Insufficient Control of Network Message Volume (Network Amplification) Affecting unbound-libs package, versions <0:1.7.3-11.el8_2
Threat Intelligence
EPSS
1.54% (88th percentile)
- Snyk ID SNYK-CENTOS8-UNBOUNDLIBS-2040164
- published 26 Jul 2021
- disclosed 19 May 2020
How to fix?
Upgrade Centos:8 unbound-libs to version 0:1.7.3-11.el8_2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream unbound-libs package and not to the unbound-libs package as distributed by Centos.
See How to fix? for the relevant Centos:8 fixed versions and status.
Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.
References
- https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt
- https://security.netapp.com/advisory/ntap-20200702-0006/
- https://www.synology.com/security/advisory/Synology_SA_20_12
- https://access.redhat.com/security/cve/CVE-2020-12662
- https://www.debian.org/security/2020/dsa-4694
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F5NFROI2OMCZLYRTCNGHGO3TUD32LCIQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJ42N2HBZ3DXMSEC56SWIIOFQGOS5M7I/
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:19.unbound.asc
- http://www.nxnsattack.com
- https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html
- http://www.openwall.com/lists/oss-security/2020/05/19/5
- https://access.redhat.com/errata/RHSA-2020:2416
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00067.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00069.html
- https://usn.ubuntu.com/4374-1/
CVSS Scores
version 3.1