Medium severity5.9NVD Advisory· Published Jul 8, 2017· Updated May 13, 2026

CVE-2017-11104

Description

Knot DNS before 2.4.5 and 2.5.x before 2.5.2 contains a flaw within the TSIG protocol implementation that would allow an attacker with a valid key name and algorithm to bypass TSIG authentication if no additional ACL restrictions are set, because of an improper TSIG validity period check.

Affected products

Knot Dns/Knot DNS3 versions
cpe:2.3:a:knot-dns:knot_dns:*:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:knot-dns:knot_dns:*:*:*:*:*:*:*:*range: <=2.4.4
- cpe:2.3:a:knot-dns:knot_dns:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:knot-dns:knot_dns:2.5.1:*:*:*:*:*:*:*
Debian/Debian Linux3 versions
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.htmlnvdBroken LinkMailing ListPatchThird Party Advisory
www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdfnvdExploitMitigationPatchThird Party Advisory
www.debian.org/security/2017/dsa-3910nvdThird Party Advisory
bugs.debian.org/865678nvdIssue TrackingThird Party Advisory
lists.opensuse.org/opensuse-security-announce/2020-07/msg00076.htmlnvdBroken Link
lists.opensuse.org/opensuse-security-announce/2020-07/msg00078.htmlnvdBroken Link
lists.opensuse.org/opensuse-security-announce/2020-07/msg00089.htmlnvdBroken Link
lists.opensuse.org/opensuse-security-announce/2020-09/msg00049.htmlnvdBroken Link
www.securityfocus.com/bid/99598nvdBroken Link

News mentions

No linked articles in our index yet.

cvss	0.384
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000