CVE-2019-19331

7.5 HIGH

📋 TL;DR

Knot Resolver DNS software before version 4.3.0 is vulnerable to denial of service through CPU exhaustion. Attackers can send DNS replies containing thousands of resource records, causing inefficient processing that consumes several CPU seconds per uncached message. This affects all systems running vulnerable versions of Knot Resolver as a DNS resolver.

💻 Affected Systems

Products:
  • Knot Resolver
Versions: All versions before 4.3.0
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using Knot Resolver as a DNS resolver. The vulnerability is triggered when processing DNS replies with many resource records (up to 64kB limit).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage where DNS resolution becomes unavailable due to CPU exhaustion, potentially affecting all dependent services.

🟠

Likely Case

Degraded DNS resolution performance causing timeouts and service disruptions for applications relying on DNS lookups.

🟢

If Mitigated

Minimal impact with proper rate limiting, caching, and network segmentation in place.

🌐 Internet-Facing: HIGH - DNS resolvers are typically internet-facing and can be targeted by external attackers sending malicious DNS replies.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but it requires network access to send DNS replies to the resolver.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted DNS replies to the resolver, which is straightforward for attackers with network access to the target.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.0 and later

Vendor Advisory: https://www.knot-resolver.cz/2019-12-04-knot-resolver-4.3.0.html

Restart Required: Yes

Instructions:

1. Backup current configuration.
2. Stop Knot Resolver service.
3. Update to version 4.3.0 or later using package manager.
4. Restart Knot Resolver service.
5. Verify service is running correctly.

🔧 Temporary Workarounds

Rate limiting DNS queries

linux

Implement rate limiting on DNS queries to reduce impact of malicious traffic

# Using iptables to limit DNS queries: accept up to 50 packets/second per protocol,
# then drop the excess (the limit match alone does nothing without a following DROP rule)
sudo iptables -A INPUT -p udp --dport 53 -m limit --limit 50/second -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j DROP
sudo iptables -A INPUT -p tcp --dport 53 -m limit --limit 50/second -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 53 -j DROP

DNS response size limiting

linux

Configure firewall to block DNS responses larger than typical size

# Drop UDP DNS responses larger than 4KB. Replies arrive from source port 53 of the
# upstream server (--sport 53); --dport 53 would match incoming queries instead.
sudo iptables -A INPUT -p udp --sport 53 -m length --length 4096:65535 -j DROP

🧯 If You Can't Patch

  • Implement network segmentation to isolate DNS resolver from untrusted networks
  • Deploy intrusion detection/prevention systems to monitor for anomalous DNS traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check Knot Resolver version: 'kresd --version' or 'knot-resolver --version'. If the version is below 4.3.0, the system is vulnerable.

Check Version:

kresd --version || knot-resolver --version

Verify Fix Applied:

After update, run 'kresd --version' or 'knot-resolver --version' and confirm version is 4.3.0 or higher.

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes in system logs
  • Increased DNS query processing times
  • DNS timeout errors in application logs

Network Indicators:

  • Unusually large DNS responses (approaching 64kB)
  • High volume of DNS traffic to resolver
  • DNS responses with thousands of resource records

SIEM Query:

source="knot-resolver.log" AND ("high cpu" OR "slow processing" OR "timeout")
