Description
Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.
References (13)
Core References
Vendor Advisory x_refsource_confirm
https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2020/05/19/5
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F5NFROI2OMCZLYRTCNGHGO3TUD32LCIQ/
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2020/dsa-4694
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJ42N2HBZ3DXMSEC56SWIIOFQGOS5M7I/
Third Party Advisory x_refsource_confirm
https://www.synology.com/security/advisory/Synology_SA_20_12
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4374-1/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00069.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00067.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200702-0006/
Third Party Advisory vendor-advisory
x_refsource_freebsd
https://security.FreeBSD.org/advisories/FreeBSD-SA-20:19.unbound.asc
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html
Technical Description x_refsource_misc
http://www.nxnsattack.com
Scores
CVSS v3: 7.5
EPSS: 0.1551
EPSS Percentile: 94.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE: CWE-400
Status: published
Products (10)
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.10
canonical/ubuntu_linux 20.04
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 31
fedoraproject/fedora 32
nlnetlabs/unbound < 1.10.1
opensuse/leap 15.1
opensuse/leap 15.2
Published: May 19, 2020
Tracked Since: Feb 18, 2026