| Bug ID | 1171900 |
|---|---|
| Summary | VUL-0: CVE-2020-12667: knot: NXNSAttack mitigation |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | Leap 15.1 |
| Hardware | Other |
| URL | https://smash.suse.de/issue/259649/ |
| OS | Other |
| Status | NEW |
| Severity | Minor |
| Priority | P5 - None |
| Component | Security |
| Assignee | mrueckert@suse.com |
| Reporter | rfrohl@suse.com |
| QA Contact | security-team@suse.de |
| Found By | Security Response Team |
| Blocker | --- |
Hello, Knot Resolver versions before 5.1.1 allows traffic amplification via a crafted DNS answer from an attacker-controlled server, aka an "NXNSAttack" issue. Minimal patch is attached but we generally do not recommend backporting. Knot Resolver version 5.1.1 includes mitigation and is available from https://www.knot-resolver.cz/download/ Longer description: DNS protocol vulnerability NXNSAttack, combined with Insufficient Control of Network Message Volume in iterator component of CZ.NIC Knot Resolver version 5.1.0 or older allows remote attacker to amplify network traffic towards victim's DNS servers via sending DNS query a vulnerable resolver and sending specially crafted answer from authoritative server under attacker's control. This is DNS protocol vulnerability affecting basically all DNS recursive resolvers. Other vendors requested separate CVE IDs for mitigation in their products. Further details: https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/ Research paper: Paper describing the attack by Lior Shafir, Yehuda Afek, Anat Bremler-Barr is available from http://nxnsattack.com/ - -- Petr ��pa��ek @ CZ.NIC References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12667 http://seclists.org/oss-sec/2020/q2/125