE-20: Improper Input Validation •
CVE-2023-50387 – bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator
https://notcve.org/view.php?id=CVE-2023-50387
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. Ciertos aspectos DNSSEC del protocolo DNS (en RFC 4035 y RFC relacionados) permiten a atacantes remotos provocar una denegación de servicio (consumo de CPU) a través de una o más respuestas DNSSEC cuando hay una zona con muchos registros DNSKEY y RRSIG, también conocido como "KeyTrap". " asunto. La especificación del protocolo implica que un algoritmo debe evaluar todas las combinaciones de registros DNSKEY y RRSIG. Processing specially crafted responses coming from DNSSEC-signed zones can lead to uncontrolled CPU usage, leading to a Denial of Service in the DNSSEC-validating resolver side. This vulnerability applies only for systems where DNSSEC validation is enabled. • https://github.com/knqyf263/CVE-2023-50387 http://www.openwall.com/lists/oss-security/2024/02/16/2 http://www.openwall.com/lists/oss-security/2024/02/16/3 https://access.redhat.com/security/cve/CVE-2023-50387 https://bugzilla.suse.com/show_bug.cgi?id=1219823 https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 https://kb.isc.org/docs/cve-2023-50387 https://lists • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2023-26437 – Deterred spoofing attempts can lead to authoritative servers being marked unavailable
https://notcve.org/view.php?id=CVE-2023-26437
Denial of service vulnerability in PowerDNS Recursor allows authoritative servers to be marked unavailable.This issue affects Recursor: through 4.6.5, through 4.7.4 , through 4.8.3. • https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CN7VMRYKZHG2UDUAK326LXD3JY7NO3LR https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IHPD6SIQOG7245GXFQHPUEI4AZ6Y3KD6 •
CVE-2023-22617
https://notcve.org/view.php?id=CVE-2023-22617
A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM fallback mode. This is fixed in 4.8.1. Un atacante remoto podría provocar una recursividad infinita en PowerDNS Recursor 4.8.0 a través de una consulta DNS que recupera registros DS para un dominio mal configurado, porque la minimización de QName se utiliza en el modo de reserva de QM. Esto se solucionó en 4.8.1. • http://www.openwall.com/lists/oss-security/2023/01/20/1 https://docs.powerdns.com/recursor/changelog/4.8.html#change-4.8.1 https://docs.powerdns.com/recursor/security-advisories • CWE-674: Uncontrolled Recursion •