CVE-2020-10995
First published: Tue May 19 2020(Updated: )
PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. An issue in the DNS protocol has been found that allow malicious parties to use recursive DNS services to attack third party authoritative name servers. The attack uses a crafted reply by an authoritative name server to amplify the resulting traffic between the recursive and other authoritative name servers. Both types of service can suffer degraded performance as an effect. This is triggered by random subdomains in the NSDNAME in NS records. PowerDNS Recursor 4.1.16, 4.2.2 and 4.3.1 contain a mitigation to limit the impact of this DNS protocol issue.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/pdns-recursor | 4.1.11-1+deb10u1 4.4.2-3 4.8.4-1 4.9.1-3 4.9.1-4 | |
| PowerDNS | >=4.1.0<=4.3.0 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Debian Debian Linux | =10.0 | |
| openSUSE Backports | =15.0-sp1 | |
| openSUSE | =15.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00052.html
- http://www.nxnsattack.com
- https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMP72NJGKBWR5WEBXAWX5KSLQUDFTG6S/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PS4ZN5XGENYNFKX7QIIOUCQQHXE37GJF/
- https://www.debian.org/security/2020/dsa-4691
- https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html
- https://www.openwall.com/lists/oss-security/2020/05/19/3
- https://security-tracker.debian.org/tracker/CVE-2020-10995
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PS4ZN5XGENYNFKX7QIIOUCQQHXE37GJF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMP72NJGKBWR5WEBXAWX5KSLQUDFTG6S/
Frequently Asked Questions
What is CVE-2020-10995?
CVE-2020-10995 is a vulnerability in PowerDNS Recursor from version 4.1.0 up to and including 4.3.0 that does not sufficiently defend against amplification attacks.
How does CVE-2020-10995 impact PowerDNS Recursor?
CVE-2020-10995 allows malicious parties to use recursive DNS services to attack third party authoritative name servers.
What is the severity level of CVE-2020-10995?
CVE-2020-10995 has a severity level of 7.5, which is considered high.
How can I fix CVE-2020-10995?
To fix CVE-2020-10995, update PowerDNS Recursor to version 4.4.2-3 or higher.
Where can I find more information about CVE-2020-10995?
You can find more information about CVE-2020-10995 in the official PowerDNS Recursor security advisory.
- collector/security-tracker-debian
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/references
- agent/severity
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/powerdns
- canonical/powerdns
- version/powerdns/4.1.0
- version/powerdns/4.3.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- vendor/opensuse
- canonical/opensuse backports
- version/opensuse backports/15.0-sp1
- canonical/opensuse
- version/opensuse/15.1