SB2019121320 - Use of cryptographically weak pseudo-random number generator in Miek Gieben DNS library

Description

This security bulletin contains information about 1 security vulnerability.

1) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2019-19794)

The vulnerability allows a remote attacker to poison DNS cache.

The vulnerability exists due to usage of predictable random numbers for TXID. A remote attacker can forge DNS responses.

Remediation

Install update from vendor's website.

References

• https://github.com/coredns/coredns/issues/3519
• https://github.com/coredns/coredns/issues/3547
• https://github.com/miekg/dns/compare/v1.1.24...v1.1.25
• https://github.com/miekg/dns/issues/1043
• https://github.com/miekg/dns/pull/1044