Upstream information

CVE-2020-10995 at MITRE

Description

PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. An issue in the DNS protocol has been found that allow malicious parties to use recursive DNS services to attack third party authoritative name servers. The attack uses a crafted reply by an authoritative name server to amplify the resulting traffic between the recursive and other authoritative name servers. Both types of service can suffer degraded performance as an effect. This is triggered by random subdomains in the NSDNAME in NS records. PowerDNS Recursor 4.1.16, 4.2.2 and 4.3.1 contain a mitigation to limit the impact of this DNS protocol issue.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 5
Vector AV:N/AC:L/Au:N/C:N/I:N/A:P
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Partial
CVSS v3 Scores
  National Vulnerability Database
Base Score 7.5
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Access Vector Network
Access Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Impact None
Integrity Impact None
Availability Impact High
CVSSv3 Version 3.1
SUSE Bugzilla entry: 1171553 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Package Hub 12 SP1
  • pdns-recursor >= 4.1.16-19.1
Patchnames:
openSUSE-2020-698
SUSE Package Hub 15 SP1
  • pdns-recursor >= 4.1.12-bp151.4.3.1
Patchnames:
openSUSE-2020-698
openSUSE Leap 15.1
  • pdns-recursor >= 4.1.12-lp151.3.3.1
Patchnames:
openSUSE-2020-698
openSUSE Tumbleweed
  • pdns-recursor >= 4.5.5-1.3
Patchnames:
openSUSE Tumbleweed GA pdns-recursor-4.5.5-1.3