Resource management error in knot-resolver - CVE-2019-19331

 


Published: August 3, 2020


Vulnerability identifier: #VU32984
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-19331
CWE-ID: CWE-399
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: knot-resolver
Software vendor: CZ-NIC

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies containing a very large number of resource records may be processed very inefficiently, in extreme cases taking several CPU seconds for each such uncached message. For example, a few thousand A records can be packed into a single DNS message (the limit is 64 kB).
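
A defensive check based on the description above, added here as an example that is not part of the original advisory or of Knot Resolver: it walks a raw DNS reply and counts the resource records actually present, so record-dense messages can be flagged in captures or at a monitoring point. The threshold `MAX_RECORDS`, the function names, and the sample reply for `example.com` are assumptions constructed for illustration.

```python
import struct

MAX_RECORDS = 1000  # assumed alert threshold, not from the advisory; tune to your traffic

def skip_name(msg, off):
    """Return the offset just past the domain name that starts at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length & 0xC0:           # 0x40 / 0x80 label types are reserved
            raise ValueError("reserved label type")
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def count_records(msg):
    """Walk a raw DNS message; return how many resource records it really holds."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    try:
        for _ in range(qd):
            off = skip_name(msg, off) + 4            # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            (rdlen,) = struct.unpack("!H", msg[off + 8:off + 10])
            off += 10 + rdlen                        # TYPE, CLASS, TTL, RDLENGTH, RDATA
    except (IndexError, struct.error):
        raise ValueError("malformed DNS message") from None
    if off > len(msg):
        raise ValueError("record runs past end of message")
    return an + ns + ar

def is_record_dense(msg, limit=MAX_RECORDS):
    """True when a reply carries more records than the assumed threshold."""
    return count_records(msg) > limit

def build_sample_reply(n):
    """Constructed test input: a reply for example.com carrying n A records."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, n, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
    # Each RR is 16 bytes: name pointer to offset 12, TYPE A, CLASS IN, TTL, RDLENGTH, address
    rrs = b"".join(struct.pack("!HHHIHI", 0xC00C, 1, 1, 60, 4, 0xC0000200 + i % 256)
                   for i in range(n))
    return header + question + rrs
```

With a compressed owner name each A record costs 16 bytes, so the constructed 4000-record reply is 64029 bytes and still fits under the 64 kB message limit the description mentions.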


Remediation

Install updates from the vendor's website.

External links