CVE-2024-25581
Transfer requests received over DoH can lead to a denial of service in DNSdist
- Public Exploits: 0
- Exploited in Wild: -
- Decision: Attend
Descriptions
When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service. DNS over HTTPS is not enabled by default, and backends are using plain DNS (Do53) by default.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-02-08 CVE Reserved
- 2024-05-13 CVE Published
- 2024-05-14 EPSS Updated
- 2024-08-01 CVE Updated
CWE
- CWE-20: Improper Input Validation
CAPEC
- CAPEC-212: Functionality Misuse
References (2)
- http://www.openwall.com/lists/oss-security/2024/05/13/1
- https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status |
---|---|---|---|
PowerDNS | DNSdist | 1.9.0 | Affected |
PowerDNS | DNSdist | 1.9.1 | Affected |
PowerDNS | DNSdist | 1.9.2 | Affected |
PowerDNS | DNSdist | 1.9.3 | Affected |