#VU32140 Input validation error in PowerDNS - CVE-2016-7074
Published: September 11, 2018 / Updated: July 28, 2020
Vulnerability identifier: #VU32140
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-7074
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
PowerDNS
PowerDNS
Software vendor:
PowerDNS.COM B.V.
PowerDNS.COM B.V.
Description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 4.0.4, allowing an attacker in position of man-in-the-middle to alter the content of an AXFR because of insufficient validation of TSIG signatures. A missing check that the TSIG record is the last one, leading to the possibility of parsing records that are not covered by the TSIG signature.
Remediation
Install update from vendor's website.