CVE-2020-12663
Published 2020-05-19
CVE-2020-12663: Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers.
Priority: P3 38 · high 7.5 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 3.59% (88.0th percentile)
Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | unbound | < unbound 1.10.1-1 (bookworm) | unbound 1.10.1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | cbl2_unbound_1.10.0-5_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_unbound_1.10.0-3_on_cbl_mariner_1.0 | — | — |
| nlnetlabs | unbound | < 1.10.1 | 1.10.1 |
| nlnetlabs | unbound | >= 0 < 1.10.1-1 | 1.10.1-1 |
| nlnetlabs | unbound | >= 0 < 1.10.1-1 | 1.10.1-1 |
| nlnetlabs | unbound | >= 0 < 1.10.1-1 | 1.10.1-1 |
| nlnetlabs | unbound | >= 0 < 1.10.1-1 | 1.10.1-1 |
| nlnetlabs | unbound | >= 0 < 1.6.7-1ubuntu2.3 | 1.6.7-1ubuntu2.3 |
| nlnetlabs | unbound | >= 0 < 1.9.4-2ubuntu1.1 | 1.9.4-2ubuntu1.1 |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
BSD
FreeBSD-SA-20:19.unbound: Multiple vulnerabilities in unbound
bsd_advisories·2020-07-08·CVSS 7.5
CVE-2020-12662 [HIGH] FreeBSD-SA-20:19.unbound: Multiple vulnerabilities in unbound
FreeBSD-SA-20:19.unbound Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in unbound
Category: contrib
Module: unbound
Announced: 2020-07-08
Affects: All supported versions of FreeBSD.
Corrected: 2020-05-24 16:47:27 UTC (stable/12, 12.1-STABLE)
2020-07-08 20:25:06 UTC (releng/12.1, 12.1-RELEASE-p7)
2020-05-24 11:47:27 UTC (stable/11, 11.4-STABLE)
2020-07-08 20:22:38 UTC (releng/11.4, 11.4-RELEASE-p1)
2020-07-08 20:20:59 UTC (releng/11.3, 11.3-RELEASE-p11)
CVE Name: CVE-2020-12662, CVE-2020-12663
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
Unbound is a validating, recursive, and caching DNS resolver.
II. Problem Description
Ma
Ubuntu
Unbound vulnerabilities
vendor_ubuntu·2020-05-27·CVSS 7.5
CVE-2020-12662 [HIGH] Unbound vulnerabilities
Title: Unbound vulnerabilities
Summary: Several security issues were fixed in Unbound.
Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Unbound
incorrectly handled certain queries. A remote attacker could use this issue
to perform an amplification attack directed at a target. (CVE-2020-12662)
It was discovered that Unbound incorrectly handled certain malformed
answers. A remote attacker could possibly use this issue to cause Unbound
to crash, resulting in a denial of service. (CVE-2020-12663)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
unbound: infinite loop via malformed DNS answers received from upstream servers
vendor_redhat·2020-05-19·CVSS 7.5
CVE-2020-12663 [HIGH] CWE-20 unbound: infinite loop via malformed DNS answers received from upstream servers
unbound: infinite loop via malformed DNS answers received from upstream servers
Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers.
A flaw was found in unbound in versions prior to 1.10.1. An infinite loop can be created when malformed DNS answers are received from upstream servers. The highest threat from this vulnerability is to system availability.
Microsoft
Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers.
vendor_msrc·2020-05-12·CVSS 7.5
CVE-2020-12663 [HIGH] CWE-835 Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers.
Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
mitre: mitre
Customer Action Required: Yes
Remediation: C
Debian
CVE-2020-12663: unbound - Unbound before 1.10.1 has an infinite loop via malformed DNS answers received fr...
vendor_debian·2020·CVSS 7.5
CVE-2020-12663 [HIGH] CVE-2020-12663: unbound - Unbound before 1.10.1 has an infinite loop via malformed DNS answers received fr...
Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers.
Scope: local
bookworm: resolved (fixed in 1.10.1-1)
bullseye: resolved (fixed in 1.10.1-1)
forky: resolved (fixed in 1.10.1-1)
sid: resolved (fixed in 1.10.1-1)
trixie: resolved (fixed in 1.10.1-1)
GHSA
GHSA-rhjg-fh2p-jpv5: Unbound before 1
ghsa_unreviewed·2022-05-24
CVE-2020-12663 [MEDIUM] CWE-835 GHSA-rhjg-fh2p-jpv5: Unbound before 1
Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers.
OSV
unbound vulnerabilities
osv·2020-05-27·CVSS 7.5
CVE-2020-12662 [HIGH] unbound vulnerabilities
unbound vulnerabilities
Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Unbound
incorrectly handled certain queries. A remote attacker could use this issue
to perform an amplification attack directed at a target. (CVE-2020-12662)
It was discovered that Unbound incorrectly handled certain malformed
answers. A remote attacker could possibly use this issue to cause Unbound
to crash, resulting in a denial of service. (CVE-2020-12663)
OSV
CVE-2020-12663: Unbound before 1
osv·2020-05-19·CVSS 7.5
CVE-2020-12663 [HIGH] CVE-2020-12663: Unbound before 1
Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers [fedora-all]
bugzilla·2020-05-19·CVSS 7.5
CVE-2020-12663 [HIGH] CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers [fedora-all]
CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affec
Bugzilla
CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
bugzilla·2020-05-19·CVSS 7.5
CVE-2020-12663 [HIGH] CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers.
References:
http://www.openwall.com/lists/oss-security/2020/05/19/5
https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt
Discussion:
Created unbound tracking bugs for this issue:
Affects: fedora-all [bug 1837609]
---
Upstream fix:
https://github.com/NLnetLabs/unbound/commit/ba0f382eee814e56900a535778d13206b86b6d49
---
In reply to comment #2:
> Upstream fix:
> https://github.com/NLnetLabs/unbound/commit/
> ba0f382eee814e56900a535778d13206b86b6d49
According to https://github.com/NLnetLabs/unbound/issues/243#issuecomment-637298509, the changes related to this particular CVE
References:
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00067.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00069.html
- http://www.openwall.com/lists/oss-security/2020/05/19/5
- https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F5NFROI2OMCZLYRTCNGHGO3TUD32LCIQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJ42N2HBZ3DXMSEC56SWIIOFQGOS5M7I/
- https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:19.unbound.asc
- https://usn.ubuntu.com/4374-1/
- https://www.debian.org/security/2020/dsa-4694

Published: 2020-05-19