Ubuntu update for knot-resolver



Published: 2024-10-02
Risk Medium
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2019-10190
CVE-2019-10191
CVE-2019-19331
CVE-2020-12667
CWE-ID CWE-20
CWE-399
CWE-400
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Ubuntu
Operating systems & Components / Operating system

knot-resolver (Ubuntu package)
Operating systems & Components / Operating system package or component

Vendor Canonical Ltd.

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU30985

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-10190

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

A vulnerability was discovered in DNS resolver component of knot resolver through version 3.2.0 before 4.1.0 which allows remote attackers to bypass DNSSEC validation for non-existence answer. NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of sending a SERVFAIL packet. Caching is not affected by this particular bug but see CVE-2019-10191.

Mitigation

Update the affected package knot-resolver to the latest version.

Vulnerable software versions

Ubuntu: 20.04

knot-resolver (Ubuntu package): before 3.2.1-3ubuntu2.2

CPE2.3 External links

http://ubuntu.com/security/notices/USN-7047-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU22593

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-10191

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to hijack domain on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in DNS resolver. A remote attacker can downgrade DNSSEC-secure domains to DNSSEC-insecure state, opening possibility of domain hijack using attacks against insecure DNS protocol.

Mitigation

Update the affected package knot-resolver to the latest version.

Vulnerable software versions

Ubuntu: 20.04

knot-resolver (Ubuntu package): before 3.2.1-3ubuntu2.2

CPE2.3 External links

http://ubuntu.com/security/notices/USN-7047-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Resource management error

EUVDB-ID: #VU32984

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19331

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).

Mitigation

Update the affected package knot-resolver to the latest version.

Vulnerable software versions

Ubuntu: 20.04

knot-resolver (Ubuntu package): before 3.2.1-3ubuntu2.2

CPE2.3 External links

http://ubuntu.com/security/notices/USN-7047-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Resource exhaustion

EUVDB-ID: #VU29248

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-12667

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing NSDNAME in NS records. A remote attacker can perform traffic amplification via a crafted DNS answer from an attacker-controlled server. This vulnerability is dubbed "NXNSAttack".

Mitigation

Update the affected package knot-resolver to the latest version.

Vulnerable software versions

Ubuntu: 20.04

knot-resolver (Ubuntu package): before 3.2.1-3ubuntu2.2

CPE2.3 External links

http://ubuntu.com/security/notices/USN-7047-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###