#VU39670 Resource exhaustion in Knot DNS - CVE-2016-6171

Cybersecurity Help s.r.o.

Published: 2017-02-09 | Updated: 2020-08-08

Vulnerability identifier: #VU39670

Vulnerability risk: High

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2016-6171

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Knot DNS
Server applications / DNS servers

Vendor: Nic

Description

The vulnerability allows a remote non-authenticated attacker to a crash the entire system.

Knot DNS before 2.3.0 allows remote DNS servers to cause a denial of service (memory exhaustion and slave server crash) via a large zone transfer for (1) DDNS, (2) AXFR, or (3) IXFR.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Knot DNS: 2.0.0 - 2.2.1

External links
https://www.openwall.com/lists/oss-security/2016/07/06/3
https://www.openwall.com/lists/oss-security/2016/07/06/4
https://www.securityfocus.com/bid/91678
https://github.com/sischkg/xfer-limit/blob/master/README.md
https://gitlab.labs.nic.cz/labs/knot/blob/c546a70563ef4c7badb7cb5bdf6d1ba8e7adae82/NEWS
https://gitlab.labs.nic.cz/labs/knot/issues/464
https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015058.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Resource exhaustion in Nic Knot DNS

Fedora 24 update for knot

Fedora 25 update for knot

Fedora 23 update for knot

Fedora EPEL 7 update for knot

Fedora EPEL 6 update for knot

Fedora 25 update for knot

Fedora 23 update for knot

Fedora 24 update for knot