Knot Resolver before 5.1.1 allows traffic amplification via a crafted DNS answer from an attacker-controlled server, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.
{"ubuntucve": [{"lastseen": "2023-06-28T13:48:33", "description": "Knot Resolver before 5.1.1 allows traffic amplification via a crafted DNS\nanswer from an attacker-controlled server, aka an \"NXNSAttack\" issue. This\nis triggered by random subdomains in the NSDNAME in NS records.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961076>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-19T00:00:00", "type": "ubuntucve", "title": "CVE-2020-12667", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-12667"], "modified": "2020-05-19T00:00:00", "id": "UB:CVE-2020-12667", "href": "https://ubuntu.com/security/CVE-2020-12667", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "nessus": [{"lastseen": "2023-05-18T15:22:41", "description": "update to upstream version 5.1.3\n\n----\n\n - update to new upstream version\n\n----\n\n - fixes CVE-2020-12667\n\n----\n\nnew upstream release https://www.knot-resolver.cz/2020-04-29-knot-resolver-5.1.0.html\n\n----\n\n - bugfix for 5.0.0 release\n\n----\n\n - see https://knot-resolver.readthedocs.io/en/stable/upgrading .html\n\n - version 5.0 no longer support network interface configuration via systemd sockets and manual upgrade of configuration file is required for upgrades\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-09-21T00:00:00", "type": "nessus", "title": "Fedora 31 : knot-resolver (2020-52e28feab6)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-12667"], "modified": "2020-09-23T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:knot-resolver", "cpe:/o:fedoraproject:fedora:31"], "id": "FEDORA_2020-52E28FEAB6.NASL", "href": "https://www.tenable.com/plugins/nessus/140671", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-52e28feab6.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(140671);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/23\");\n\n script_cve_id(\"CVE-2020-12667\");\n script_xref(name:\"FEDORA\", value:\"2020-52e28feab6\");\n\n script_name(english:\"Fedora 31 : knot-resolver (2020-52e28feab6)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"update to upstream version 5.1.3\n\n----\n\n - update to new upstream version\n\n----\n\n - fixes CVE-2020-12667\n\n----\n\nnew upstream release\nhttps://www.knot-resolver.cz/2020-04-29-knot-resolver-5.1.0.html\n\n----\n\n - bugfix for 5.0.0 release\n\n----\n\n - see\n https://knot-resolver.readthedocs.io/en/stable/upgrading\n .html\n\n - version 5.0 no longer support network interface\n configuration via systemd sockets and manual upgrade of\n configuration file is required for upgrades\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-52e28feab6\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected knot-resolver package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:knot-resolver\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:31\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^31([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 31\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC31\", reference:\"knot-resolver-5.1.3-1.fc31\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"knot-resolver\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:02:09", "description": "- fixes CVE-2020-12667\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-06-04T00:00:00", "type": "nessus", "title": "Fedora 32 : knot-resolver (2020-bf68101ad3)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-12667"], "modified": "2020-06-09T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:knot-resolver", "cpe:/o:fedoraproject:fedora:32"], "id": "FEDORA_2020-BF68101AD3.NASL", "href": "https://www.tenable.com/plugins/nessus/137120", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-bf68101ad3.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(137120);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/09\");\n\n script_cve_id(\"CVE-2020-12667\");\n script_xref(name:\"FEDORA\", value:\"2020-bf68101ad3\");\n\n script_name(english:\"Fedora 32 : knot-resolver (2020-bf68101ad3)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\" - fixes CVE-2020-12667\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-bf68101ad3\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected knot-resolver package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:knot-resolver\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 32\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC32\", reference:\"knot-resolver-5.1.1-1.fc32\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"knot-resolver\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2020-06-03T15:39:26", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-05-29T00:00:00", "type": "openvas", "title": "Fedora: Security Advisory for knot-resolver (FEDORA-2020-bf68101ad3)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-12667"], "modified": "2020-05-29T00:00:00", "id": "OPENVAS:1361412562310877891", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877891", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877891\");\n script_version(\"2020-05-29T08:53:11+0000\");\n script_cve_id(\"CVE-2020-12667\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-29 08:53:11 +0000 (Fri, 29 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-29 03:29:20 +0000 (Fri, 29 May 2020)\");\n script_name(\"Fedora: Security Advisory for knot-resolver (FEDORA-2020-bf68101ad3)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC32\");\n\n script_xref(name:\"FEDORA\", value:\"2020-bf68101ad3\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/76Y4FITMOH6RVPWAANGV7NB2ZHPJJGDQ\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'knot-resolver'\n package(s) announced via the FEDORA-2020-bf68101ad3 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Knot Resolver is a DNSSEC-enabled caching full resolver implementation\nwritten in C and LuaJIT, including both a resolver library and a daemon.\nModular architecture of the library keeps the core tiny and efficient, and\nprovides a state-machine like API for extensions.\n\nThe package is pre-configured as local caching resolver.\nTo start using it, start a single kresd instance:\n$ systemctl start kresd(a)1.service\");\n\n script_tag(name:\"affected\", value:\"'knot-resolver' package(s) on Fedora 32.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC32\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"knot-resolver\", rpm:\"knot-resolver~5.1.1~1.fc32\", rls:\"FC32\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-05-27T17:53:26", "description": "Knot Resolver is prone to a denial of service vulnerability (NXNSAttack).", "cvss3": {}, "published": "2020-05-20T00:00:00", "type": "openvas", "title": "Knot Resolver < 5.1.1 NXNSAttack Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-12667"], "modified": "2020-05-26T00:00:00", "id": "OPENVAS:1361412562310143941", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310143941", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:nic:knot_resolver\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.143941\");\n script_version(\"2020-05-26T08:07:04+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-26 08:07:04 +0000 (Tue, 26 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-20 03:16:44 +0000 (Wed, 20 May 2020)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_cve_id(\"CVE-2020-12667\");\n\n script_tag(name:\"qod_type\", value:\"executable_version_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Knot Resolver < 5.1.1 NXNSAttack Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"gb_knot_resolver_detect.nasl\");\n script_mandatory_keys(\"knot/resolver/detected\");\n\n script_tag(name:\"summary\", value:\"Knot Resolver is prone to a denial of service vulnerability (NXNSAttack).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Knot Resolver allows traffic amplification via a crafted DNS answer from\n an attacker-controlled server, aka an 'NXNSAttack' issue. This is triggered by random subdomains in the\n NSDNAME in NS records.\");\n\n script_tag(name:\"affected\", value:\"Knot Resolver prior to version 5.1.1.\");\n\n script_tag(name:\"solution\", value:\"Update to version 5.1.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.knot-resolver.cz/2020-05-19-knot-resolver-5.1.1.html\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!infos = get_app_version_and_location(cpe: CPE, exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif (version_is_less(version: version, test_version: \"5.1.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.1.1\", install_path: location);\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "fedora": [{"lastseen": "2023-05-28T15:02:51", "description": "The Knot Resolver is a DNSSEC-enabled caching full resolver implementation written in C and LuaJIT, including both a resolver library and a daemon. Modular architecture of the library keeps the core tiny and efficient, and provides a state-machine like API for extensions. The package is pre-configured as local caching resolver. To start using it, start a single kresd instance: $ systemctl start kresd(a)1.service ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-28T04:15:32", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: knot-resolver-5.1.1-1.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-12667"], "modified": "2020-05-28T04:15:32", "id": "FEDORA:8A9C76066BB5", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/76Y4FITMOH6RVPWAANGV7NB2ZHPJJGDQ/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-06T15:26:39", "description": "The Knot Resolver is a DNSSEC-enabled caching full resolver implementation written in C and LuaJIT, including both a resolver library and a daemon. Modular architecture of the library keeps the core tiny and efficient, and provides a state-machine like API for extensions. The package is pre-configured as local caching resolver. To start using it, start a single kresd instance: $ systemctl start kresd(a)1.service ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-09-17T15:11:28", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: knot-resolver-5.1.3-1.fc31", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-12667"], "modified": "2020-09-17T15:11:28", "id": "FEDORA:19EA930A6A20", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2EYFPLVYWBEOPXNFW5V2BBVB3XKBDLN4/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debiancve": [{"lastseen": "2023-06-06T14:55:52", "description": "Knot Resolver before 5.1.1 allows traffic amplification via a crafted DNS answer from an attacker-controlled server, aka an \"NXNSAttack\" issue. This is triggered by random subdomains in the NSDNAME in NS records.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-19T13:15:00", "type": "debiancve", "title": "CVE-2020-12667", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-12667"], "modified": "2020-05-19T13:15:00", "id": "DEBIANCVE:CVE-2020-12667", "href": "https://security-tracker.debian.org/tracker/CVE-2020-12667", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2023-06-06T14:19:40", "description": "Knot Resolver before 5.1.1 allows traffic amplification via a crafted DNS answer from an attacker-controlled server, aka an \"NXNSAttack\" issue. This is triggered by random subdomains in the NSDNAME in NS records.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-19T13:15:00", "type": "cve", "title": "CVE-2020-12667", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-12667"], "modified": "2020-05-28T07:15:00", "cpe": [], "id": "CVE-2020-12667", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12667", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": []}], "veracode": [{"lastseen": "2022-07-26T16:40:58", "description": "Knot Resolver before 5.1.1 allows traffic amplification via a crafted DNS answer from an attacker-controlled server, aka an \"NXNSAttack\" issue. This is triggered by random subdomains in the NSDNAME in NS records.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-06T21:39:28", "type": "veracode", "title": "NXNSAttack", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-12667"], "modified": "2022-04-19T18:22:02", "id": "VERACODE:26262", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-26262/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:38:28", "description": "[](<https://thehackernews.com/images/-6Otjc0K81YI/XsURC2K9ILI/AAAAAAAAAWk/ZEwHO_G_M44DRlxyIjuMdBu0qhni6LYugCLcBGAsYHQ/s728-e100/dns-server-ddos-attack.jpg>)\n\nIsraeli cybersecurity researchers have disclosed details about a new flaw impacting DNS protocol that can be exploited to launch amplified, large-scale distributed denial-of-service (DDoS) attacks to takedown targeted websites. \n \nCalled [NXNSAttack](<https://www.nxnsattack.com/>), the flaw hinges on the DNS delegation mechanism to force DNS resolvers to generate more DNS queries to authoritative servers of attacker's choice, potentially causing a botnet-scale disruption to online services. \n \n\"We show that the number of DNS messages exchanged in a typical resolution process might be much higher in practice than what is expected in theory, mainly due to a proactive resolution of name-servers' IP addresses,\" the [researchers said](<https://www.nxnsattack.com/dns-ns-paper.pdf>) in the paper. \n \n\"We show how this inefficiency becomes a bottleneck and might be used to mount a devastating attack against either or both, recursive resolvers and authoritative servers.\" \n \nFollowing responsible disclosure of NXNSAttack, several of the companies in charge of the internet infrastructure, including PowerDNS ([CVE-2020-10995](<https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html>)), [CZ.NIC](<https://www.knot-resolver.cz/2020-05-19-knot-resolver-5.1.1.html>) (CVE-2020-12667), Cloudflare, Google, Amazon, Microsoft, Oracle-owned Dyn, Verisign, and IBM Quad9, have patched their software to address the problem. \n \nThe DNS infrastructure has been previously at the receiving end of a rash of DDoS attacks through the infamous [Mirai botnet](<https://thehackernews.com/2020/03/zyxel-mukashi-mirai-iot-botnet.html>), including those against Dyn DNS service in 2016, crippling some of the world's biggest sites, including Twitter, Netflix, Amazon, and Spotify. \n \n\n\n## The NXNSAttack Method\n\n \nA [recursive DNS lookup](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/reviewing-dns-concepts>) happens when a DNS server communicates with multiple authoritative DNS servers in a hierarchical sequence to locate an IP address associated with a domain (e.g., www.google.com) and return it to the client. \n \nThis resolution typically starts with the DNS resolver controlled by your ISPs or public DNS servers, like Cloudflare (1.1.1.1) or Google (8.8.8.8), whichever is configured with your system. \n \nThe resolver passes the request to an authoritative DNS name server if it's unable to locate the IP address for a given domain name. \n \nBut if the first authoritative DNS name server also doesn't hold the desired records, it returns the delegation message with addresses to the next authoritative servers to which DNS resolver can query. \n \n\n\n[](<https://thehackernews.com/images/-q6dPf38Ekzg/XsTkGbgXytI/AAAAAAAA2yo/j2oWAN8PDXUkALAI5cDwxiPBYISc3HcNACLcBGAsYHQ/s728-e100/dns-server-ddos-attack.jpg>)\n\n \nIn other words, an authoritative server tells the recursive resolver: \"I do not know the answer, go and query these and these name servers, e.g., ns1, ns2, etc., instead\". \n \nThis hierarchical process goes on until the DNS resolver reaches the correct authoritative server that provides the domain's IP address, allowing the user to access the desired website. \n \nResearchers found that these large undesired overheads can be exploited to trick recursive resolvers into forcefully continuously sending a large number of packets to a targeted domain instead of legitimate authoritative servers. \n \nIn order to mount the attack through a recursive resolver, the attacker must be in possession of an authoritative server, the researchers said. \n \n\"This can be easily achieved by buying a domain name. An adversary who acts as an authoritative server can craft any NS referral response as an answer to di\ufb00erent DNS queries,\" the researchers said. \n \nThe NXNSAttack works by sending a request for an attacker-controlled domain (e.g., \"attacker.com\") to a vulnerable DNS resolving server, which would forward the DNS query to the attacker-controlled authoritative server. \n \nInstead of returning addresses to the actual authoritative servers, the attacker-controlled authoritative server responds to the DNS query with a list of fake server names or subdomains controlled by the threat actor that points to a victim DNS domain. \n \nThe DNS server, then, forwards the query to all the nonexistent subdomains, creating a massive surge in traffic to the victim site. \n \nThe researchers said the attack can amplify the number of packets exchanged by the recursive resolver by as much as a factor of more than 1,620, thereby overwhelming not only the DNS resolvers with more requests they can handle, but also flood the target domain with superfluous requests and take it down. \n \n\n\n[](<https://thehackernews.com/images/-F2uU3Dxl9cg/XsTllgfwZzI/AAAAAAAA2y0/Vf_blpDs8_ge_MqBw1gPHj6u6rL3Dwr_gCLcBGAsYHQ/s728-e100/dns-server-ddos-attack-1.jpg>)\n\n \nWhat's more, using a botnet such as the Mirai as a DNS client can further augment the scale of the attack. \n \n\"Controlling and acquiring a huge number of clients and a large number of authoritative NSs by an attacker is easy and cheap in practice,\" the researchers said. \n \n\"Our initial goal was to investigate the efficiency of recursive resolvers and their behavior under different attacks, and we ended up finding a new seriously looking vulnerability, the NXNSAttack,\" the researchers concluded. \n \n\"The key ingredients of the new attack are (i) the ease with which one can own or control an authoritative name server, and (ii) the usage of nonexistent domain names for name servers and (iii) the extra redundancy placed in the DNS structure to achieve fault tolerance and fast response time,\" they added. \n \nIt's highly recommended that network administrators who run their own DNS servers update their DNS resolver software to the latest version.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-20T11:16:00", "type": "thn", "title": "New DNS Vulnerability Lets Attackers Launch Large-Scale DDoS Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10995", "CVE-2020-12667"], "modified": "2020-05-20T11:16:00", "id": "THN:B16A54F3A6063EA035782D8584261F00", "href": "https://thehackernews.com/2020/05/dns-server-ddos-attack.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}
CVE-2020-12667
