CVE-2020-28935
published 2020-12-07
CVE-2020-28935: NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow…
Priority P421 · medium · 5.5 (CVSS 3.1)
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
0.48%
38.1th percentile
NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that allows a local symlink attack. When writing the PID file, Unbound and NSD create the file if it does not exist, or open an existing file for writing. If the file already exists and is a symlink rather than a regular file, they follow the symlink. After the file is written, it is additionally chowned, making the user Unbound/NSD is supposed to run as the new owner of the file. An attacker with local access to the user Unbound/NSD runs as could create a symlink in place of the PID file pointing to a file that she would like to erase. If Unbound/NSD is then killed and the PID file is not cleared, then upon restarting with root privileges Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could cause a denial of service on the system Unbound/NSD is running on. It requires that the attacker has access to the limited-permission user Unbound/NSD runs as and points the symlink at a critical file on the system.
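The open-for-writing behaviour described above, next to a hardened PID-file writer, as an added example in C (not code from Unbound, NSD or this page). The function names, the temporary paths and the `O_NOFOLLOW` plus `fstat` approach are assumptions of this example, not the upstream patch; the symlink and the "victim" file are constructed inside a private temp directory.

```c
#define _XOPEN_SOURCE 700   /* O_NOFOLLOW, dprintf, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Illustrative names, not Unbound/NSD code. Pattern from the description:
 * an existing path is opened for writing, so a symlink there is followed. */
static int write_pid_following(const char *path, long pid) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return errno;
    int rc = dprintf(fd, "%ld\n", pid) > 0 ? 0 : EIO;
    close(fd);
    return rc;
}

/* Hardened: refuse a symlink (ELOOP on Linux); truncate only a singly-linked regular file. */
static int write_pid_nofollow(const char *path, long pid) {
    struct stat st;
    int rc = EINVAL, fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0) return errno;
    if (!fstat(fd, &st) && S_ISREG(st.st_mode) && st.st_nlink == 1 && !ftruncate(fd, 0))
        rc = dprintf(fd, "%ld\n", pid) > 0 ? 0 : EIO;
    close(fd);
    return rc;
}

/* Constructed test bed: daemon.pid -> victim; returns victim's size afterwards. */
static long victim_size_after(int hardened, int *rc) {
    char dir[] = "/tmp/pidlink-XXXXXX", victim[64], pidf[64];
    struct stat st; FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(pidf, sizeof pidf, "%s/daemon.pid", dir);
    if (!(f = fopen(victim, "w"))) return -1;
    fputs("important configuration data\n", f); fclose(f);   /* 29 bytes */
    if (symlink(victim, pidf) != 0) return -1;
    *rc = (hardened ? write_pid_nofollow : write_pid_following)(pidf, 4242);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(pidf); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    int r0 = -1, r1 = -1;
    long s0 = victim_size_after(0, &r0), s1 = victim_size_after(1, &r1);
    return printf("following: rc=%d size=%ld\nnofollow:  rc=%d size=%ld\n", r0, s0, r1, s1) < 0;
}
```

Keeping the PID file in a directory that only root can write to removes the precondition entirely, since the unprivileged service user can no longer place a link at that path.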
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | nsd | < nsd 4.3.4-1 (bookworm) | nsd 4.3.4-1 (bookworm) |
| debian | unbound | < nsd 4.3.4-1 (bookworm) | nsd 4.3.4-1 (bookworm) |
| msrc | cbl2_unbound_1.10.0-5_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_unbound_1.10.0-4_on_cbl_mariner_1.0 | — | — |
| nlnet_labs | nsd | <= 4.3.3 | — |
| nlnet_labs | unbound | <= 1.12.0 | — |
| nlnetlabs | name_server_daemon | < 4.3.4 | 4.3.4 |
| nlnetlabs | nsd | >= 0 < 4.3.4-1 | 4.3.4-1 |
| nlnetlabs | nsd | >= 0 < 4.3.4-1 | 4.3.4-1 |
| nlnetlabs | nsd | >= 0 < 4.3.4-1 | 4.3.4-1 |
| nlnetlabs | nsd | >= 0 < 4.3.4-1 | 4.3.4-1 |
| nlnetlabs | unbound | < 1.13.0 | 1.13.0 |
| nlnetlabs | unbound | >= 0 < 1.13.0-1 | 1.13.0-1 |
| nlnetlabs | unbound | >= 0 < 1.13.0-1 | 1.13.0-1 |
| nlnetlabs | unbound | >= 0 < 1.13.0-1 | 1.13.0-1 |
| nlnetlabs | unbound | >= 0 < 1.13.0-1 | 1.13.0-1 |
CVSS provenance
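| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.5 | MEDIUM | — |
| vendor_debian | — | 5.5 | MEDIUM | — |
| vendor_msrc | — | 5.5 | MEDIUM | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |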
Ubuntu
Unbound vulnerabilities
vendor_ubuntu·2021-05-06
CVE-2019-25031 Unbound vulnerabilities
Title: Unbound vulnerabilities
Summary: Several security issues were fixed in Unbound.
It was discovered that Unbound contained multiple security issues. A
remote attacker could possibly use these issues to cause a denial of
service, inject arbitrary commands, execute arbitrary code, and overwrite
local files.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
Local symlink attack in Unbound and NSD
vendor_msrc·2020-12-08·CVSS 5.5
CVE-2020-28935 [MEDIUM] CWE-59 Local symlink attack in Unbound and NSD
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.micro
Red Hat
unbound: symbolic link traversal when writing PID file
vendor_redhat·2020-09-09·CVSS 5.5
CVE-2020-28935 [MEDIUM] CWE-59 unbound: symbolic link traversal when writing PID file
Debian
CVE-2020-28935: nsd - NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up t...
vendor_debian·2020·CVSS 5.5
CVE-2020-28935 [MEDIUM] CVE-2020-28935: nsd - NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up t...
GHSA
GHSA-q92f-7cwj-w4w5: NLnet Labs Unbound, up to and including version 1
ghsa_unreviewed·2022-05-24
CVE-2020-28935 [MEDIUM] CWE-59 GHSA-q92f-7cwj-w4w5: NLnet Labs Unbound, up to and including version 1
OSV
CVE-2020-28935: NLnet Labs Unbound, up to and including version 1
osv·2020-12-07·CVSS 5.5
CVE-2020-28935 [MEDIUM] CVE-2020-28935: NLnet Labs Unbound, up to and including version 1
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-28935 unbound: symbolic link traversal when writing PID file
bugzilla·2020-09-14·CVSS 5.5
CVE-2020-28935 [MEDIUM] CVE-2020-28935 unbound: symbolic link traversal when writing PID file
A flaw was found in Unbound in the way it writes its PID file during startup. A local attacker with access to the unbound user could abuse this issue to create a symbolic link where unbound is going to write its PID file, so that a following start of unbound would follow the symlink and write the PID in another file chosen by the attacker. This operation could overflow files owned by root on the system.
Upstream issue:
https://github.com/NLnetLabs/unbound/issues/303
Discussion:
Created unbound tracking bugs for this issue:
Affects: fedora-all [bug 1878762]
---
Mitigation:
If SELinux is enabled in Enforcing mode (the default value in Red Hat Enterprise Linux 8), this kind of attack is prevented as unbound would be
Bugzilla
CVE-2020-28935 unbound: symbolic link traversal when writing PID file [fedora-all]
bugzilla·2020-09-14·CVSS 5.5
CVE-2020-28935 [MEDIUM] CVE-2020-28935 unbound: symbolic link traversal when writing PID file [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ver
References
https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html
https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html
https://security.gentoo.org/glsa/202101-38
https://www.nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt
https://www.nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt
Published: 2020-12-07