SB2020101712 - OpenSUSE Linux update for pdns-recursor 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020101712

SB2020101712 - OpenSUSE Linux update for pdns-recursor

Published: October 17, 2020

Security Bulletin ID SB2020101712
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Improper access control (CVE-ID: CVE-2020-14196)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to  ACL applied to the internal web server via "webserver-allow-from" is not properly enforced. A remote attacker can send HTTP queries to the internal web server, bypassing the restriction.

Successful exploitation of the vulnerability requires that the the API webserver is enabled (not the default value).


2) Input validation error (CVE-ID: CVE-2020-25829)

The vulnerability allows a remote attacker to perform cache poisoning attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause the cached records for a given name to be updated to the ‘Bogus’ DNSSEC validation state, instead of their actual DNSSEC ‘Secure’ state, via a DNS ANY query. This results in a denial of service for installations that always validate (dnssec=validate) and for clients requesting validation when on-demand validation is enabled (dnssec=process).


Remediation

Install update from vendor's website.

References