Toshifumi Sakaguchi

**Name of the Vulnerable Software and Affected Versions** PowerDNS Recursor versions prior to 4.9.9 PowerDNS Recursor versions prior to 5.0.9 PowerDNS Recursor versions prior to 5.1.2 **Description** An attacker can publish a zone containing specific Resource Record Sets. Repeatedly processing and caching results for these sets can lead to a denial of service. The issue is related to insufficient input validation in the PowerDNS Recursor. **Recommendations** For PowerDNS Recursor versions prior to 4.9.9, update to version 4.9.9 or later. For PowerDNS Recursor versions prior to 5.0.9, update to version 5.0.9 or later. For PowerDNS Recursor versions prior to 5.1.2, update to version 5.1.2 or later.

Name of the Vulnerable Software and Affected Versions: NLnet Labs Unbound versions 1.21.0 and earlier Description: The issue arises when handling replies with very large RRsets that require name compression. Malicious upstream responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies, leading to degraded performance and potentially denial of service in well-orchestrated attacks. A malicious actor can exploit this by querying Unbound for specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query, it attempts to apply name compression, which was previously an unbounded operation that could lock the CPU until the whole packet was complete. Recommendations: For NLnet Labs Unbound versions 1.21.0 and earlier, update to version 1.21.1 or later, which introduces a hard limit on the number of name compression calculations it is willing to do per packet, preventing the CPU from being locked for long periods.

**Name of the Vulnerable Software and Affected Versions** PowerDNS Recursor versions 4.0.0 through 4.1.4 **Description** A remote attacker can send a DNS query for a meta-type like OPT, leading to a zone being wrongly cached as failing DNSSEC validation. This issue arises when the parent zone is signed and all authoritative servers for that parent zone answer with FORMERR to a query for at least one of the meta-types. As a result, subsequent queries from clients requesting DNSSEC validation will be answered with a ServFail. **Recommendations** For PowerDNS Recursor versions 4.0.0 through 4.1.4, update to a version later than 4.1.4 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: PowerDNS Recursor versions prior to 4.0.8 Description: The issue is related to the parsing of authoritative answers, which can lead to a denial of service when an unauthenticated remote attacker sends a specially crafted answer containing a CNAME of a different class than IN. This results in a NULL pointer dereference. Recommendations: For versions prior to 4.0.8, update to version 4.0.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PWR-Q200 (affected versions not specified) **Description** The issue allows remote attackers to conduct DNS cache poisoning attacks because the device does not use random values for source ports of DNS query packets. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NSD versions prior to 4.1.11 **Description** The issue allows remote DNS master servers to cause a denial of service, resulting in /tmp disk consumption and slave server crash, via a zone transfer with unlimited data. **Recommendations** For versions prior to 4.1.11, update to version 4.1.11 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PowerDNS Recursor versions prior to 3.6.4 PowerDNS Recursor versions 3.7.x prior to 3.7.3 PowerDNS Authoritative Server versions prior to 3.3.3 PowerDNS Authoritative Server versions 3.4.x prior to 3.4.5 **Description** The issue allows remote attackers to cause a denial of service, resulting in CPU consumption or a crash, via a request with a long name that refers to itself. This problem exists due to an incomplete fix for a previous issue. **Recommendations** For PowerDNS Recursor versions prior to 3.6.4, update to version 3.6.4 or later. For PowerDNS Recursor versions 3.7.x prior to 3.7.3, update to version 3.7.3 or later. For PowerDNS Authoritative Server versions prior to 3.3.3, update to version 3.3.3 or later. For PowerDNS Authoritative Server versions 3.4.x prior to 3.4.5, update to version 3.4.5 or later.

**Name of the Vulnerable Software and Affected Versions** PowerDNS Recursor versions 3.5.x through 3.6.2 and versions 3.7.x prior to 3.7.2 PowerDNS Authoritative Server versions 3.2.x through 3.3.1 and versions 3.4.x prior to 3.4.4 **Description** The issue allows remote attackers to cause a denial of service, resulting in CPU consumption or a crash, via a request with a name that refers to itself. This is related to the label decompression functionality. **Recommendations** For PowerDNS Recursor versions 3.5.x through 3.6.2, update to version 3.6.3 or later. For PowerDNS Recursor versions 3.7.x prior to 3.7.2, update to version 3.7.2 or later. For PowerDNS Authoritative Server versions 3.2.x through 3.3.1, update to version 3.3.2 or later. For PowerDNS Authoritative Server versions 3.4.x prior to 3.4.4, update to version 3.4.4 or later.