Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

[CVE-2020-12667] Knot Resolver 5.1.1 NXNSAttack mitigation

Related Vulnerabilities: CVE-2020-12667  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
[CVE-2020-12667] Knot Resolver 5.1.1 NXNSAttack mitigation

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Petr Špaček &lt;petr.spacek () nic cz&gt;

Date: Tue, 19 May 2020 12:40:00 +0200

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

Knot Resolver versions before 5.1.1 allows traffic amplification via
a crafted DNS answer from an attacker-controlled server, aka an "NXNSAttack" issue.

Minimal patch is attached but we generally do not recommend backporting.

Knot Resolver version 5.1.1 includes mitigation and is available from
https://www.knot-resolver.cz/download/

Longer description:
DNS protocol vulnerability NXNSAttack, combined with Insufficient
Control of Network Message Volume in iterator component of CZ.NIC Knot
Resolver version 5.1.0 or older allows remote attacker to amplify
network traffic towards victim's DNS servers via sending DNS query a
vulnerable resolver and sending specially crafted answer from
authoritative server under attacker's control.

This is DNS protocol vulnerability affecting basically all DNS
recursive resolvers. Other vendors requested separate CVE IDs for
mitigation in their products.

Further details:
https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/

Research paper:
Paper describing the attack by Lior Shafir, Yehuda Afek, Anat
Bremler-Barr is available from http://nxnsattack.com/

- -- 
Petr Špaček  @  CZ.NIC

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEvibrucvgWbORDKNbzo3WoaUKIeQFAl7Dt3gACgkQzo3WoaUK
IeQJRg/9H8H19V7ond79EwN1rElEy+Hf1mp1IOqRZfDs23q0eIjfAi1epDRRBSVl
wVp/OdQhE/qIcla/mNO1BvTAh9OwGk3QwMpoi6GuIIiSLcs/YRk8T3O3LTn0+sF1
7DUZc70HGICxdQmoja17Clv3mNz5GWkjuGJXyEuNZwVQa3A5hJrkfGz7vuTHXNmp
h0CG9LIhvyuaP6SOxcE3Zl4iNDqnMgdCv1047ijVgUgkrA2Of0vOkDCHCV9Ee1mF
4TMuhpMREyWqtaoDF7I3ush0MabkD2sixgTZQ0So7xhtPm33/d+z5iYYak65qtny
qT9zeLp8HzBW35TnG3eDUbuaEOtw/dmWX3LGJXvjxv2pWxiYlAWchT6vWqqrLC5a
4YJ06T4Yy3e4dsVkOi+ozV4MrRCWZQ/lj6rKRWvnbE9zkSSUsp7FXbpPlYpwHoIs
VEqkzhxtwceH0y3WlmdRgM/SrSUFe31CHJrA/W7mdkkNOQi0vM/Dxr0YmGnZJQHK
kfKkRklsk3at09h2tT/oK51mvyUQycV/dWlgBLkkN4u/PPe5rH5Sw308x74h/G4b
sBJ7W61yXeV1BvyNsiGyUMNAQOwZ8hGXnQlrgW7K4RGsi0b8KxuwmQ/nRWdFf/Gn
WXV6GdvF1S2IbHbqClZPKi3gt8exXd37K3YeIpPRX44gt82Rq8s=
=J8cL
-----END PGP SIGNATURE-----
Attachment:
CVE-2020-12667.patch
Description: 
Attachment:
CVE-2020-12667.patch.sig
Description: 

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

[CVE-2020-12667] Knot Resolver 5.1.1 NXNSAttack mitigation Petr Špaček (May 19)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started