Allele Security Alert
ASA-2019-00017
Identifier(s)
ASA-2019-00017, CVE-2019-3807
Title
Insufficient validation of DNSSEC signatures
Vendor(s)
PowerDNS
Product(s)
PowerDNS Recursor
Affected version(s)
PowerDNS Recursor from 4.1.0 up to and including 4.1.8
Fixed version(s)
PowerDNS Recursor 4.1.9
Proof of concept
Unknown
Description
An issue has been found in PowerDNS Recursor where records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation.
Technical details
Unknown
Credits
Ralph Dolmans and George Thessalonikefs (NLNetLabs)
Reference(s)
PowerDNS Recursor 4.1.9 Released
https://blog.powerdns.com/2019/01/21/powerdns-recursor-4-1-9-released/
PowerDNS Security Advisory 2019-02: Insufficient validation of DNSSEC signatures
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-02.html
PowerDNS Security Advisories 2011-01 and 2019-02
https://seclists.org/oss-sec/2019/q1/77
CVE-2019-3807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3807
CVE-2019-3807
https://nvd.nist.gov/vuln/detail/CVE-2019-3807
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 1, 2019