CVE-2019-10163 in PowerDNS Authoritative Server

Summary

by MITRE

A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.9 and 4.0.8 allowing a remote, authorized master server to cause a high CPU load or even prevent any further updates to any slave zone by sending a large number of NOTIFY messages. Note that only servers configured as slaves are affected by this issue.


Analysis

by VulDB Data Team • 11/14/2023

The vulnerability identified as CVE-2019-10163 affects PowerDNS Authoritative Server versions prior to 4.1.9 and 4.0.8 and is a significant flaw for DNS infrastructure reliability. It affects only servers configured as DNS slaves: an authorized master server can abuse a design weakness to send a volume of NOTIFY messages that overwhelms the slave's processing capacity. The issue stems from insufficient rate limiting and validation in the NOTIFY message handling path, producing a denial of service condition that can severely degrade DNS resolution for the affected zones.

The technical flaw lies in the handling of NOTIFY messages sent from master servers to slave servers in a PowerDNS authoritative configuration. When a master sends many NOTIFY messages in rapid succession, the slave processes each one sequentially without rate limiting or filtering of repeated notifications. An attacker with control of a configured master can therefore flood the slave with notifications, driving CPU utilization up as the server attempts to handle each message and check the corresponding zone for updates. The vulnerability is classified as resource exhaustion and specifically abuses the DNS notification mechanism, whose legitimate purpose is to inform slave servers of zone changes on their masters.

The operational impact extends beyond performance degradation to potentially complete service disruption for the affected DNS zones. A slave under heavy CPU load from excessive NOTIFY traffic may stop responding to legitimate zone update requests, effectively preventing any further DNS updates from being applied. The result is that DNS resolution for domains served through the affected slave becomes unreliable or unavailable. The vulnerability is particularly concerning because it requires only authorized access to a configured master server, so an insider or a compromised master can trigger the denial of service without external network access or elevated privileges.

Organizations affected by this vulnerability should update to PowerDNS versions 4.1.9 or 4.0.8, where the fix has been implemented. The fix introduces rate limiting and message validation for NOTIFY requests, preventing excessive processing of duplicate or malformed notifications. Additional defensive measures include network-level rate limiting on the DNS notification port, monitoring for unusual NOTIFY message patterns, and establishing baseline performance metrics so that abnormal CPU utilization spikes can be detected. The vulnerability aligns with CWE-770 (Allocation of Resources Without Limits or Throttling) and is a classic example of a denial of service vector that abuses a legitimate protocol feature to cause system instability and service disruption.
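One way to implement the "monitoring for unusual NOTIFY message patterns" suggested above is to count NOTIFYs per (source, zone) over a sliding window and flag bursts. This is an added example, not VulDB's or PowerDNS's own code; the "Received NOTIFY for ... from ..." log line shape, the timestamp format, and the 20-per-10-seconds threshold are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log line shape for a slave receiving a NOTIFY (not copied from a real log).
NOTIFY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Received NOTIFY for (?P<zone>\S+) from (?P<src>[0-9a-fA-F.:]+)"
)


def build_sample_log():
    """Constructed sample: one master sends 50 NOTIFYs for example.org within
    two seconds, another master sends a single normal NOTIFY for example.net."""
    lines = [
        f"2023-11-14 10:00:{i // 25:02d} Received NOTIFY for example.org "
        "from 192.0.2.10, queueing check"
        for i in range(50)
    ]
    lines.append("2023-11-14 10:00:01 Received NOTIFY for example.net from 192.0.2.20, queueing check")
    lines.append("2023-11-14 10:00:02 Some unrelated log line that must be ignored")
    return "\n".join(lines)


def parse_notify_lines(text):
    """Yield (timestamp, zone, source) for each NOTIFY line; skip everything else."""
    for line in text.splitlines():
        m = NOTIFY_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["zone"], m["src"]


def notify_bursts(events, window_seconds=10, threshold=20):
    """Return {(source, zone): peak_count} for every pair that exceeded
    `threshold` NOTIFYs inside any sliding window of `window_seconds`."""
    windows = defaultdict(deque)
    peaks = {}
    for ts, zone, src in sorted(events):
        key = (src, zone)
        q = windows[key]
        q.append(ts)
        # Drop timestamps that fell out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


if __name__ == "__main__":
    for (src, zone), count in notify_bursts(parse_notify_lines(build_sample_log())).items():
        print(f"NOTIFY burst: {count} messages for {zone} from {src}")
```

A pair that only ever sends one or two NOTIFYs per zone change never appears in the result, so alerts point at the master/zone combination responsible for the load.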
