CVE-2019-10190 : What You Need to Know
Learn about CVE-2019-10190 affecting Knot Resolver before 4.1.0, allowing attackers to bypass DNSSEC validation, compromising DNS data integrity and confidentiality.
Knot Resolver before 4.1.0 allows attackers to bypass DNSSEC validation, impacting confidentiality and integrity.
Understanding CVE-2019-10190
An issue in the DNS resolver module of Knot Resolver enables attackers to circumvent DNSSEC validation for non-existent answers.
What is CVE-2019-10190?
The vulnerability in Knot Resolver up to version 3.2.0 before 4.1.0 allows the transmission of incorrect NXDOMAIN answers despite DNSSEC validation failure.
The Impact of CVE-2019-10190
- Attackers can bypass DNSSEC validation, compromising the authenticity of DNS responses.
- Confidentiality and integrity of DNS data can be at risk due to the incorrect transmission of NXDOMAIN answers.
Technical Details of CVE-2019-10190
Knot Resolver vulnerability details and affected systems.
Vulnerability Description
The bug in Knot Resolver allows the transmission of incorrect NXDOMAIN answers, impacting DNSSEC validation.
Affected Systems and Versions
- Product: Knot Resolver
- Vendor: CZ.NIC
- Versions Affected: from 3.2.0 before 4.1.0
Exploitation Mechanism
- Attack Complexity: Low
- Attack Vector: Network
- Privileges Required: Low
- User Interaction: None
Mitigation and Prevention
Steps to mitigate and prevent the CVE-2019-10190 vulnerability.
Immediate Steps to Take
- Update Knot Resolver to version 4.1.0 or later to address the vulnerability.
- Monitor DNS traffic for any suspicious activity.
Long-Term Security Practices
- Regularly update and patch DNS resolver software.
- Implement DNSSEC to enhance DNS security.
- Conduct regular security audits and assessments.
Patching and Updates
- Apply patches provided by CZ.NIC to fix the vulnerability in Knot Resolver.