Vulnerability Description
An issue has been found in PowerDNS Authoritative Server versions up to and including 3.4.10 and 4.0.1 that allows an authorized user to crash the server by inserting a specially crafted record in a zone under their control and then sending a DNS query for that record. The issue is due to an integer overflow when checking whether the content of the record matches the expected size, which allows an attacker to cause a read past the buffer boundary.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Powerdns | Authoritative | <= 3.4.10 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2120 (Issue Tracking, Third Party Advisory)
- https://www.debian.org/security/2017/dsa-3764 (Third Party Advisory)
FAQ
What is CVE-2016-2120?
CVE-2016-2120 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue has been found in PowerDNS Authoritative Server versions up to and including 3.4.10, 4.0.1 allowing an authorized user to crash the server by inserting a specially crafted record in a zone un...
How severe is CVE-2016-2120?
CVE-2016-2120 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2016-2120?
Check the references section above for vendor advisories and patch information. Affected products include: Powerdns Authoritative, Debian Debian Linux.