CVE-2020-12662
published 2020-05-19CVE-2020-12662: Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in…
PriorityP341high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
3.17%
86.4th percentile
Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | unbound | < unbound 1.10.1-1 (bookworm) | unbound 1.10.1-1 (bookworm) |
| debian | unbound | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | cbl2_unbound_1.10.0-5_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_unbound_1.10.0-3_on_cbl_mariner_1.0 | — | — |
| nlnetlabs | unbound | < 1.10.1 | 1.10.1 |
| nlnetlabs | unbound | — | — |
| nlnetlabs | unbound | — | — |
| nlnetlabs | unbound | >= 0 < 1.10.1-1 | 1.10.1-1 |
| nlnetlabs | unbound | >= 0 < 1.10.1-1 | 1.10.1-1 |
| nlnetlabs | unbound | >= 0 < 1.10.1-1 | 1.10.1-1 |
| nlnetlabs | unbound | >= 0 < 1.10.1-1 | 1.10.1-1 |
| nlnetlabs | unbound | >= 0 < 1.6.7-1ubuntu2.3 | 1.6.7-1ubuntu2.3 |
| nlnetlabs | unbound | >= 0 < 1.9.4-2ubuntu1.1 | 1.9.4-2ubuntu1.1 |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv7.5HIGH
vendor_debian7.5HIGH
vendor_msrc7.5HIGH
vendor_redhat7.5HIGH
vendor_ubuntu7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
BSD
FreeBSD-SA-20:19.unbound: Multiple vulnerabilities in unbound
bsd_advisories·2020-07-08·CVSS 7.5
CVE-2020-12662 [HIGH] FreeBSD-SA-20:19.unbound: Multiple vulnerabilities in unbound
FreeBSD-SA-20:19.unbound Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in unbound
Category: contrib
Module: unbound
Announced: 2020-07-08
Affects: All supported versions of FreeBSD.
Corrected: 2020-05-24 16:47:27 UTC (stable/12, 12.1-STABLE)
2020-07-08 20:25:06 UTC (releng/12.1, 12.1-RELEASE-p7)
2020-05-24 11:47:27 UTC (stable/11, 11.4-STABLE)
2020-07-08 20:22:38 UTC (releng/11.4, 11.4-RELEASE-p1)
2020-07-08 20:20:59 UTC (releng/11.3, 11.3-RELEASE-p11)
CVE Name: CVE-2020-12662, CVE-2020-12663
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
Unbound is a validating, recursive, and caching DNS resolver.
II. Problem Description
Ma
Red Hat
unbound: incomplete fix for CVE-2020-12662 in RHEL7
vendor_redhat·2020-06-10·CVSS 7.5
CVE-2020-10772 [HIGH] CWE-406 unbound: incomplete fix for CVE-2020-12662 in RHEL7
unbound: incomplete fix for CVE-2020-12662 in RHEL7
An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:2414. Vulnerable versions of Unbound could still amplify an incoming query into a large number of queries directed to a target, even with a lower amplification ratio compared to versions of Unbound that shipped before the mentioned erratum. This issue is about the incomplete fix for CVE-2020-12662, and it does not affect upstream versions of Unbound.
An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:2414. Vulnerable versions of Unbound could still amplify an incoming query into a large number of queries directed to a target, even with a lower ampli
Ubuntu
Unbound vulnerabilities
vendor_ubuntu·2020-05-27·CVSS 7.5
CVE-2020-12662 [HIGH] Unbound vulnerabilities
Title: Unbound vulnerabilities
Summary: Several security issues were fixed in Unbound.
Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Unbound
incorrectly handled certain queries. A remote attacker could use this issue
to perform an amplification attack directed at a target. (CVE-2020-12662)
It was discovered that Unbound incorrectly handled certain malformed
answers. A remote attacker could possibly use this issue to cause Unbound
to crash, resulting in a denial of service. (CVE-2020-12663)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
unbound: amplification of an incoming query into a large number of queries directed to a target
vendor_redhat·2020-05-19·CVSS 7.5
CVE-2020-12662 [HIGH] CWE-406 unbound: amplification of an incoming query into a large number of queries directed to a target
unbound: amplification of an incoming query into a large number of queries directed to a target
Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.
A network amplification vulnerability was found in Unbound, in the way it processes delegation messages from one authoritative zone to another. This flaw allows an attacker to cause a denial of service or be part of an attack against another DNS server when Unbound is deployed as a recursive resolver or authoritative name server.
Microsoft
Unbound before 1.10.1 has Insufficient Control of Network Message Volume aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.
vendor_msrc·2020-05-12·CVSS 7.5
CVE-2020-12662 [HIGH] CWE-400 Unbound before 1.10.1 has Insufficient Control of Network Message Volume aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.
Unbound before 1.10.1 has Insufficient Control of Network Message Volume aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner:
Debian
CVE-2020-10772: unbound - An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterpri...
vendor_debian·2020·CVSS 7.5
CVE-2020-10772 [HIGH] CVE-2020-10772: unbound - An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterpri...
An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:2414. Vulnerable versions of Unbound could still amplify an incoming query into a large number of queries directed to a target, even with a lower amplification ratio compared to versions of Unbound that shipped before the mentioned erratum. This issue is about the incomplete fix for CVE-2020-12662, and it does not affect upstream versions of Unbound.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
Debian
CVE-2020-12662: unbound - Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an...
vendor_debian·2020·CVSS 7.5
CVE-2020-12662 [HIGH] CVE-2020-12662: unbound - Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an...
Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.
Scope: local
bookworm: resolved (fixed in 1.10.1-1)
bullseye: resolved (fixed in 1.10.1-1)
forky: resolved (fixed in 1.10.1-1)
sid: resolved (fixed in 1.10.1-1)
trixie: resolved (fixed in 1.10.1-1)
GHSA
GHSA-g6qm-p3jr-vj64: An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:2414
ghsa_unreviewed·2022-05-24·CVSS 7.5
CVE-2020-10772 [HIGH] CWE-400 GHSA-g6qm-p3jr-vj64: An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:2414
An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:2414. Vulnerable versions of Unbound could still amplify an incoming query into a large number of queries directed to a target, even with a lower amplification ratio compared to versions of Unbound that shipped before the mentioned erratum. This issue is about the incomplete fix for CVE-2020-12662, and it does not affect upstream versions of Unbound.
GHSA
GHSA-w2pr-2387-vxgh: Unbound before 1
ghsa_unreviewed·2022-05-24
CVE-2020-12662 [MEDIUM] CWE-674 GHSA-w2pr-2387-vxgh: Unbound before 1
Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.
OSV
unbound vulnerabilities
osv·2020-05-27·CVSS 7.5
CVE-2020-12662 [HIGH] unbound vulnerabilities
unbound vulnerabilities
Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Unbound
incorrectly handled certain queries. A remote attacker could use this issue
to perform an amplification attack directed at a target. (CVE-2020-12662)
It was discovered that Unbound incorrectly handled certain malformed
answers. A remote attacker could possibly use this issue to cause Unbound
to crash, resulting in a denial of service. (CVE-2020-12663)
OSV
CVE-2020-12662: Unbound before 1
osv·2020-05-19·CVSS 7.5
CVE-2020-12662 [HIGH] CVE-2020-12662: Unbound before 1
Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-10772 unbound: incomplete fix for CVE-2020-12662 in RHEL7
bugzilla·2020-06-10·CVSS 7.5
CVE-2020-10772 [HIGH] CVE-2020-10772 unbound: incomplete fix for CVE-2020-12662 in RHEL7
CVE-2020-10772 unbound: incomplete fix for CVE-2020-12662 in RHEL7
The fix for CVE-2020-12662 as shipped in Red Hat Enterprise Linux 7 (with version 1.6.6-4.el7_8 of Unbound delivered with https://access.redhat.com/errata/RHSA-2020:2414) is not complete and it still allows amplification of an incoming query into a bigger number of queries directed to a target. This issue is about the incomplete fix for CVE-2020-12662 and it does not affect upstream versions of unbound.
For more details about the original issue, refer to bug 1837597.
Discussion:
Even though the original fix for CVE-2020-12662 was incomplete, it slightly improved the situation over an unpatched version of Unbound, reducing the amplification ratio of a possible attack.
---
This issue has been addressed in the following
Bugzilla
CVE-2020-12662 unbound: amplification of an incoming query into a large number of queries directed to a target [fedora-all]
bugzilla·2020-05-19·CVSS 7.5
CVE-2020-12662 [HIGH] CVE-2020-12662 unbound: amplification of an incoming query into a large number of queries directed to a target [fedora-all]
CVE-2020-12662 unbound: amplification of an incoming query into a large number of queries directed to a target [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE:
Bugzilla
CVE-2020-12662 unbound: amplification of an incoming query into a large number of queries directed to a target
bugzilla·2020-05-19·CVSS 7.5
CVE-2020-12662 [HIGH] CVE-2020-12662 unbound: amplification of an incoming query into a large number of queries directed to a target
CVE-2020-12662 unbound: amplification of an incoming query into a large number of queries directed to a target
Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.
References:
http://www.openwall.com/lists/oss-security/2020/05/19/5
https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt
http://www.nxnsattack.com
Discussion:
Created unbound tracking bugs for this issue:
Affects: fedora-all [bug 1837598]
---
Upstream fix:
https://github.com/NLnetLabs/unbound/commit/ba0f382eee814e56900a535778d13206b86b6d49
---
The attack model of this attack involves: one or more DNS clients on the Internet (either directly controlled by the attacker or e.g. through a botn
Bugzilla
CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
bugzilla·2020-05-19·CVSS 7.5
CVE-2020-12663 [HIGH] CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers.
References:
http://www.openwall.com/lists/oss-security/2020/05/19/5
https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt
Discussion:
Created unbound tracking bugs for this issue:
Affects: fedora-all [bug 1837609]
---
Upstream fix:
https://github.com/NLnetLabs/unbound/commit/ba0f382eee814e56900a535778d13206b86b6d49
---
In reply to comment #2:
> Upstream fix:
> https://github.com/NLnetLabs/unbound/commit/
> ba0f382eee814e56900a535778d13206b86b6d49
According to https://github.com/NLnetLabs/unbound/issues/243#issuecomment-637298509, the changes related to this particular CVE
arXiv
ResolverFuzz: Automated Discovery of DNS Resolver Vulnerabilities with Query-Response Fuzzing
arxiv_fulltext·2023-10-04
ResolverFuzz: Automated Discovery of DNS Resolver Vulnerabilities with Query-Response Fuzzing
: Automated Discovery of DNS Resolver Vulnerabilities with Query-Response Fuzzing
https://faculty.sites.uci.edu/zhouli/research/ Qifan Zhang ,
https://faculty.sites.uci.edu/zhouli/research/ Xuesong Bai ,
https://netsec.ccert.edu.cn/people/lx19 Xiang Li ,
https://netsec.ccert.edu.cn/people/duanhx/ Haixin Duan ,
https://netsec.ccert.edu.cn/people/qli/ Qi Li , and
https://faculty.sites.uci.edu/zhouli/ Zhou Li
Corresponding authors. Most of Xiang Li's work was done when visiting UCI as a project specialist.
https://uci.edu/University of California, Irvine,
https://www.tsinghua.edu.cn/en/Tsinghua University
Zhongguancun Laboratory,
https://www.qcl.edu.cn/Quan Cheng Laboratory
## Abstract
Domain Name System (DNS) is a critical component of the Internet. DNS resolvers, which act as the cache
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00067.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-06/msg00069.htmlhttp://www.nxnsattack.comhttp://www.openwall.com/lists/oss-security/2020/05/19/5https://lists.debian.org/debian-lts-announce/2021/02/msg00017.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F5NFROI2OMCZLYRTCNGHGO3TUD32LCIQ/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJ42N2HBZ3DXMSEC56SWIIOFQGOS5M7I/https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txthttps://security.FreeBSD.org/advisories/FreeBSD-SA-20:19.unbound.aschttps://security.netapp.com/advisory/ntap-20200702-0006/https://usn.ubuntu.com/4374-1/https://www.debian.org/security/2020/dsa-4694https://www.synology.com/security/advisory/Synology_SA_20_12http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00067.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-06/msg00069.htmlhttp://www.nxnsattack.comhttp://www.openwall.com/lists/oss-security/2020/05/19/5https://lists.debian.org/debian-lts-announce/2021/02/msg00017.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F5NFROI2OMCZLYRTCNGHGO3TUD32LCIQ/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJ42N2HBZ3DXMSEC56SWIIOFQGOS5M7I/https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txthttps://security.FreeBSD.org/advisories/FreeBSD-SA-20:19.unbound.aschttps://security.netapp.com/advisory/ntap-20200702-0006/https://usn.ubuntu.com/4374-1/https://www.debian.org/security/2020/dsa-4694https://www.synology.com/security/advisory/Synology_SA_20_12
2020-05-19
Published