CVE-2016-7068

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 3.7.4 and 4.0.4, allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the PowerDNS server by sending crafted DNS queries, which might result in a partial denial of service if the system becomes overloaded. This issue is based on the fact that the PowerDNS server parses all records present in a query regardless of whether they are needed or even legitimate. A specially crafted query containing a large number of records can be used to take advantage of that behaviour.

Se ha descubierto un problema en PowerDNS en versiones anteriores a la 3.4.11 y 4.0.2, y PowerDNS recursor en versiones anteriores a la 3.7.4 y 4.0.4, que permite que un atacante no autenticado remoto provoque una carga de uso de CPU anormal en el servidor de PowerDNS mediante el envío de consultas DNS manipuladas, lo que podría resultar en una denegación de servicio (DoS) parcial si el sistema se sobrecarga. Este problema se basa en el hecho de que el servidor de PowerDNS analiza todos los registros presentes en una consulta, independientemente de si se necesitan o incluso si son legítimos. Una consulta especialmente manipulada que contiene un gran número de registros puede emplearse para aprovecharse de este comportamiento.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-08-23 CVE Reserved
2017-01-15 CVE Published
2023-09-05 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-400: Uncontrolled Resource Consumption

CAPEC

References (4)

URL	Tag	Source
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7068	Issue Tracking

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://doc.powerdns.com/md/security/powerdns-advisory-2016-02	2019-10-09
https://www.debian.org/security/2017/dsa-3763	2019-10-09
https://www.debian.org/security/2017/dsa-3764	2019-10-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Powerdns Search vendor "Powerdns"		Authoritative Search vendor "Powerdns" for product "Authoritative"				< 3.4.11 Search vendor "Powerdns" for product "Authoritative" and version " < 3.4.11"		-		Affected
Powerdns Search vendor "Powerdns"		Authoritative Search vendor "Powerdns" for product "Authoritative"				>= 4.0.0 < 4.0.2 Search vendor "Powerdns" for product "Authoritative" and version " >= 4.0.0 < 4.0.2"		-		Affected
Powerdns Search vendor "Powerdns"		Recursor Search vendor "Powerdns" for product "Recursor"				< 3.7.4 Search vendor "Powerdns" for product "Recursor" and version " < 3.7.4"		-		Affected
Powerdns Search vendor "Powerdns"		Recursor Search vendor "Powerdns" for product "Recursor"				>= 4.0.0 < 4.0.4 Search vendor "Powerdns" for product "Recursor" and version " >= 4.0.0 < 4.0.4"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected