CVE-2019-10162 in Authoritative Server
Summary
by MITRE
A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.10, 4.0.8 allowing an authorized user to cause the server to exit by inserting a crafted record in a MASTER type zone under their control. The issue is due to the fact that the Authoritative Server will exit when it runs into a parsing error while looking up the NS/A/AAAA records it is about to use for an outgoing notify.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 11/14/2023
The vulnerability identified as CVE-2019-10162 affects the PowerDNS Authoritative Server, a widely deployed DNS server software that serves as the authoritative source for DNS zone data. This critical flaw exists in versions prior to 4.1.10 and 4.0.8, representing a significant security concern for organizations relying on PowerDNS for their DNS infrastructure. The vulnerability specifically targets MASTER type zones, which are authoritative zones where the server maintains the primary copy of DNS records and is responsible for serving them to other DNS servers. The issue stems from inadequate error handling mechanisms within the server's record parsing logic, creating a potential denial of service condition that could be exploited by malicious actors.
The technical root cause of this vulnerability lies in how the PowerDNS Authoritative Server processes DNS records when preparing to send notifications to slave servers. When the server encounters a parsing error while examining NS, A, or AAAA records within a MASTER zone, it fails to handle this error gracefully and instead terminates the entire server process. This behavior violates standard error handling principles and represents a classic case of improper exception management. The vulnerability is particularly dangerous because it requires only an authorized user with permissions to modify DNS records within a MASTER zone to trigger the condition, making it exploitable through insider threats or compromised accounts with sufficient privileges. The parsing error occurs during the notification process, which is a routine operation that should not cause system-wide failures.
The operational impact of CVE-2019-10162 extends beyond simple service disruption, as it can lead to complete DNS service outages for affected domains. When the server exits due to this parsing error, all DNS queries for zones managed by that server become unavailable until the service is manually restarted, potentially affecting thousands of domains and applications that depend on the affected DNS infrastructure. This vulnerability directly maps to CWE-704, which covers incorrect type conversion or cast, and also relates to CWE-248, improper exception handling, as the server fails to properly manage parsing errors that should be recoverable. From an attack perspective, this represents a significant vector for denial of service attacks, particularly in environments where multiple administrators have access to modify DNS records, as any user with appropriate permissions could trigger the condition.
Organizations should immediately implement mitigations by upgrading to PowerDNS Authoritative Server versions 4.1.10 or 4.0.8, which contain the necessary patches to address this vulnerability. Additionally, administrators should review and tighten access controls for MASTER zones, limiting the number of users who can modify DNS records to reduce the attack surface. Network monitoring should be enhanced to detect unusual server termination patterns that might indicate exploitation attempts. The ATT&CK framework categorizes this vulnerability under T1499.004, "Cloud Compute Infrastructure Destruction," as it can lead to service disruption that impacts cloud-based DNS infrastructure. Security teams should also consider implementing automated restart mechanisms and health monitoring for DNS services to minimize the impact of such outages. The vulnerability demonstrates the importance of robust error handling in critical infrastructure software and highlights the need for thorough testing of edge cases in DNS record processing operations.