CVE-2014-8601
published 2014-12-10


Priority: P3 (39) · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
EPSS: 73.53% (99.4th percentile)
PowerDNS Recursor before 3.6.2 does not limit delegation chaining, which allows remote attackers to cause a denial of service ("performance degradations") via a large or infinite number of referrals, as demonstrated by resolving domains hosted by ezdns.it.

Affected (3 ranges)

Vendor    Product        Version range                        Fixed in
debian    debian_linux
debian    pdns-recursor  < pdns-recursor 3.6.2-1 (bookworm)   pdns-recursor 3.6.2-1 (bookworm)
powerdns  recursor       <= 3.6.1

Detection & IOCs (extracted from sources)

  • Domains hosted by ezdns.it were used to demonstrate the unlimited delegation chaining attack against PowerDNS Recursor, triggering excessive referral loops and performance degradation (DoS).
  • The attack vector is a remotely supplied, specially crafted domain name that causes PowerDNS Recursor to follow an unbounded delegation chain; monitor for recursive resolvers exhibiting abnormally high referral-follow counts or CPU spikes tied to a single query domain.
  • Upstream patches for this specific issue are available at the PowerDNS patch repository path for advisory 2014-02; the presence of unpatched pdns-recursor < 3.6.2 in an environment is a direct exposure indicator.
  • The vulnerability only affects PowerDNS Recursor versions before 3.6.2; it is fixed in 3.6.2-1 across Debian (bookworm, bullseye, forky, sid, trixie) and in the Fedora/EPEL packages.
  • The root cause is the absence of a delegation chain depth limit in the recursor; ensure deployed resolvers run the patched version, which enforces such a limit.

CVSS provenance

Source         CVSS  Score  Severity  Vector
nvd            2.0   5.0    MEDIUM    AV:N/AC:L/Au:N/C:N/I:N/A:P
osv                  5.0    MEDIUM
vendor_redhat        7.5    HIGH
vendor_debian        5.0    MEDIUM