Petr Špaček

## Vulnerability Report **Name of the Vulnerable Software and Affected Versions** * BIND versions 9.16.48-1 through 9.18.24-1 * Unbound versions 1.19.1-alt1 * PDNS Recursor versions 4.8.6-1 * Knot Resolver versions 5.6.0-1+deb12u1 * systemd (affected versions not specified) * dnsmasq (affected versions not specified) * COBALT (affected versions not specified) **Description** Multiple vulnerabilities have been discovered in various DNS server implementations, including BIND, Unbound, PDNS Recursor, and Knot Resolver. A denial-of-service (DoS) vulnerability exists in BIND due to a flaw in query-handling code and a CPU exhaustion issue related to malformed DNSSEC records. A similar CPU exhaustion vulnerability affects DNSSEC-validating resolvers when processing specially crafted DNSSEC responses. Additionally, vulnerabilities have been identified in systemd, dnsmasq, and COBALT, though specific details are limited. A publicly disclosed vulnerability (CVE-2023-50868) exists in Microsoft DNS servers, impacting DNSSEC validation. **Recommendations** * Upgrade BIND to version 9.16.48-1 or 9.18.24-1. * Upgrade Unbound to version 1.19.1-alt1. * Upgrade PDNS Recursor to version 4.8.6-1. * Upgrade Knot Resolver to version 5.6.0-1+deb12u1. * Upgrade systemd to the latest available version. * Upgrade dnsmasq to the latest available version. * Upgrade COBALT to the latest available version. * For systems using DNSSEC validation, consider upgrading to a version that addresses the NSEC3 processing issue.

**Name of the Vulnerable Software and Affected Versions** Knot Resolver versions prior to 5.1.1 **Description** The issue allows traffic amplification via a crafted DNS answer from an attacker-controlled server, also known as an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records. **Recommendations** For versions prior to 5.1.1, update to version 5.1.1 or later to resolve the issue. As a temporary workaround, consider restricting DNS answers from unknown or untrusted servers to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: knot resolver versions prior to 4.1.0 Description: A vulnerability was discovered in the DNS resolver component that allows remote attackers to bypass DNSSEC validation for non-existence answers. Specifically, NXDOMAIN answers would get passed through to the client even if their DNSSEC validation failed, instead of sending a SERVFAIL packet. Caching is not affected by this bug. Recommendations: For versions prior to 4.1.0, update to version 4.1.0 or later to resolve the issue. As a temporary workaround, consider restricting the DNS resolver component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** knot resolver versions prior to 4.1.0 **Description** A vulnerability was discovered in the DNS resolver of knot resolver, which allows remote attackers to downgrade DNSSEC-secure domains to a DNSSEC-insecure state. This opens the possibility of domain hijack using attacks against the insecure DNS protocol. The issue is due to insufficient input validation, enabling a remote attacker to convert a DNSSEC-secure domain to an insecure state. **Recommendations** For versions prior to 4.1.0, update to version 4.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the DNS resolver to minimize the risk of exploitation.