ID

VAR-201609-0049


CVE

CVE-2016-6172


TITLE

Denial-of-Service (DoS) Vulnerability in PowerDNS Authoritative Server

Trust: 0.8

sources: JVNDB: JVNDB-2016-005033

DESCRIPTION

PowerDNS (aka pdns) Authoritative Server before 4.0.1 allows remote primary DNS servers to cause a denial of service (memory exhaustion and secondary DNS server crash) via a large (1) AXFR or (2) IXFR response. Supplementary information: the vulnerability type has been identified as CWE-400: Uncontrolled Resource Consumption (resource depletion). Multiple DNS servers are prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause a denial-of-service condition, denying service to legitimate users.

Trust: 1.89

sources: NVD: CVE-2016-6172 // JVNDB: JVNDB-2016-005033 // BID: 91678

AFFECTED PRODUCTS

vendor: opensuse, model: opensuse, scope: eq, version: 13.2

Trust: 1.8

vendor: opensuse, model: leap, scope: eq, version: 42.1

Trust: 1.8

vendor: powerdns, model: authoritative server, scope: lte, version: 4.0.0

Trust: 1.0

vendor: powerdns, model: authoritative server, scope: lt, version: 4.0.1

Trust: 0.8

vendor: novell, model: leap, scope: eq, version: 42.1

Trust: 0.6

vendor: powerdns, model: authoritative server, scope: eq, version: 4.0.0

Trust: 0.6

vendor: powerdns, model: authoritative server, scope: eq, version: 3.4.7

Trust: 0.3

vendor: powerdns, model: authoritative server, scope: eq, version: 3.4.6

Trust: 0.3

vendor: powerdns, model: authoritative server, scope: eq, version: 3.4.5

Trust: 0.3

vendor: powerdns, model: authoritative server, scope: eq, version: 3.4.4

Trust: 0.3

vendor: powerdns, model: authoritative server, scope: eq, version: 3.4

Trust: 0.3

vendor: nsd, model: nsd, scope: eq, version: 0

Trust: 0.3

vendor: knot, model: dns knot dns, scope: eq, version: 0

Trust: 0.3

vendor: powerdns, model: authoritative server, scope: ne, version: 4.0.0

Trust: 0.3

sources: BID: 91678 // JVNDB: JVNDB-2016-005033 // CNNVD: CNNVD-201607-080 // NVD: CVE-2016-6172

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-6172
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-6172
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201607-080
value: HIGH

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2016-6172
severity: HIGH
baseScore: 7.1
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2016-6172
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 4.0
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2016-005033 // CNNVD: CNNVD-201607-080 // NVD: CVE-2016-6172

PROBLEMTYPE DATA

problemtype:CWE-400

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2016-005033 // NVD: CVE-2016-6172

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201607-080

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201607-080

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-005033

PATCH

title: Add limits to the size of received AXFR, in megabytes #4134
url: https://github.com/PowerDNS/pdns/pull/4134

Trust: 0.8

title: xfer size issue #4128
url: https://github.com/PowerDNS/pdns/issues/4128

Trust: 0.8

title: Add limits to the size of received {A,I}XFR, in megabytes #4133
url: https://github.com/PowerDNS/pdns/pull/4133

Trust: 0.8

title: openSUSE-SU-2016:2116
url: https://lists.opensuse.org/opensuse-updates/2016-08/msg00085.html

Trust: 0.8

title: PowerDNS Authoritative Server 4.0.1
url: https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-401

Trust: 0.8

title: PowerDNS Remediation measures for denial of service vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=62672

Trust: 0.6

sources: JVNDB: JVNDB-2016-005033 // CNNVD: CNNVD-201607-080

EXTERNAL IDS

db: NVD, id: CVE-2016-6172

Trust: 2.7

db: OPENWALL, id: OSS-SECURITY/2016/07/06/3

Trust: 1.6

db: BID, id: 91678

Trust: 1.3

db: SECTRACK, id: 1036242

Trust: 1.0

db: JVNDB, id: JVNDB-2016-005033

Trust: 0.8

db: CNNVD, id: CNNVD-201607-080

Trust: 0.6

sources: BID: 91678 // JVNDB: JVNDB-2016-005033 // CNNVD: CNNVD-201607-080 // NVD: CVE-2016-6172

REFERENCES

url:https://github.com/sischkg/xfer-limit/blob/master/readme.md

Trust: 1.9

url:http://www.openwall.com/lists/oss-security/2016/07/06/3

Trust: 1.6

url:https://github.com/powerdns/pdns/issues/4128

Trust: 1.6

url:http://lists.opensuse.org/opensuse-updates/2016-08/msg00085.html

Trust: 1.6

url:https://github.com/powerdns/pdns/issues/4133

Trust: 1.6

url:https://lists.dns-oarc.net/pipermail/dns-operations/2016-july/015058.html

Trust: 1.6

url:https://github.com/powerdns/pdns/pull/4134

Trust: 1.6

url:https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-401

Trust: 1.6

url:http://www.debian.org/security/2016/dsa-3664

Trust: 1.0

url:http://www.securitytracker.com/id/1036242

Trust: 1.0

url:http://www.securityfocus.com/bid/91678

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6172

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-6172

Trust: 0.8

url:https://github.com/powerdns/pdns/pull/4133

Trust: 0.3

url:https://lists.dns-oarc.net/pipermail/dns-operations/2016-july/015073.html

Trust: 0.3

sources: BID: 91678 // JVNDB: JVNDB-2016-005033 // CNNVD: CNNVD-201607-080 // NVD: CVE-2016-6172

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 91678

SOURCES

db: BID, id: 91678
db: JVNDB, id: JVNDB-2016-005033
db: CNNVD, id: CNNVD-201607-080
db: NVD, id: CVE-2016-6172

LAST UPDATE DATE

2024-11-23T20:17:29.581000+00:00


SOURCES UPDATE DATE

db: BID, id: 91678, date: 2016-07-07T00:00:00
db: JVNDB, id: JVNDB-2016-005033, date: 2016-10-04T00:00:00
db: CNNVD, id: CNNVD-201607-080, date: 2016-09-27T00:00:00
db: NVD, id: CVE-2016-6172, date: 2024-11-21T02:55:35.990

SOURCES RELEASE DATE

db: BID, id: 91678, date: 2016-07-07T00:00:00
db: JVNDB, id: JVNDB-2016-005033, date: 2016-10-04T00:00:00
db: CNNVD, id: CNNVD-201607-080, date: 2016-07-07T00:00:00
db: NVD, id: CVE-2016-6172, date: 2016-09-26T16:59:04.947