#VU111724 Resource management error in PowerDNS Recursor and PowerDNS Authoritative - CVE-2015-1868

Cybersecurity Help s.r.o.

Published: 2016-12-28 | Updated: 2025-06-21

Vulnerability identifier: #VU111724

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2015-1868

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PowerDNS Recursor
Server applications / DNS servers
PowerDNS Authoritative
Server applications / DNS servers

Vendor: PowerDNS.COM B.V.

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authoritative (Auth) Server 3.2.x, 3.3.x before 3.3.2, and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service (CPU consumption or crash) via a request with a name that refers to itself.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PowerDNS Recursor: 3.3, 3.3.1, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.6.0, 3.6.1, 3.6.2, 3.7.1

PowerDNS Authoritative: 3.3.1, 3.4.0, 3.4.1, 3.4.2, 3.4.3

External links
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156648.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156655.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156667.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156680.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156725.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156743.html
https://www.debian.org/security/2015/dsa-3306
https://www.debian.org/security/2015/dsa-3307
https://www.securityfocus.com/bid/74306
https://www.securitytracker.com/id/1032220