Nic: Security Vulnerabilities
knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).
CVSS Score
7.5
EPSS Score
0.003
Published
2019-12-16
Cache Poisoning issue exists in DNS Response Rate Limiting.
CVSS Score
5.9
EPSS Score
0.011
Published
2019-11-05
BIRD Internet Routing Daemon 1.6.x through 1.6.7 and 2.x through 2.0.5 has a stack-based buffer overflow. The BGP daemon's support for RFC 8203 administrative shutdown communication messages included an incorrect logical expression when checking the validity of an input message. Sending a shutdown communication with a sufficient message length causes a four-byte overflow to occur while processing the message, where two of the overflow bytes are attacker-controlled and two are fixed.
CVSS Score
7.5
EPSS Score
0.043
Published
2019-09-09
A vulnerability was discovered in DNS resolver component of knot resolver through version 3.2.0 before 4.1.0 which allows remote attackers to bypass DNSSEC validation for non-existence answer. NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of sending a SERVFAIL packet. Caching is not affected by this particular bug but see CVE-2019-10191.
CVSS Score
5.4
EPSS Score
0.008
Published
2019-07-16
A vulnerability was discovered in DNS resolver of knot resolver before version 4.1.0 which allows remote attackers to downgrade DNSSEC-secure domains to DNSSEC-insecure state, opening possibility of domain hijack using attacks against insecure DNS protocol.
CVSS Score
6.3
EPSS Score
0.005
Published
2019-07-16
Improper input validation bug in DNS resolver component of Knot Resolver before 2.4.1 allows remote attacker to poison cache.
CVSS Score
7.5
EPSS Score
0.079
Published
2018-08-02
Knot DNS before 1.5.2 allows remote attackers to cause a denial of service (application crash) via a crafted DNS message.
CVSS Score
7.5
EPSS Score
0.013
Published
2018-03-27
Improper input validation bugs in DNSSEC validators components in Knot Resolver (prior version 1.5.2) allow attacker in man-in-the-middle position to deny existence of some data in DNS via packet replay.
CVSS Score
3.7
EPSS Score
0.004
Published
2018-01-22
Page 2