CVE-2020-10030
published 2020-05-19

Priority: P2 / 61 / high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 23.89% (97.5th percentile)
An issue has been found in PowerDNS Recursor 4.1.0 up to and including 4.3.0. It allows an attacker (with enough privileges to change the system's hostname) to cause disclosure of uninitialized memory content via a stack-based out-of-bounds read. It only occurs on systems where gethostname() does not have '\0' termination of the returned string if the hostname is larger than the supplied buffer. (Linux systems are not affected because the buffer is always large enough. OpenBSD systems are not affected because the returned hostname always has '\0' termination.) Under some conditions, this issue can lead to the writing of one '\0' byte out-of-bounds on the stack, causing a denial of service or possibly arbitrary code execution.
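The platform behaviour the description turns on, shown as an added C example that is not PowerDNS code: a constructed gethostname() stand-in that leaves a too-long name unterminated, a bounded check for that state, and a retrieval wrapper that zero-fills the buffer, reserves a terminator and reports truncation. fake_host, fake_gethostname, lacks_terminator and get_hostname_safe are this example's own names.

```c
#include <errno.h>
#include <string.h>

/* Constructed stand-in for a gethostname() of the kind the advisory describes:
 * a name longer than the buffer is copied as exactly len bytes with no '\0'.
 * Whether such platforms also return -1 varies, so the hardened caller below
 * never relies on the return value. */
static const char *fake_host = "recursor-node.with-a-deliberately-long.example.internal";

int fake_gethostname(char *buf, size_t len) {
    size_t n = strlen(fake_host);
    if (n < len) { memcpy(buf, fake_host, n + 1); return 0; }  /* name + '\0' fits */
    memcpy(buf, fake_host, len);                                /* cut, no terminator */
    errno = ENAMETOOLONG;
    return -1;
}

/* 1 if no '\0' within len bytes: strlen() or "%s" on buf would overrun. memchr() bounds the check. */
int lacks_terminator(const char *buf, size_t len) {
    return memchr(buf, '\0', len) == NULL;
}

/* Hardened retrieval: zero the buffer so stale stack bytes cannot be disclosed,
 * reserve the last byte as a terminator the callee can never overwrite, and
 * detect truncation from the buffer contents rather than the return value.
 * Returns 0 on success, -1 on truncation or error; buf is always a C string. */
int get_hostname_safe(char *buf, size_t len, int (*gh)(char *, size_t)) {
    if (len < 2) return -1;
    memset(buf, 0, len);
    errno = 0;
    int rc = gh(buf, len - 1);          /* callee is offered one byte less than we own */
    buf[len - 1] = '\0';                /* terminator survives whatever the callee did */
    if (rc != 0 && errno != ENAMETOOLONG) return -1;
    return buf[len - 2] == '\0' ? 0 : -1;   /* used every offered byte: may be cut short */
}

/* Self-checks, each returning 1 on the expected outcome. */
int check_full(void) {
    char b[128];
    return get_hostname_safe(b, sizeof b, fake_gethostname) == 0 && strcmp(b, fake_host) == 0;
}
int check_truncated(void) {
    char b[16];
    return get_hostname_safe(b, sizeof b, fake_gethostname) == -1 && strlen(b) == 15;
}
int check_raw_call_unterminated(void) {
    char b[16];
    fake_gethostname(b, sizeof b);      /* the unsafe pattern: no '\0' in b now */
    return lacks_terminator(b, sizeof b);
}
```

The same wrapper works unchanged against the real gethostname(), since it never reads beyond the bytes it owns and never assumes the callee wrote a terminator.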

Affected

2 ranges

Vendor   | Product       | Version range          | Fixed in
debian   | pdns-recursor | < 4.3.1-1 (bookworm)   | pdns-recursor 4.3.1-1 (bookworm)
powerdns | recursor      | 4.1.0 – 4.3.0          |

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered only on systems where gethostname() does not null-terminate the returned string when the hostname exceeds the buffer size — focus detection on non-Linux, non-OpenBSD platforms running PowerDNS Recursor 4.1.0–4.3.0
  • The attack requires local privilege to modify the system hostname; monitor for unexpected hostname changes on systems running PowerDNS Recursor as a precursor indicator
  • Under certain conditions a single null byte is written out-of-bounds on the stack; this can manifest as a crash (DoS) or code execution — monitor pdns_recursor process for unexpected crashes or anomalous behaviour on affected versions
  • Affected versions are PowerDNS Recursor 4.1.0 through 4.3.0 inclusive; versions prior to 4.1.0 and 4.3.1+ are not affected by this CVE
  • Linux deployments are NOT affected regardless of version, as the hostname buffer is always large enough; OpenBSD deployments are also NOT affected due to guaranteed null-termination
  • Debian fixed this in pdns-recursor package version 4.3.1-1 across bookworm, bullseye, forky, sid, and trixie
  • The advisory scope is classified as local — remote exploitation is not directly applicable; attacker must have local privileges to change the hostname

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 6.5   | MEDIUM   | AV:N/AC:L/Au:S/C:P/I:P/A:P
osv           |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | LOW      |