#VU32984 Resource management error in knot-resolver - CVE-2019-19331


Vulnerability identifier: #VU32984

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-19331

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
knot-resolver

Vendor: CZ-NIC

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies containing a very large number of resource records may be processed very inefficiently, in extreme cases taking several CPU seconds for each such uncached message. For example, a few thousand A records can be packed into one DNS message (the limit is 64 kB).
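An added example (not from the advisory or from CZ-NIC): a defensive check that walks the resource records of a captured DNS reply and flags messages whose record count exceeds a threshold. The threshold `RR_LIMIT`, the function names and the `example.test` sample reply are assumptions constructed for illustration.

```python
import struct

RR_LIMIT = 1000  # assumed alert threshold; tune to what your resolvers normally see

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def count_records(msg):
    """Walk every RR and return (answer, authority, additional) counts.

    Walking the body, not just reading the header, rejects messages whose
    header counts do not match the data that is actually present.
    """
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    try:
        for _ in range(qd):
            off = skip_name(msg, off) + 4            # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
            off += 10 + rdlen                        # TYPE, CLASS, TTL, RDLENGTH, RDATA
    except (IndexError, struct.error):
        raise ValueError("header counts exceed message body")
    if off > len(msg):
        raise ValueError("last record runs past end of message")
    return an, ns, ar

def is_oversized(msg, limit=RR_LIMIT):
    """True when the reply carries more records than the alert threshold."""
    return sum(count_records(msg)) > limit

def sample_reply(n):
    """Constructed test input: a reply for example.test with n A records."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, n, 0, 0)
    question = b"\x07example\x04test\x00" + struct.pack("!2H", 1, 1)
    # Compressed owner name + fixed fields + IPv4 = 16 bytes per A record,
    # which is why roughly four thousand of them fit under the 64 kB limit.
    rr = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 60, 4)
    body = b"".join(rr + struct.pack("!I", 0xC0000200 + i % 256) for i in range(n))
    return header + question + body
```
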

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

knot-resolver: 1.0.0 - 4.2.2


External links
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19331
https://www.knot-resolver.cz/2019-12-04-knot-resolver-4.3.0.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

