Platform
linux
Component
powerdns-recursor
Fixed version
4.1.1
CVE-2019-3807 affects PowerDNS Recursor versions 4.1.x prior to 4.1.9. This vulnerability allows an attacker to bypass DNSSEC validation, potentially leading to DNS spoofing and manipulation of DNS resolution. The issue stems from improper validation of records received from authoritative servers that do not set the AA flag. A patch is available in version 4.1.9.
Successful exploitation of CVE-2019-3807 enables an attacker to bypass DNSSEC validation, effectively undermining the security of DNS resolution. This could allow an attacker to redirect users to malicious websites, intercept sensitive data transmitted over DNS, or perform other DNS-based attacks. The impact is particularly severe for organizations relying on DNSSEC to ensure the integrity of their DNS data. While the CVSS score is LOW, the potential for widespread impact through DNS manipulation warrants attention.
CVE-2019-3807 was publicly disclosed on January 29, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept (PoC) code is available, demonstrating the feasibility of exploiting the bypass. The vulnerability is not currently listed on CISA KEV.
Organizations heavily reliant on DNSSEC for security and those running older versions of PowerDNS Recursor (4.1.0 - 4.1.8) are at increased risk. Shared hosting environments utilizing vulnerable PowerDNS Recursor instances are also particularly susceptible.
• linux / server:
journalctl -u pdns-recursor | grep -i "dnssec validation"
• linux / server:
ps aux | grep pdns_recursor
• generic web: Check DNS server logs for unusual query patterns or responses from authoritative servers without the AA flag.
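One way to apply the AA-flag check above to captured upstream responses, as an added example that is not from the original page or from PowerDNS. The function names, the sample messages and the rule of ignoring answerless referrals (which clear AA by design) are assumptions made for this illustration.

```python
import struct

# DNS header flag masks (RFC 1035, section 4.1.1)
QR_MASK = 0x8000      # 1 = response
AA_MASK = 0x0400      # 1 = authoritative answer
RCODE_MASK = 0x000F   # 0 = NOERROR

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a raw message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": txid, "qr": bool(flags & QR_MASK), "aa": bool(flags & AA_MASK),
            "rcode": flags & RCODE_MASK, "ancount": an, "nscount": ns}

def classify(msg: bytes) -> str:
    """Label a message: query, error, authoritative, referral or non-aa-answer."""
    h = parse_header(msg)
    if not h["qr"]:
        return "query"
    if h["rcode"] != 0:
        return "error"
    if h["aa"]:
        return "authoritative"
    if h["ancount"] == 0:
        return "referral"          # delegation: AA clear is expected here
    return "non-aa-answer"         # answer records without AA: review these

def review(capture):
    """capture: iterable of (source_ip, raw_message); returns (ip, txid) to review."""
    hits = []
    for src, msg in capture:
        try:
            if classify(msg) == "non-aa-answer":
                hits.append((src, parse_header(msg)["id"]))
        except ValueError:
            hits.append((src, None))   # malformed message, also worth a look
    return hits

def _hdr(txid, flags, an=0, ns=0):
    """Build a header-only message for the constructed sample below."""
    return struct.pack("!6H", txid, flags, 1, an, ns, 0)

# Constructed sample (RFC 5737 documentation addresses), not real traffic
SAMPLE = [
    ("192.0.2.10", _hdr(0x1A2B, 0x8400, an=1)),  # AA set, one answer
    ("192.0.2.11", _hdr(0x1A2C, 0x8000, ns=2)),  # referral, no answers
    ("192.0.2.12", _hdr(0x1A2D, 0x8000, an=1)),  # AA clear, one answer
    ("192.0.2.13", b"\x00\x01"),                 # truncated message
]
```

Feed `review()` the UDP payloads of responses arriving at the recursor from authoritative servers; hits are leads for review, not proof of exploitation.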
Exploitation status
EPSS
0.00% (0th percentile)
CVSS vector
The primary mitigation for CVE-2019-3807 is to upgrade PowerDNS Recursor to version 4.1.9 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting queries from untrusted authoritative servers or implementing stricter DNSSEC validation policies. Monitor DNS logs for suspicious activity and consider implementing intrusion detection systems (IDS) to identify potential exploitation attempts. After upgrade, confirm by querying authoritative servers without the AA flag and verifying DNSSEC validation is enforced.
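Update PowerDNS Recursor to 4.1.9 or later. This version fixes the incorrect validation of DNSSEC records in responses from authoritative servers, which prevents DNS resolution from being tampered with.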
CVE-2019-3807 is a vulnerability in PowerDNS Recursor versions 4.1.x before 4.1.9 that allows attackers to bypass DNSSEC validation due to improper record validation.
You are affected if you are running PowerDNS Recursor versions 4.1.0 through 4.1.8. Upgrade to 4.1.9 to resolve the issue.
Upgrade PowerDNS Recursor to version 4.1.9 or later. If immediate upgrade is not possible, consider temporary workarounds like restricting queries from untrusted servers.
There is no current evidence of active exploitation campaigns targeting CVE-2019-3807, although a public PoC exists.
Refer to the PowerDNS security advisory for details: https://www.powerdns.com/security/advisory/pdns-2019-001/