Bug 1837597 (CVE-2020-12662) - CVE-2020-12662 unbound: amplification of an incoming query into a large number of queries directed to a target
Summary: CVE-2020-12662 unbound: amplification of an incoming query into a large numbe...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-12662
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Petr Sklenar
URL:
Whiteboard:
Depends On: 1837598 1839171 1839172 1839174 1839175 1839176 1839177 1839178 1879514
Blocks: 1837616
TreeView+ depends on / blocked
 
Reported: 2020-05-19 17:36 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-11-08 10:33 UTC (History)
8 users (show)

Fixed In Version: unbound 1.10.1
Doc Type: If docs needed, set a value
Doc Text:
A network amplification vulnerability was found in Unbound, in the way it processes delegation messages from one authoritative zone to another. This flaw allows an attacker to cause a denial of service or be part of an attack against another DNS server when Unbound is deployed as a recursive resolver or authoritative name server.
Clone Of:
Environment:
Last Closed: 2020-06-08 11:20:27 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2510 0 None None None 2020-06-10 17:52:53 UTC
Red Hat Product Errata RHBA-2020:2536 0 None None None 2020-06-11 18:11:17 UTC
Red Hat Product Errata RHBA-2020:2537 0 None None None 2020-06-11 18:34:11 UTC
Red Hat Product Errata RHBA-2020:2887 0 None None None 2020-07-09 15:01:05 UTC
Red Hat Product Errata RHSA-2020:2414 0 None None None 2020-06-08 08:24:30 UTC
Red Hat Product Errata RHSA-2020:2416 0 None None None 2020-06-08 09:37:26 UTC
Red Hat Product Errata RHSA-2020:2418 0 None None None 2020-06-08 10:17:10 UTC
Red Hat Product Errata RHSA-2020:2419 0 None None None 2020-06-08 10:24:39 UTC
Red Hat Product Errata RHSA-2020:2640 0 None None None 2020-06-22 07:21:06 UTC
Red Hat Product Errata RHSA-2020:4181 0 None None None 2020-10-06 14:22:39 UTC

Description Guilherme de Almeida Suckevicz 2020-05-19 17:36:09 UTC
Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.

References:
http://www.openwall.com/lists/oss-security/2020/05/19/5
https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt
http://www.nxnsattack.com

Comment 1 Guilherme de Almeida Suckevicz 2020-05-19 17:36:32 UTC
Created unbound tracking bugs for this issue:

Affects: fedora-all [bug 1837598]

Comment 3 Riccardo Schirone 2020-05-22 15:34:57 UTC
The attack model of this attack involves: one or more DNS clients on the Internet (either directly controlled by the attacker or e.g. through a botnet), an attacker-controlled authoritative DNS system (either bought or a legitimate compromised one) and a regular recursive resolver.

During the DNS resolution process to resolve name xxx.yyyy.zzz, an authoritative name server for e.g. .yyyy.zzz can return a list of names that could help in the resolution of the original request. For each of these new names, Unbound checks whether it is already in cache, otherwise it starts a new resolution process to find out its IP address. Due to the attacker controlling an authoritative DNS system, he can make the server respond to such queries with a long list of non-existent name servers, bypassing the cache system and creating additional queries starting from the recursive resolver.

Depending on the non-existent name servers returned, it is possible to perform 3 kinds of attacks:
1) a recursive resolver attack, which forces the victim recursive resolver to processes a large amount of packets for each two packets the attacker components generate (claimed bandwitdth amplification is 132x)
2) an authoritative Second Level Domain(SLD) attack, where all the name servers in the malicious reply of the attacker controlled name server are sub-domains of a victim SLD (claimed bandwidth amplification is 21x)
3) ROOT/Top Level Domain (TLD) attack, which uses the self delegations technique to increase the number of concurrent referrals to the ROOT name-servers.

Comment 5 Riccardo Schirone 2020-05-22 15:49:47 UTC
Raising the Impact to Important as, according to our Severity ratings, this flaw allows remote users to cause a denial of service.

Comment 16 errata-xmlrpc 2020-06-08 08:24:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2414 https://access.redhat.com/errata/RHSA-2020:2414

Comment 17 errata-xmlrpc 2020-06-08 09:37:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2416 https://access.redhat.com/errata/RHSA-2020:2416

Comment 18 errata-xmlrpc 2020-06-08 10:17:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2418 https://access.redhat.com/errata/RHSA-2020:2418

Comment 19 errata-xmlrpc 2020-06-08 10:24:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2419 https://access.redhat.com/errata/RHSA-2020:2419

Comment 21 Product Security DevOps Team 2020-06-08 11:20:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12662

Comment 26 errata-xmlrpc 2020-06-22 07:21:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:2640 https://access.redhat.com/errata/RHSA-2020:2640

Comment 27 Anna Khaitovich 2020-09-09 09:05:06 UTC
Removing needinfo as the bug is resolved

Comment 30 errata-xmlrpc 2020-10-06 14:22:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:4181 https://access.redhat.com/errata/RHSA-2020:4181


Note You need to log in before you can comment on or make changes to this bug.