ArchLinux: 202005-14: unbound: denial of service

    Date 01 Jun 2020
    117
    Posted By LinuxSecurity Advisories
    The package unbound before version 1.10.1-1 is vulnerable to denial of service.
    Arch Linux Security Advisory ASA-202005-14
    ==========================================
    
    Severity: High
    Date    : 2020-05-20
    CVE-ID  : CVE-2020-12662 CVE-2020-12663
    Package : unbound
    Type    : denial of service
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1164
    
    Summary
    =======
    
    The package unbound before version 1.10.1-1 is vulnerable to denial of
    service.
    
    Resolution
    ==========
    
    Upgrade to 1.10.1-1.
    
    # pacman -Syu "unbound>=1.10.1-1"
    
    The problems have been fixed upstream in version 1.10.1.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2020-12662 (denial of service)
    
    An issue has been found in unbound before 1.10.1, that makes it
    possible to have a single incoming query result in a large number of
    outgoing queries. This amplification makes it possible for Unbound to
    be used in a denial of service attack. The researchers discovering this
    called this attack the NXNSattack.This attack makes use of cache
    bypassing using random subdomains in the NSDNAME in NS records. When
    these delegation records are received during iteration, and the answer
    does not contain glue records, a resolver has to send out a query to
    the get the IP address for one of the names. When this query fails (for
    example because the random name does not exist) a resolver will try the
    next one. A large set of NS records with random names can result in a
    large number of outgoing queries going to the same target.
    
    - CVE-2020-12663 (denial of service)
    
    A security issue has been found in Unbound before 1.1.0.1, in the
    parser of received answers. Malformed answers received from upstream
    servers can result in Unbound entering an infinite loop and thereby
    becoming unresponsive.
    
    Impact
    ======
    
    A remote attacker can use the recursor has an amplification vector to
    cause a denial of service via a crafted reply. In addition, a remote
    attacker can crash the application via a crafted request.
    
    References
    ==========
    
    https://nlnetlabs.nl/projects/unbound/security-advisories/
    https://nlnetlabs.nl/downloads/unbound/patch_cve_2020-12662_2020-12663.diff
    https://www.nxnsattack.com/
    https://security.archlinux.org/CVE-2020-12662
    https://security.archlinux.org/CVE-2020-12663
    

    LinuxSecurity Poll

    How do you feel about the elimination of the terms 'blacklist' and 'slave' from the Linux kernel?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/32-how-do-you-feel-about-the-elimination-of-the-terms-blacklist-and-slave-from-the-linux-kernel?task=poll.vote&format=json
    32
    radio
    [{"id":"112","title":"I strongly support this change - racially charged language should not be used in the code and documentation of the kernel and other open-source projects.","votes":"7","type":"x","order":"1","pct":18.42,"resources":[]},{"id":"113","title":"I'm indifferent - this small change will not affect broader issues of racial insensitivity and white privilege.","votes":"4","type":"x","order":"2","pct":10.53,"resources":[]},{"id":"114","title":"I'm opposed to this change - there is no need to change language that has been used for years. It doesn't make sense for people to take offense to terminology used in community projects.","votes":"27","type":"x","order":"3","pct":71.05,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.