CVE-2018-14644
published 2018-11-09

Priority: P4 (33)
CVSS 3.0: 5.9 (medium), vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 4.84% (90.9th percentile)

An issue has been found in PowerDNS Recursor from 4.0.0 up to and including 4.1.4. A remote attacker sending a DNS query for a meta-type like OPT can lead to a zone being wrongly cached as failing DNSSEC validation. It only arises if the parent zone is signed, and all the authoritative servers for that parent zone answer with FORMERR to a query for at least one of the meta-types. As a result, subsequent queries from clients requesting DNSSEC validation will be answered with a ServFail.

Affected

6 ranges
Vendor | Product | Version range | Fixed in
debian | pdns-recursor | < pdns-recursor 4.1.7-1 (bookworm) | pdns-recursor 4.1.7-1 (bookworm)
open-xchange | pdns | >= 0 < 4.0.0~alpha2-3ubuntu0.1~esm1 | 4.0.0~alpha2-3ubuntu0.1~esm1
open-xchange | pdns | >= 0 < 4.1.1-1ubuntu0.1~esm1 | 4.1.1-1ubuntu0.1~esm1
open-xchange | pdns | >= 0 < 4.2.1-1ubuntu0.1~esm1 | 4.2.1-1ubuntu0.1~esm1
open-xchange | pdns | >= 0 < 4.5.3-1ubuntu0.1~esm1 | 4.5.3-1ubuntu0.1~esm1
powerdns | recursor | 4.0.0 – 4.1.4 |

CVSS provenance

nvd v3.0: 5.9 MEDIUM (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
nvd v2.0: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:N/A:P)
osv: 7.8 HIGH
vendor_ubuntu: 7.8 HIGH
vendor_debian: 5.3 MEDIUM