Resource management error in knot-resolver - CVE-2019-19331

 

Resource management error in knot-resolver - CVE-2019-19331

Published: August 3, 2020


Vulnerability identifier: #VU32984
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-19331
CWE-ID: CWE-399
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: CZ-NIC
Affected software:
knot-resolver

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).


How to mitigate CVE-2019-19331

Install updates from vendor's website.

Sources