Candidate: CVE-2020-10995
CRD: 2020-05-19 12:00:00 UTC
PublicDate: 2020-05-19 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10995
 https://www.openwall.com/lists/oss-security/2020/05/19/3
Description:
 PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not
 sufficiently defend against amplification attacks. An issue in the DNS
 protocol has been found that allow malicious parties to use recursive DNS
 services to attack third party authoritative name servers. The attack uses
 a crafted reply by an authoritative name server to amplify the resulting
 traffic between the recursive and other authoritative name servers. Both
 types of service can suffer degraded performance as an effect. This is
 triggered by random subdomains in the NSDNAME in NS records. PowerDNS
 Recursor 4.1.16, 4.2.2 and 4.3.1 contain a mitigation to limit the impact
 of this DNS protocol issue.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_pdns-recursor:
upstream_pdns-recursor: needs-triage
precise/esm_pdns-recursor: DNE
trusty_pdns-recursor: ignored (out of standard support)
trusty/esm_pdns-recursor: DNE
xenial_pdns-recursor: ignored (end of standard support, was needs-triage)
bionic_pdns-recursor: needs-triage
eoan_pdns-recursor: ignored (reached end-of-life)
focal_pdns-recursor: needs-triage
groovy_pdns-recursor: not-affected (4.3.1-1)
hirsute_pdns-recursor: not-affected (4.3.1-1)
impish_pdns-recursor: not-affected (4.3.1-1)
jammy_pdns-recursor: not-affected (4.3.1-1)
devel_pdns-recursor: not-affected (4.3.1-1)