CVE-2019-10190 - OpenCVE

A vulnerability was discovered in DNS resolver component of knot resolver through version 3.2.0 before 4.1.0 which allows remote attackers to bypass DNSSEC validation for non-existence answer. NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of sending a SERVFAIL packet. Caching is not affected by this particular bug but see CVE-2019-10191.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Nic	Knot Resolver
Fedoraproject	Fedora

Configuration 1 [-]

OR	cpe:2.3:a:nic:knot_resolver::::::::
	cpe:2.3:a:nic:knot_resolver::::::::

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:29:::::::*
	cpe:2.3:o:fedoraproject:fedora:30:::::::*

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10190	Issue Tracking Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMSSWBHINIX4WE6UDXWM66L7JYEK6XS6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZV5YZZ5766UIG2TFLFJL6EESQNAP5X5/
https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html	Release Notes Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2019-07-16T17:50:05

Updated: 2019-07-19T04:06:02

Reserved: 2019-03-27T00:00:00

Link: CVE-2019-10190

JSON object: View

NVD Information

Status : Modified

Published: 2019-07-16T18:15:12.087

Modified: 2024-04-26T07:15:46.890

Link: CVE-2019-10190

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "knot-resolver", "vendor": "CZ.NIC", "versions": [{"status": "affected", "version": "from 3.2.0 before 4.1.0"}]}], "datePublic": "2019-07-10T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability was discovered in DNS resolver component of knot resolver through version 3.2.0 before 4.1.0 which allows remote attackers to bypass DNSSEC validation for non-existence answer. NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of sending a SERVFAIL packet. Caching is not affected by this particular bug but see CVE-2019-10191."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-07-19T04:06:02", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10190"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html"}, {"name": "FEDORA-2019-fdb50c675d", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZV5YZZ5766UIG2TFLFJL6EESQNAP5X5/"}, {"name": "FEDORA-2019-20f95b0b39", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMSSWBHINIX4WE6UDXWM66L7JYEK6XS6/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00017.html"}]}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-10190", "datePublished": "2019-07-16T17:50:05", "dateReserved": "2019-03-27T00:00:00", "dateUpdated": "2019-07-19T04:06:02", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nic:knot_resolver:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B78C5ED-E97D-43E8-9393-AFDF4C259C27", "versionEndIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nic:knot_resolver:*:*:*:*:*:*:*:*", "matchCriteriaId": "0EE2DAAA-1470-4AC9-B1B5-FF7297F2C2EE", "versionEndExcluding": "4.1.0", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was discovered in DNS resolver component of knot resolver through version 3.2.0 before 4.1.0 which allows remote attackers to bypass DNSSEC validation for non-existence answer. NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of sending a SERVFAIL packet. Caching is not affected by this particular bug but see CVE-2019-10191."}, {"lang": "es", "value": "Se detect\u00f3 una vulnerabilidad en el componente de resoluci\u00f3n de DNS de knot resolver hasta la versi\u00f3n 3.2.0 anterior a 4.1.0, que permite a los atacantes remotos omitir la comprobaci\u00f3n DNSSEC para una respuesta de no existencia. La respuesta NXDOMAIN se pasar\u00eda hacia el cliente incluso si fallara la comprobaci\u00f3n DNSSEC, en lugar de enviar un paquete SERVFAIL. El almacenamiento en cach\u00e9 no est\u00e1 afectado por este bug en particular, pero consulte el CVE-2019-10191."}], "id": "CVE-2019-10190", "lastModified": "2024-04-26T07:15:46.890", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-16T18:15:12.087", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10190"}, {"source": "secalert@redhat.com", "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00017.html"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMSSWBHINIX4WE6UDXWM66L7JYEK6XS6/"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZV5YZZ5766UIG2TFLFJL6EESQNAP5X5/"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Secondary"}]}