Impact
A malicious authoritative DNS server can send a specially crafted zone to the PowerDNS Recursor using the ZoneToCache function. The Recursor lacks proper input validation for zone data, causing the program to crash. The crash results in a denial of service for services relying on the Recursor, as the process terminates and must be restarted to resume normal operation. This weakness is a classic example of insufficient input validation leading to a loss of availability.
Affected Systems
The vulnerability affects the PowerDNS Recursor software. No specific affected releases are listed, so any deployed instance that has not applied the later correction is potentially vulnerable. Administrators should verify the Recursor – or any derivative product – against the vendor advisory for a fix that addresses the input validation issue.
Risk and Exploitability
The CVSS score of 5.9 indicates medium severity, while the EPSS score is not available, making it difficult to gauge current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog, suggesting limited widespread exploitation at the time of analysis. The attack vector is inferred to be Externally Network – a rogue authoritative server on the network can trigger the flaw. An attacker would need only to serve a crafted zone to a Recursor instance that accepts the ZoneToCache request. The result would be a disruption of DNS resolution services, potentially affecting multiple end users.
OpenCVE Enrichment
Debian DSA