Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#13551 closed enhancement (fixed)

unbound-1.10.1

Reported by: Douglas R. Reno Owned by: Bruce Dubbs
Priority: high Milestone: 10.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version

Contains security fixes, unsure of other change notes.


Hello,

Below is a copy of Unbound's CVE description that can be found at
https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt

Regards,
Ralph

==

Two vulnerabilities have been discovered in Unbound: CVE-2020-12662 and
CVE-2020-12663.

== Summary
= CVE-2020-12662
Unbound can be tricked into amplifying an incoming query into a large
number of queries directed to a target.

= CVE-2020-12663
Malformed answers from upstream name servers can be used to make Unbound
unresponsive.

== Affected products
All versions of Unbound up to and including 1.10.0

== Description
= CVE-2020-12662
Researchers from Tel Aviv University discovered an issue in Unbound and
other DNS resolvers that makes it possible to have a single incoming
query result in a large number of outgoing queries. This amplification
makes it possible for Unbound to be used in a denial of service
attack. The researchers discovering this called this attack the NXNSattack.

This attack makes use of cache bypassing using random subdomains in the
NSDNAME in NS records. When these delegation records are received during
iteration, and the answer does not contain glue records, a resolver has
to send out a query to get the IP address for one of the names. When
this query fails (for example because the random name does not exist) a
resolver will try the next one. A large set of NS records with random
names can result in a large number of outgoing queries going to the same
target. More details about this attack are available in the research
paper, available at http://www.nxnsattack.com/.
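To make the amplification in the paragraph above concrete, the following is an added Python model of the mechanism the advisory describes: a resolver that follows a glue-less delegation looks up each NS name in turn, so a referral carrying many unresolvable names under the victim's zone turns one incoming query into many outgoing ones. This is illustrative code written for this page, not Unbound's implementation; the zone names, addresses and the per-delegation lookup cap (standing in for the kind of limit a patched resolver applies) are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Referral:
    """Delegation answer for a zone: NS names, plus glue addresses if any."""
    zone: str
    ns_names: list
    glue: dict = field(default_factory=dict)   # ns name -> address


def parent_zone(name):
    """Zone whose name servers receive the address lookup for `name`."""
    return name.split(".", 1)[1]


class Iterator:
    """Minimal model of a resolver following a delegation.

    `authoritative` maps a name to its address, or to None for NXDOMAIN.
    `max_ns_lookups` bounds the glue-less NS lookups per delegation; None
    models the unbounded behaviour the advisory describes. The cap is an
    assumption for this example, not Unbound's actual fix.
    """

    def __init__(self, authoritative, max_ns_lookups=None):
        self.auth = authoritative
        self.cap = max_ns_lookups
        self.outgoing = []            # (qname, zone that receives the query)

    def lookup_address(self, name):
        # Each NS name is new and unpredictable, so a cache would not help:
        # every lookup becomes a fresh query to the name's parent zone.
        self.outgoing.append((name, parent_zone(name)))
        return self.auth.get(name)

    def resolve_delegation(self, ref):
        """Return an address for one of the zone's name servers, or None."""
        attempts = 0
        for ns in ref.ns_names:
            if ns in ref.glue:
                return ref.glue[ns]
            if self.cap is not None and attempts >= self.cap:
                return None           # give up (SERVFAIL) instead of fanning out
            attempts += 1
            addr = self.lookup_address(ns)
            if addr is not None:
                return addr
        return None


def queries_to(outgoing, zone):
    """Count outgoing queries that land on the name servers of `zone`."""
    return sum(1 for _, z in outgoing if z == zone)


def build_attack_referral(n, victim="victim.example"):
    """Constructed referral: n non-existent NS names under the victim zone."""
    names = [f"rnd{i:04d}.{victim}" for i in range(n)]
    return Referral(zone="attacker.example", ns_names=names)


def amplification(n, cap):
    """Queries the victim zone receives for a single incoming query."""
    ref = build_attack_referral(n)
    it = Iterator(authoritative={}, max_ns_lookups=cap)  # empty: all NXDOMAIN
    it.resolve_delegation(ref)
    return queries_to(it.outgoing, "victim.example")


def legitimate_delegation(cap):
    """A normal glue-less delegation still resolves with the cap in place."""
    it = Iterator({"ns1.hoster.example": "192.0.2.1"}, max_ns_lookups=cap)
    ref = Referral(zone="legit.example", ns_names=["ns1.hoster.example"])
    return it.resolve_delegation(ref), len(it.outgoing)


if __name__ == "__main__":
    print("unbounded:", amplification(100, None), "queries to victim")
    print("capped at 6:", amplification(100, 6), "queries to victim")
    print("legitimate:", legitimate_delegation(6))
```

Running it shows the unbounded iterator sending one query to the victim per NS name in the referral, while the capped iterator stops after a handful and still resolves an ordinary delegation whose single NS name exists.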

= CVE-2020-12663
Fuzzing of the Unbound code made us aware of issues in the parser of
received answers. Malformed answers received from upstream servers can
result in Unbound entering an infinite loop and thereby becoming
unresponsive. When compiled with --enable-debug it is also possible to
trigger an assertion, resulting in Unbound crashing.

== Solution
Download the patched version of Unbound, or apply the patch manually.

+ Downloading patched version
Unbound 1.10.1 is released with the patch
https://nlnetlabs.nl/downloads/unbound/unbound-1.10.1.tar.gz

+ Applying the Patch manually
For Unbound 1.10.0 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_cve_2020-12662_2020-12663.diff

Apply the patch containing fixes for both issues, using:
'patch -p1 < patch_cve_2020-12662_2020-12663.diff'
then run 'make install' to install Unbound.

== Acknowledgments
We would like to thank Lior Shafir, Yehuda Afek, and Anat Bremler-Barr
from Tel Aviv University for their work on the NXNSattack.

We would like to thank the OSS-Fuzz project for the discoveries
resulting in CVE-2020-12663.

Change History (4)

comment:1 by Bruce Dubbs, 4 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Bruce Dubbs, 4 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 23176.

comment:3 by Bruce Dubbs, 4 years ago

Milestone: 9.2 → 10,0

Milestone renamed

comment:4 by Bruce Dubbs, 4 years ago

Milestone: 10,0 → 10.0

Milestone renamed
