Date: Tue, 19 May 2020 12:40:00 +0200 From: Petr Špaček <petr.spacek@....cz> To: oss-security@...ts.openwall.com Subject: [CVE-2020-12667] Knot Resolver 5.1.1 NXNSAttack mitigation -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello, Knot Resolver versions before 5.1.1 allows traffic amplification via a crafted DNS answer from an attacker-controlled server, aka an "NXNSAttack" issue. Minimal patch is attached but we generally do not recommend backporting. Knot Resolver version 5.1.1 includes mitigation and is available from https://www.knot-resolver.cz/download/ Longer description: DNS protocol vulnerability NXNSAttack, combined with Insufficient Control of Network Message Volume in iterator component of CZ.NIC Knot Resolver version 5.1.0 or older allows remote attacker to amplify network traffic towards victim's DNS servers via sending DNS query a vulnerable resolver and sending specially crafted answer from authoritative server under attacker's control. This is DNS protocol vulnerability affecting basically all DNS recursive resolvers. Other vendors requested separate CVE IDs for mitigation in their products. Further details: https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/ Research paper: Paper describing the attack by Lior Shafir, Yehuda Afek, Anat Bremler-Barr is available from http://nxnsattack.com/ - -- Petr Špaček @ CZ.NIC -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEvibrucvgWbORDKNbzo3WoaUKIeQFAl7Dt3gACgkQzo3WoaUK IeQJRg/9H8H19V7ond79EwN1rElEy+Hf1mp1IOqRZfDs23q0eIjfAi1epDRRBSVl wVp/OdQhE/qIcla/mNO1BvTAh9OwGk3QwMpoi6GuIIiSLcs/YRk8T3O3LTn0+sF1 7DUZc70HGICxdQmoja17Clv3mNz5GWkjuGJXyEuNZwVQa3A5hJrkfGz7vuTHXNmp h0CG9LIhvyuaP6SOxcE3Zl4iNDqnMgdCv1047ijVgUgkrA2Of0vOkDCHCV9Ee1mF 4TMuhpMREyWqtaoDF7I3ush0MabkD2sixgTZQ0So7xhtPm33/d+z5iYYak65qtny qT9zeLp8HzBW35TnG3eDUbuaEOtw/dmWX3LGJXvjxv2pWxiYlAWchT6vWqqrLC5a 4YJ06T4Yy3e4dsVkOi+ozV4MrRCWZQ/lj6rKRWvnbE9zkSSUsp7FXbpPlYpwHoIs VEqkzhxtwceH0y3WlmdRgM/SrSUFe31CHJrA/W7mdkkNOQi0vM/Dxr0YmGnZJQHK kfKkRklsk3at09h2tT/oK51mvyUQycV/dWlgBLkkN4u/PPe5rH5Sw308x74h/G4b sBJ7W61yXeV1BvyNsiGyUMNAQOwZ8hGXnQlrgW7K4RGsi0b8KxuwmQ/nRWdFf/Gn WXV6GdvF1S2IbHbqClZPKi3gt8exXd37K3YeIpPRX44gt82Rq8s= =J8cL -----END PGP SIGNATURE----- View attachment "CVE-2020-12667.patch" of type "text/x-patch" (4400 bytes) Download attachment "CVE-2020-12667.patch.sig" of type "application/octet-stream" (566 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.