CVE-2017-15090
Last modified
CVE-2017-15090 is a vulnerability of currently unknown severity. An issue has been found in the DNSSEC validation component of PowerDNS Recursor from 4.0.0 and up to and including 4.0.6, where the signatures might have been accepted as valid even if the signed data was not in bailiwick of the DNSKEY used to sign it. This allows an attacker in position of man-in-the-middle to alter the content of records by issuing a valid signature for the crafted records.. EPSS estimates a 0.62% chance of exploitation in the next 30 days.
Description
An issue has been found in the DNSSEC validation component of PowerDNS Recursor from 4.0.0 and up to and including 4.0.6, where the signatures might have been accepted as valid even if the signed data was not in bailiwick of the DNSKEY used to sign it. This allows an attacker in position of man-in-the-middle to alter the content of records by issuing a valid signature for the crafted records.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Powerdns | Recursor | >= 4.0.0, <= 4.0.6 |
References
- http://www.securityfocus.com/bid/101982Third Party Advisory, VDB Entry
- https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.htmlPatch, Vendor Advisory
- http://www.securityfocus.com/bid/101982Third Party Advisory, VDB Entry
- https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.htmlPatch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-15090?
How severe is CVE-2017-15090?
How do I fix CVE-2017-15090?
Are you affected by CVE-2017-15090?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST