A flaw was found in Unbound in the way it writes its PID file during startup. A local attacker with access to the unbound user could abuse this issue to create a symbolic link where unbound is going to write its PID file, so that a following start of unbound would follow the symlink and write the PID in another file chosen by the attacker. This operation could overflow files owned by root on the system. Upstream issue: https://github.com/NLnetLabs/unbound/issues/303
Created unbound tracking bugs for this issue: Affects: fedora-all [bug 1878762]
Mitigation: If SELinux is enabled in Enforcing mode (the default value in Red Hat Enterprise Linux 8), this kind of attack is prevented as unbound would be blocked from accessing the symbolic link file.
Acknowledgments: Name: Mason Loring Bliss (Red Hat)
Upstream patch: https://github.com/NLnetLabs/unbound/commit/ad387832979b6ce4c93f64fe706301cd7d034e87
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1853 https://access.redhat.com/errata/RHSA-2021:1853
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-28935
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0632 https://access.redhat.com/errata/RHSA-2022:0632