CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
82.7%
Severity: Medium
Date : 2017-01-19
CVE-ID : CVE-2016-7068 CVE-2016-7073 CVE-2016-7074
Package : powerdns-recursor
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-148
The package powerdns-recursor before version 4.0.4-1 is vulnerable to
multiple issues including denial of service and insufficient
validation.
Upgrade to 4.0.4-1.
The problems have been fixed upstream in version 4.0.4.
None.
An issue has been found in PowerDNS allowing a remote, unauthenticated
attacker to cause an abnormal CPU usage load on the PowerDNS server by
sending crafted DNS queries, which might result in a partial denial of
service if the system becomes overloaded. This issue is based on the
fact that the PowerDNS server parses all records present in a query
regardless of whether they are needed or even legitimate. A specially
crafted query containing a large number of records can be used to take
advantage of that behaviour.
An issue has been found in PowerDNS Authoritative Server and PowerDNS
Recursor allowing an attacker in position of man-in-the-middle to alter
the content of an AXFR because of insufficient validation of TSIG
signatures. A missing check of the TSIG time and fudge values in
AXFRRetriever, leading to a possible replay attack.
An issue has been found in PowerDNS Authoritative Server and PowerDNS
Recursor allowing an attacker in position of man-in-the-middle to alter
the content of an AXFR because of insufficient validation of TSIG
signatures. A missing check that the TSIG record is the last one,
leading to the possibility of parsing records that are not covered by
the TSIG signature.
A remote attacker is able to perform a denial of service attack or
bypass certain verification possibly leading to a replay attack.
http://seclists.org/oss-sec/2017/q1/97
https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/
https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/
https://security.archlinux.org/CVE-2016-7068
https://security.archlinux.org/CVE-2016-7073
https://security.archlinux.org/CVE-2016-7074
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | powerdns-recursor | < 4.0.4-1 | UNKNOWN |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
82.7%