Platform
linux
Component
powerdns-recursor
Fixed in
4.1.1
CVE-2019-3807 affects PowerDNS Recursor versions 4.1.x prior to 4.1.9. This vulnerability allows an attacker to bypass DNSSEC validation, potentially leading to DNS spoofing and manipulation of DNS resolution. The issue stems from improper validation of records received from authoritative servers that do not set the AA flag. A patch is available in version 4.1.9.
Successful exploitation of CVE-2019-3807 enables an attacker to bypass DNSSEC validation, effectively undermining the security of DNS resolution. This could allow an attacker to redirect users to malicious websites, intercept sensitive data transmitted over DNS, or perform other DNS-based attacks. The impact is particularly severe for organizations relying on DNSSEC to ensure the integrity of their DNS data. While the CVSS score is LOW, the potential for widespread impact through DNS manipulation warrants attention.
CVE-2019-3807 was publicly disclosed on January 29, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept (PoC) code is available, demonstrating the feasibility of exploiting the bypass. The vulnerability is not currently listed on CISA KEV.
Organizations heavily reliant on DNSSEC for security and those running older versions of PowerDNS Recursor (4.1.0 - 4.1.8) are at increased risk. Shared hosting environments utilizing vulnerable PowerDNS Recursor instances are also particularly susceptible.
• linux / server:
journalctl -u pdns-recursor | grep -i "dnssec validation"
• linux / server:
ps aux | grep pdns_recursor
• generic web: Check DNS server logs for unusual query patterns or responses from authoritative servers without the AA flag.
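The last check above, as an added example that is not from the original page or the PowerDNS project: a Python heuristic that decodes the DNS header and flags responses carrying answer records with the AA bit clear. The function names and the sample messages are constructed for illustration; it assumes the payloads were captured on the recursor's upstream side.

```python
import struct

QR = 0x8000  # header flag: message is a response
AA = 0x0400  # header flag: authoritative answer

def parse_header(msg):
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "ancount": an, "nscount": ns}

def is_suspect(msg):
    """True for a response that carries answer records with AA clear.
    Referrals (no answers) and queries are not flagged."""
    h = parse_header(msg)
    return h["qr"] and not h["aa"] and h["ancount"] > 0

def scan(messages):
    """Return (suspect_ids, malformed_count) for captured DNS payloads."""
    suspects, malformed = [], 0
    for msg in messages:
        try:
            if is_suspect(msg):
                suspects.append(parse_header(msg)["id"])
        except ValueError:
            malformed += 1
    return suspects, malformed

def _hdr(ident, flags, an, ns=0):
    # Constructed sample: header only, record sections omitted for brevity.
    return struct.pack("!6H", ident, flags, 1, an, ns, 0)

SAMPLES = [
    _hdr(0x1001, 0x8400, an=1),        # authoritative answer (AA set)
    _hdr(0x1002, 0x8000, an=1),        # answer with AA clear -> flagged
    _hdr(0x1003, 0x8000, an=0, ns=2),  # referral, no answers
    _hdr(0x1004, 0x0100, an=0),        # outgoing query
    b"\x10\x05",                       # truncated capture
]

if __name__ == "__main__":
    print(scan(SAMPLES))
```

Run it only on traffic between the recursor and authoritative servers, since answers relayed by forwarders or other resolvers normally have AA clear.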
EPSS
0.00% (0% percentile)
The primary mitigation for CVE-2019-3807 is to upgrade PowerDNS Recursor to version 4.1.9 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting queries from untrusted authoritative servers or implementing stricter DNSSEC validation policies. Monitor DNS logs for suspicious activity and consider implementing intrusion detection systems (IDS) to identify potential exploitation attempts. After upgrade, confirm by querying authoritative servers without the AA flag and verifying DNSSEC validation is enforced.
Upgrade PowerDNS Recursor to version 4.1.9 or later. This version fixes the incorrect validation of DNSSEC records in responses from authoritative servers, preventing possible manipulation of DNS resolution.
CVE-2019-3807 is a vulnerability in PowerDNS Recursor versions 4.1.x before 4.1.9 that allows attackers to bypass DNSSEC validation due to improper record validation.
You are affected if you are running PowerDNS Recursor versions 4.1.0 through 4.1.8. Upgrade to 4.1.9 to resolve the issue.
Upgrade PowerDNS Recursor to version 4.1.9 or later. If immediate upgrade is not possible, consider temporary workarounds like restricting queries from untrusted servers.
There is no current evidence of active exploitation campaigns targeting CVE-2019-3807, although a public PoC exists.
Refer to the PowerDNS security advisory for details: https://www.powerdns.com/security/advisory/pdns-2019-001/