Platform
linux
Component
powerdns-recursor
Fixed in
4.1.1
CVE-2019-3807 affects PowerDNS Recursor versions 4.1.x prior to 4.1.9. This vulnerability allows an attacker to bypass DNSSEC validation, potentially leading to DNS spoofing and manipulation of DNS resolution. The issue stems from improper validation of records received from authoritative servers that do not set the AA flag. A patch is available in version 4.1.9.
Successful exploitation of CVE-2019-3807 enables an attacker to bypass DNSSEC validation, effectively undermining the security of DNS resolution. This could allow an attacker to redirect users to malicious websites, intercept sensitive data transmitted over DNS, or perform other DNS-based attacks. The impact is particularly severe for organizations relying on DNSSEC to ensure the integrity of their DNS data. While the CVSS score is LOW, the potential for widespread impact through DNS manipulation warrants attention.
CVE-2019-3807 was publicly disclosed on January 29, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept (PoC) code is available, demonstrating the feasibility of exploiting the bypass. The vulnerability is not currently listed on CISA KEV.
Exploit Status
EPSS
0.00% (0% percentile)
CVSS Vector
The primary mitigation for CVE-2019-3807 is to upgrade PowerDNS Recursor to version 4.1.9 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting queries from untrusted authoritative servers or implementing stricter DNSSEC validation policies. Monitor DNS logs for suspicious activity and consider implementing intrusion detection systems (IDS) to identify potential exploitation attempts. After upgrade, confirm by querying authoritative servers without the AA flag and verifying DNSSEC validation is enforced.
Update PowerDNS Recursor to version 4.1.9 or higher. This version corrects the incorrect validation of DNSSEC records in responses from authoritative servers, preventing potential DNS resolution manipulation.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2019-3807 is a vulnerability in PowerDNS Recursor versions 4.1.x before 4.1.9 that allows attackers to bypass DNSSEC validation due to improper record validation.
You are affected if you are running PowerDNS Recursor versions 4.1.0 through 4.1.8. Upgrade to 4.1.9 to resolve the issue.
Upgrade PowerDNS Recursor to version 4.1.9 or later. If immediate upgrade is not possible, consider temporary workarounds like restricting queries from untrusted servers.
There is no current evidence of active exploitation campaigns targeting CVE-2019-3807, although a public PoC exists.
Refer to the PowerDNS security advisory for details: https://www.powerdns.com/security/advisory/pdns-2019-001/
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.