CVE-2019-19794 - OpenCVE

The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Miekg-dns Project	Miekg-dns

Configuration 1 [-]

cpe:2.3:a:miekg-dns_project:miekg-dns:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/coredns/coredns/issues/3519	Issue Tracking Third Party Advisory
https://github.com/coredns/coredns/issues/3547	Third Party Advisory
https://github.com/miekg/dns/compare/v1.1.24...v1.1.25	Release Notes Third Party Advisory
https://github.com/miekg/dns/issues/1043	Exploit Issue Tracking Third Party Advisory
https://github.com/miekg/dns/pull/1044	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-12-13T21:46:59

Updated: 2019-12-18T04:01:37

Reserved: 2019-12-13T00:00:00

Link: CVE-2019-19794

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-12-13T22:15:11.357

Modified: 2020-01-02T17:36:47.200

Link: CVE-2019-19794

JSON object: View

Redhat Information

No data.

CWE

CWE-338

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-12-18T04:01:37", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/miekg/dns/issues/1043"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/coredns/coredns/issues/3519"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/miekg/dns/pull/1044"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/miekg/dns/compare/v1.1.24...v1.1.25"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/coredns/coredns/issues/3547"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-19794", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/miekg/dns/issues/1043", "refsource": "MISC", "url": "https://github.com/miekg/dns/issues/1043"}, {"name": "https://github.com/coredns/coredns/issues/3519", "refsource": "MISC", "url": "https://github.com/coredns/coredns/issues/3519"}, {"name": "https://github.com/miekg/dns/pull/1044", "refsource": "MISC", "url": "https://github.com/miekg/dns/pull/1044"}, {"name": "https://github.com/miekg/dns/compare/v1.1.24...v1.1.25", "refsource": "MISC", "url": "https://github.com/miekg/dns/compare/v1.1.24...v1.1.25"}, {"name": "https://github.com/coredns/coredns/issues/3547", "refsource": "CONFIRM", "url": "https://github.com/coredns/coredns/issues/3547"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-19794", "datePublished": "2019-12-13T21:46:59", "dateReserved": "2019-12-13T00:00:00", "dateUpdated": "2019-12-18T04:01:37", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:miekg-dns_project:miekg-dns:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F0F7709-230B-4274-AF38-B3704AD451AB", "versionEndExcluding": "1.1.25", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries."}, {"lang": "es", "value": "El paquete DNS de miekg Go versiones anteriores a la versi\u00f3n 1.1.25, como es usado en CoreDNS versiones anteriores a la versi\u00f3n 1.6.6 y otros productos, genera n\u00fameros aleatorios inapropiadamente porque math/rand es usado. El TXID se vuelve predecible, conllevando a falsificaciones de respuesta."}], "id": "CVE-2019-19794", "lastModified": "2020-01-02T17:36:47.200", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-13T22:15:11.357", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/coredns/coredns/issues/3519"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/coredns/coredns/issues/3547"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/miekg/dns/compare/v1.1.24...v1.1.25"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/miekg/dns/issues/1043"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/miekg/dns/pull/1044"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}], "source": "nvd@nist.gov", "type": "Primary"}]}