CVE-2017-15120
published 2018-07-27


Priority: P352 | high | 7.5 | CVSS 3.0
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 51.79% (98.8th percentile)
An issue has been found in the parsing of authoritative answers in PowerDNS Recursor before 4.0.8, leading to a NULL pointer dereference when parsing a specially crafted answer containing a CNAME of a different class than IN. An unauthenticated remote attacker could cause a denial of service.

Affected

9 ranges
Vendor    | Product       | Version range                        | Fixed in
debian    | debian_linux  |                                      |
debian    | debian_linux  |                                      |
debian    | pdns-recursor | < pdns-recursor 4.1.0-1 (bookworm)   | pdns-recursor 4.1.0-1 (bookworm)
powerdns  | pdns-recursor |                                      |
powerdns  | pdns-recursor | >= 0 < 4.1.0-1                       | 4.1.0-1
powerdns  | pdns-recursor | >= 0 < 4.1.0-1                       | 4.1.0-1
powerdns  | pdns-recursor | >= 0 < 4.1.0-1                       | 4.1.0-1
powerdns  | pdns-recursor | >= 0 < 4.1.0-1                       | 4.1.0-1
powerdns  | recursor      | < 4.0.8                              | 4.0.8

Detection & IOCs (extracted from sources)

  • Trigger condition: a specially crafted DNS authoritative answer containing a CNAME record with a class other than IN (e.g., CH, HS) causes a NULL pointer dereference in PowerDNS Recursor before 4.0.8, resulting in a crash/DoS
  • The attack is unauthenticated and remotely exploitable — monitor for DNS CNAME responses with non-IN class values (e.g., class field != 0x0001) directed at PowerDNS Recursor instances
  • Crash/process termination of pdns-recursor (NULL pointer dereference) can serve as an indicator of exploitation; monitor for unexpected pdns_recursor process exits
  • Vulnerability affects PowerDNS Recursor versions before 4.0.8 only; versions 4.0.8+ and 4.1.0+ are not affected. Confirm installed version before applying detection logic.
  • Debian resolved this in package version 4.1.0-1 across all active releases (bookworm, bullseye, sid, trixie, forky); Fedora/EPEL resolved it in pdns-recursor-4.1.3-2.
  • Debian scopes this vulnerability as 'local' in its tracker, which may affect risk prioritization in some environments, though the upstream description states it is remotely exploitable.
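
The non-IN CNAME check from the detection notes above, as an added example that is not part of the original page or of PowerDNS: a Python parser that walks a raw DNS response and reports every CNAME record whose class field is not IN (0x0001). The function names and the sample message builder are constructed for illustration.

```python
import struct

TYPE_CNAME, CLASS_IN = 5, 1

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while off < len(msg):
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length
    raise ValueError("truncated name")

def non_in_cnames(msg):
    """List (section, class) for each CNAME record whose class is not IN."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    hits = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("truncated record header")
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if off > len(msg):
                raise ValueError("truncated RDATA")
            # CNAME only: OPT (type 41) reuses the class field for UDP payload size.
            if rtype == TYPE_CNAME and rclass != CLASS_IN:
                hits.append((section, rclass))
    return hits

def encode_name(dotted):
    return b"".join(bytes([len(p)]) + p.encode() for p in dotted.split(".")) + b"\x00"

def constructed_answer(rclass):
    """Constructed sample: one question plus one CNAME answer of the given class."""
    question = encode_name("www.example.test") + struct.pack("!HH", 1, 1)
    target = encode_name("host.example.test")
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CNAME, rclass, 60, len(target)) + target
    return struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0) + question + rr
```

Feed `non_in_cnames` the UDP payload of responses arriving at the recursor (for example from a packet capture); a non-empty result on a host running a version before 4.0.8 is the condition the notes above say to monitor.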

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 7.5   | HIGH     | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd           | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:N/I:N/A:P
osv           |         | 7.5   | HIGH     |
vendor_debian |         | 7.5   | HIGH     |