Vulnerability Name:

CVE-2019-10162 (CCN-162839)

Assigned:2019-06-21
Published:2019-06-21
Updated:2020-10-02
Summary:A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.10, 4.0.8 allowing an authorized user to cause the server to exit by inserting a crafted record in a MASTER type zone under their control. The issue is due to the fact that the Authoritative Server will exit when it runs into a parsing error while looking up the NS/A/AAAA records it is about to use for an outgoing notify.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-Other
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2019-10162

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2019:1904

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2019:1921

Source: CONFIRM
Type: Release Notes, Vendor Advisory
https://blog.powerdns.com/2019/06/21/powerdns-authoritative-server-4-0-8-and-4-1-10-released/

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10162

Source: CCN
Type: PowerDNS Security Advisory 2019-04
Denial of service via crafted zone records

Source: MISC
Type: Vendor Advisory
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-04.html

Source: XF
Type: UNKNOWN
powerdns-cve201910162-dos(162839)

Source: CCN
Type: BugTraq Mailing List, Sun, 23 Jun 2019 21:02:15 +0000
[SECURITY] [DSA 4470-1] pdns security update

Vulnerable Configuration:Configuration 1:
  • cpe:/a:powerdns:authoritative:*:*:*:*:*:*:*:* (Version >= 4.0.0 and < 4.0.8)
  • OR cpe:/a:powerdns:authoritative:4.0.0:-:*:*:*:*:*:*
  • OR cpe:/a:powerdns:authoritative:*:*:*:*:*:*:*:* (Version >= 4.1.0 and < 4.1.10)

    • Configuration 2:
  • cpe:/o:opensuse:leap:15.0:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:leap:15.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:201910162
    V
    		CVE-2019-10162
    2022-06-30
    oval:org.opensuse.security:def:93447
    P
    		 (Important)
    2022-04-12
    oval:org.opensuse.security:def:113102
    P
    		pdns-4.5.1-1.5 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:74316
    P
    		Security update for webkit2gtk3 (Important)
    2021-10-12
    oval:org.opensuse.security:def:106537
    P
    		pdns-4.5.1-1.5 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:63201
    P
    		dhcp-relay-4.3.5-4.15 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:63427
    P
    		libSDL2-2_0-0-32bit-2.0.8-9.63 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:62382
    P
    		cni-plugins-0.8.6-3.8.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62381
    P
    		buildah-1.17.0-3.6.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:63063
    P
    		libopenssl-1_0_0-devel-1.0.2n-1.32 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:62861
    P
    		libtool-32bit-2.4.6-1.406 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:62405
    P
    		firewall-applet-0.5.3-2.3 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62582
    P
    		libsrtp-devel-1.6.0-2.19 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:25575
    P
    		Security update for libX11 (Important)
    2020-12-01
    oval:org.opensuse.security:def:26412
    P
    		Security update for tor (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64096
    P
    		Security update for gcc10 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25076
    P
    		Security update for cpio (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64250
    P
    		file on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:63888
    P
    		Security update for w3m (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25284
    P
    		Security update for xrdp (Important)
    2020-12-01
    oval:org.opensuse.security:def:25716
    P
    		Security update for librsvg (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25425
    P
    		Security update for bluez (Important)
    2020-12-01
    oval:org.opensuse.security:def:25774
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:25628
    P
    		Security update for dpdk (Critical)
    2020-12-01
    oval:org.opensuse.security:def:25012
    P
    		Security update for mariadb, mariadb-connector-c (Important)
    2020-12-01
    oval:org.opensuse.security:def:26447
    P
    		Security update for pdns (Important)
    2020-12-01
    oval:org.opensuse.security:def:64138
    P
    		Security update for xorg-x11-server (Important)
    2020-12-01
    oval:org.opensuse.security:def:63754
    P
    		Security update for python3 (Important)
    2020-12-01
    oval:org.opensuse.security:def:25203
    P
    		Security update for mariadb (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25001
    P
    		Security update for python (Important)
    2020-12-01
    oval:org.opensuse.security:def:74190
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:63994
    P
    		Security update for dnsmasq (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25341
    P
    		Security update for postgresql, postgresql96, postgresql10 and postgresql12 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25730
    P
    		Security update for glibc (Important)
    2020-12-01
    oval:org.opensuse.security:def:100160
    P
    		Security update for pdns (Important)
    2019-08-15
    oval:org.opensuse.security:def:109940
    P
    		Security update for pdns (Important)
    2019-08-15
    oval:com.ubuntu.bionic:def:2019101620000000
    V
    		CVE-2019-10162 on Ubuntu 18.04 LTS (bionic) - medium.
    2019-07-30
    oval:com.ubuntu.xenial:def:2019101620000000
    V
    		CVE-2019-10162 on Ubuntu 16.04 LTS (xenial) - medium.
    2019-07-30
    oval:com.ubuntu.disco:def:2019101620000000
    V
    		CVE-2019-10162 on Ubuntu 19.04 (disco) - medium.
    2019-07-30
    oval:com.ubuntu.cosmic:def:2019101620000000
    V
    		CVE-2019-10162 on Ubuntu 18.10 (cosmic) - medium.
    2019-06-21
    BACK
    powerdns authoritative *
    powerdns authoritative 4.0.0 -
    powerdns authoritative *
    opensuse leap 15.0
    opensuse leap 15.1