#VU29248 Resource exhaustion in Knot Resolver - CVE-2020-12667


Vulnerability identifier: #VU29248

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-12667

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Knot Resolver
Server applications / Other server solutions

Vendor: Nic

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing NSDNAME in NS records. A remote attacker can perform traffic amplification via a crafted DNS answer from an attacker-controlled server. This vulnerability is dubbed "NXNSAttack".

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Knot Resolver: 1.0 - 5.1.0

External links
https://cyber-security-group.cs.tau.ac.il/#
https://www.openwall.com/lists/oss-security/2020/05/19/2
https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/76Y4FITMOH6RVPWAANGV7NB2ZHPJJGDQ/
https://www.knot-resolver.cz/2020-05-19-knot-resolver-5.1.1.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Ubuntu update for knot-resolver
Fedora 31 update for knot-resolver
Fedora 31 update for knot-resolver
Resource exhaustion in knot-resolver (Alpine package)
DNS amplification attack in Knot Resolver
Fedora 30 update for knot-resolver
Fedora 31 update for knot-resolver
Fedora EPEL 7 update for knot-resolver
Fedora EPEL 8 update for knot-resolver
Fedora 32 update for knot-resolver