http://bugzilla.opensuse.org/show_bug.cgi?id=1171900

Bug ID: 1171900
Summary: VUL-0: CVE-2020-12667: knot: NXNSAttack mitigation
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.1
Hardware: Other
URL: https://smash.suse.de/issue/259649/
OS: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Security
Assignee: mrueckert@suse.com
Reporter: rfrohl@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

Hello,

Knot Resolver versions before 5.1.1 allow traffic amplification via a crafted DNS answer from an attacker-controlled server, aka an "NXNSAttack" issue.

A minimal patch is attached but we generally do not recommend backporting. Knot Resolver version 5.1.1 includes mitigation and is available from https://www.knot-resolver.cz/download/

Longer description:
DNS protocol vulnerability NXNSAttack, combined with Insufficient Control of Network Message Volume in the iterator component of CZ.NIC Knot Resolver version 5.1.0 or older, allows a remote attacker to amplify network traffic towards a victim's DNS servers via sending a DNS query to a vulnerable resolver and sending a specially crafted answer from an authoritative server under the attacker's control.

This is a DNS protocol vulnerability affecting basically all DNS recursive resolvers. Other vendors requested separate CVE IDs for mitigation in their products.

Further details:
https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-k...

Research paper:
Paper describing the attack by Lior Shafir, Yehuda Afek, Anat Bremler-Barr is available from http://nxnsattack.com/

--
Petr Špaček @ CZ.NIC

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12667
http://seclists.org/oss-sec/2020/q2/125