SB2024100201 - Ubuntu update for knot-resolver
Published: October 2, 2024
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2019-10190)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
A vulnerability was discovered in the DNS resolver component of Knot Resolver through version 3.2.0 before 4.1.0 which allows remote attackers to bypass DNSSEC validation for non-existence answers. An NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of a SERVFAIL packet being sent. Caching is not affected by this particular bug, but see CVE-2019-10191.
2) Input validation error (CVE-ID: CVE-2019-10191)
The vulnerability allows a remote attacker to hijack a domain on the target system.
The vulnerability exists due to insufficient validation of user-supplied input in the DNS resolver. A remote attacker can downgrade DNSSEC-secure domains to a DNSSEC-insecure state, opening the possibility of domain hijacking through attacks against the insecure DNS protocol.
3) Resource management error (CVE-ID: CVE-2019-19331)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).
4) Resource exhaustion (CVE-ID: CVE-2020-12667)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when processing NSDNAME in NS records. A remote attacker can perform traffic amplification via a crafted DNS answer from an attacker-controlled server. This vulnerability is dubbed "NXNSAttack".
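For the CVE-2019-19331 condition in item 3, a monitoring sensor in front of the resolver can flag upstream replies that pack an unusually large number of resource records into one message. The following is an added example, not code from this bulletin or from the Knot Resolver project; the function names, the 1000-record threshold and the `example.test` sample reply are assumptions constructed for illustration.

```python
import struct

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
RR_FIXED = struct.Struct("!HHIH")  # type, class, ttl, rdlength

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while off < len(msg):
        length = msg[off]
        if length & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length
        if length == 0:                 # root label ends the name
            return off
    raise ValueError("truncated name")

def count_records(msg):
    """Walk every record and return the number found in each section."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated header")
    _id, _flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    off = HEADER.size
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # qtype + qclass
    counts = {}
    for section, declared in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(declared):
            off = skip_name(msg, off)
            if off + RR_FIXED.size > len(msg):
                raise ValueError("header declares more records than the message holds")
            rdlength = RR_FIXED.unpack_from(msg, off)[3]
            off += RR_FIXED.size + rdlength
        counts[section] = declared
    if off > len(msg):
        raise ValueError("truncated record data")
    return counts

def is_oversized(msg, limit=1000):
    """True when the reply carries more records than `limit` (assumed threshold)."""
    return sum(count_records(msg).values()) > limit

def sample_reply(n):
    """Constructed test input: a reply for example.test carrying n A records."""
    question = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + RR_FIXED.pack(1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return HEADER.pack(0x1234, 0x8180, 1, n, 0, 0) + question + rr * n
```

With name compression each A record costs 16 bytes, which is why a few thousand of them fit under the 64kB message limit mentioned above.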
Remediation
Install the update from the vendor's website.