CVE-2020-25829
HIGHPowerDNS Recursor < 4.1.18, 4.2.x < 4.2.5, 4.3.x < 4.3.5 - Denial of Service via DNS ANY Query
Title source: llmDescription
An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5, and 4.3.x before 4.3.5. A remote attacker can cause the cached records for a given name to be updated to the Bogus DNSSEC validation state, instead of their actual DNSSEC Secure state, via a DNS ANY query. This results in a denial of service for installation that always validate (dnssec=validate), and for clients requesting validation when on-demand validation is enabled (dnssec=process).
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html
Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00036.html
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202012-19
Scores
CVSS v3
7.5
EPSS
0.0035
EPSS Percentile
57.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
Status
published
Products (4)
opensuse/backports_sle
15.0 sp1 (2 CPE variants)
opensuse/leap
15.1
opensuse/leap
15.2
powerdns/recursor
< 4.1.18
Published
Oct 16, 2020
Tracked Since
Feb 18, 2026