CVE-2020-10995
moderate-risk
Published 2020-05-19
PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. An issue in the DNS protocol has been found that allow malicious parties to use recursive DNS services to attack third party authoritative name servers. The attack uses a crafted reply by an authoritative name server to amplify the resulting traffic between the recursive and other authoritative name servers. Both types of service can suffer degraded performance as an effect. This is triggered by random subdomains in the NSDNAME in NS records. PowerDNS Recursor 4.1.16, 4.2.2 and 4.3.1 contain a mitigation to limit the impact of this DNS protocol issue.
Do I need to act?
-
0.09% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ LOW complexity
Affected Products (6)
Affected Vendors
References (12)
Technical Description
http://www.nxnsattack.com
Third Party Advisory
https://www.debian.org/security/2020/dsa-4691
Technical Description
http://www.nxnsattack.com
Third Party Advisory
https://www.debian.org/security/2020/dsa-4691
39
/ 100
moderate-risk
Severity
26/34 · High
Exploitability
0/34 · Minimal
Exposure
13/34 · Low