Sign-up

ID

VAR-201907-1556


CVE

CVE-2019-10163


TITLE

PowerDNS Authoritative Server Vulnerable to resource exhaustion

Trust: 0.8

sources: JVNDB: JVNDB-2019-007437

DESCRIPTION

A Vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.9, 4.0.8 allowing a remote, authorized master server to cause a high CPU load or even prevent any further updates to any slave zone by sending a large number of NOTIFY messages. Note that only servers configured as slaves are affected by this issue. PowerDNS Authoritative Server Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. PowerDNSAuthoritativeServer is a DNS server of the Dutch PowerDNS company. A security vulnerability exists in PowerDNSAuthoritativeServer 4.1.8 and earlier. An attacker could exploit the vulnerability by sending a large number of NOTIFY packets to cause a denial of service. PowerDNS Authoritative Server is prone to a denial-of-service vulnerability. PowerDNS Authoritative Server version 4.1.8 and prior are vulnerable. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4470-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff June 23, 2019 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : pdns CVE ID : CVE-2019-10162 CVE-2019-10163 Two vulnerabilities have been discovered in pdns, an authoritative DNS server which may result in denial of service via malformed zone records and excessive NOTIFY packets in a master/slave setup. For the stable distribution (stretch), these problems have been fixed in version 4.0.3-1+deb9u5. We recommend that you upgrade your pdns packages. For the detailed security status of pdns please refer to its security tracker page at: https://security-tracker.debian.org/tracker/pdns Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl0P6LYACgkQEMKTtsN8 Tjbi2RAAqjNYSOlZ5W/yfVxGPO5OiyC8XojhGPuPdVmByyCDTqzgPtZftKHxXfD2 0sdc5/NM7ZNC/3brzRrVlMVRm7/bJvPloeDAGb8bnSzge9Nzz9FB7zcQxc5fdaqA pn7/++FWXDmOVy2NEObcerk/SodAWDpVfmIZP6kH3aIeGs0WrUA/cusmV+C94kgv 6XVJ3IW2dsIQrHvkoBMi4TJg5PrIHW0RruuJHlUSUgTusZ3XQS+hd93dciK7E+an xi0yB5oA6Mb/vw7DzlBRQfkgMiG6p9YRTgXwBdvrxqEVkNYpq9G/xH+nUdE6rDqt M3bG5tUMGCdtywwmwaSGXvkv6/5puPkMRpJIyTeVQTVYMbOgWyovC5sB5T8JytyD tW7qpbv/Mbhw0mmh0m8KoWnegNQhTTn8d3IKCxalB9JYpw3zhkHmfQW79lBRtqCy SvJEhkOVW7yhsWCl+HjKMXphsPST/oeKP3vJx4ET+4n58OfOt9Fm7rx406g2sY2o NsUwTdF3GDD00v0iuF+Vcm2nA6Qj6dOAXlp4kZygjFbDao4iF6lzY4KGDYS/Pn5Z kB4g58ShfWkAE+/WAvF8QVNcICnlI3l9SxwR2NiY/x6O53vkYBWeiJP/OvRQhlPQ Kw4enCb3qrjgb6jMNDPBMe8TjMh92sEqiXPQBy57OcStAjcfxfI= =nUCz -----END PGP SIGNATURE-----

Trust: 2.61

sources: NVD: CVE-2019-10163 // JVNDB: JVNDB-2019-007437 // CNVD: CNVD-2019-19481 // BID: 108878 // VULMON: CVE-2019-10163 // PACKETSTORM: 153381

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-19481

AFFECTED PRODUCTS

vendor:powerdnsmodel:authoritativescope:gteversion:4.1.0

Trust: 1.0

vendor:powerdnsmodel:authoritativescope:ltversion:4.0.8

Trust: 1.0

vendor:powerdnsmodel:authoritativescope:eqversion:4.1.0

Trust: 1.0

vendor:powerdnsmodel:authoritativescope:ltversion:4.1.9

Trust: 1.0

vendor:opensusemodel:backportsscope:eqversion:sle-15

Trust: 1.0

vendor:opensusemodel:leapscope:eqversion:15.1

Trust: 1.0

vendor:opensusemodel:leapscope:eqversion:15.0

Trust: 1.0

vendor:powerdnsmodel:authoritativescope:gteversion:4.0.0

Trust: 1.0

vendor:powerdnsmodel:authoritative serverscope:ltversion:4.0.8

Trust: 0.8

vendor:powerdnsmodel:authoritative serverscope:ltversion:4.1.9

Trust: 0.8

vendor:powerdnsmodel:authoritative serverscope:lteversion:<=4.1.8

Trust: 0.6

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.1.8

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.1.7

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.1.6

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.1.5

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.1.4

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.1.3

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.1.2

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.1.1

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.1

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.0.7

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.0.6

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.0.5

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.0.4

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.0.3

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.0.2

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.0.1

Trust: 0.3

vendor:powerdnsmodel:authoritative server 4.0.0-rc2scope: - version: -

Trust: 0.3

vendor:powerdnsmodel:authoritative server 4.0.0-beta1scope: - version: -

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:eqversion:4.0.0

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:neversion:4.1.9

Trust: 0.3

vendor:powerdnsmodel:authoritative serverscope:neversion:4.0.8

Trust: 0.3

sources: CNVD: CNVD-2019-19481 // BID: 108878 // JVNDB: JVNDB-2019-007437 // NVD: CVE-2019-10163

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-10163
value: MEDIUM

Trust: 1.0

secalert@redhat.com: CVE-2019-10163
value: LOW

Trust: 1.0

NVD: CVE-2019-10163
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-19481
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201906-866
value: MEDIUM

Trust: 0.6

VULMON: CVE-2019-10163
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-10163
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-19481
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-10163
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 1.0

secalert@redhat.com: CVE-2019-10163
baseSeverity: LOW
baseScore: 3.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: 2.1
impactScore: 1.4
version: 3.0

Trust: 1.0

NVD: CVE-2019-10163
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-19481 // VULMON: CVE-2019-10163 // JVNDB: JVNDB-2019-007437 // CNNVD: CNNVD-201906-866 // NVD: CVE-2019-10163 // NVD: CVE-2019-10163

PROBLEMTYPE DATA

problemtype:CWE-770

Trust: 1.0

problemtype:CWE-400

Trust: 0.8

sources: JVNDB: JVNDB-2019-007437 // NVD: CVE-2019-10163

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-866

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201906-866

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-007437

PATCH
title:PowerDNS Authoritative Server 4.0.8 and 4.1.10 Releasedurl:https://blog.powerdns.com/2019/06/21/powerdns-authoritative-server-4-0-8-and-4-1-10-released/
Trust: 0.8
title:PowerDNS Security Advisory 2019-05: Denial of service via NOTIFY packetsurl:https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-05.html
Trust: 0.8
title:PowerDNSAuthoritativeServer denial of service vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/165551
Trust: 0.6
title:PowerDNS Authoritative Server Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=94008
Trust: 0.6
title:Debian Security Advisories: DSA-4470-1 pdns -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=ef0d33d49b08fb003c26be24d917554f
Trust: 0.1
title: - url:https://github.com/Live-Hack-CVE/CVE-2019-10163 
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-19481 // 
            
            
            
            VULMON: CVE-2019-10163 // 
            
            
            
            JVNDB: JVNDB-2019-007437 // 
            
            
            
            CNNVD: CNNVD-201906-866

EXTERNAL IDS
db:NVDid:CVE-2019-10163
Trust: 3.5
db:BIDid:108878
Trust: 1.6
db:AUSCERTid:ESB-2019.2234
Trust: 1.2
db:JVNDBid:JVNDB-2019-007437
Trust: 0.8
db:PACKETSTORMid:153381
Trust: 0.7
db:CNVDid:CNVD-2019-19481
Trust: 0.6
db:AUSCERTid:ESB-2019.2436
Trust: 0.6
db:CNNVDid:CNNVD-201906-866
Trust: 0.6
db:VULMONid:CVE-2019-10163
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-19481 // 
            
            
            
            VULMON: CVE-2019-10163 // 
            
            
            
            BID: 108878 // 
            
            
            
            JVNDB: JVNDB-2019-007437 // 
            
            
            
            PACKETSTORM: 153381 // 
            
            
            
            CNNVD: CNNVD-201906-866 // 
            
            
            
            NVD: CVE-2019-10163

REFERENCES
url:https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-05.html
Trust: 2.0
url:https://blog.powerdns.com/2019/06/21/powerdns-authoritative-server-4-0-8-and-4-1-10-released/
Trust: 1.7
url:https://bugzilla.redhat.com/show_bug.cgi?id=cve-2019-10163
Trust: 1.7
url:http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00036.html
Trust: 1.7
url:http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00054.html
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2019-10163
Trust: 1.5
url:http://www.debian.org/security/2019/dsa-4470
Trust: 1.3
url:https://www.auscert.org.au/bulletins/esb-2019.2234/
Trust: 1.2
url:http://www.powerdns.com/
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10163
Trust: 0.8
url:https://www.securityfocus.com/bid/108878
Trust: 0.7
url:https://lists.debian.org/debian-lts-announce/2019/07/msg00002.html
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2019.2436/
Trust: 0.6
url:https://vigilance.fr/vulnerability/powerdns-denial-of-service-via-notify-packets-29602
Trust: 0.6
url:https://packetstormsecurity.com/files/153381/debian-security-advisory-4470-1.html
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/770.html
Trust: 0.1
url:https://github.com/live-hack-cve/cve-2019-10163
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://security-tracker.debian.org/tracker/pdns
Trust: 0.1
url:https://www.debian.org/security/faq
Trust: 0.1
url:https://www.debian.org/security/
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2019-10162
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-19481 // 
            
            
            
            VULMON: CVE-2019-10163 // 
            
            
            
            BID: 108878 // 
            
            
            
            JVNDB: JVNDB-2019-007437 // 
            
            
            
            PACKETSTORM: 153381 // 
            
            
            
            CNNVD: CNNVD-201906-866 // 
            
            
            
            NVD: CVE-2019-10163

CREDITS
Debian,Gert van Dijk
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201906-866

SOURCES
db:CNVDid:CNVD-2019-19481
db:VULMONid:CVE-2019-10163
db:BIDid:108878
db:JVNDBid:JVNDB-2019-007437
db:PACKETSTORMid:153381
db:CNNVDid:CNNVD-201906-866
db:NVDid:CVE-2019-10163

LAST UPDATE DATE
2024-11-23T22:06:07.249000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-19481date:2019-06-28T00:00:00
db:VULMONid:CVE-2019-10163date:2023-02-03T00:00:00
db:BIDid:108878date:2019-06-21T00:00:00
db:JVNDBid:JVNDB-2019-007437date:2019-08-09T00:00:00
db:CNNVDid:CNNVD-201906-866date:2020-10-09T00:00:00
db:NVDid:CVE-2019-10163date:2024-11-21T04:18:33.233

SOURCES RELEASE DATE
db:CNVDid:CNVD-2019-19481date:2019-06-28T00:00:00
db:VULMONid:CVE-2019-10163date:2019-07-30T00:00:00
db:BIDid:108878date:2019-06-21T00:00:00
db:JVNDBid:JVNDB-2019-007437date:2019-08-09T00:00:00
db:PACKETSTORMid:153381date:2019-06-23T19:22:22
db:CNNVDid:CNNVD-201906-866date:2019-06-24T00:00:00
db:NVDid:CVE-2019-10163date:2019-07-30T23:15:12.263