F5F5:K37661551K37661551 : Unbound DNS Cache vulnerabilities CVE-2020-12662 and CVE-2020-12663
Security Advisory Description
Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an “NXNSAttack” issue. This is triggered by random subdomains in the NSDNAME in NS records.
Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers.
Impact
There are three types of DNS cache configurations available on the BIG-IP system: a transparent cache, a resolver cache, and a validating resolver cache. Only BIG-IP systems licensed for DNS services and using the DNS Cache feature are vulnerable.
Notes:
- The DNS Cache feature is available only when you license the BIG-IP system for DNS Services, but you do NOT have to provision the BIG-IP GTM or BIG-IP DNS module on your BIG-IP system.
- Starting with BIG-IP 12.0.0, F5 renamed BIG-IP GTM to BIG-IP DNS.
DNS Express does not use Unbound and is not vulnerable to either CVE-2020-12662 or CVE-2020-12663.
CVE-2020-12662
When the DNS Cache feature is enabled on the BIG-IP system, an attacker may exploit this vulnerability to generate a large number of communications between the BIG-IP system and the victim’s authoritative DNS server to cause a denial-of-service (DoS) attack.
Note: For more information about NXNSAttack, refer to the NXNSAttack research paper.
CVE-2020-12663
A remote attacker may be able to perform a DoS attack on a DNS cache configured on the BIG-IP system by causing Unbound to become unresponsive.
Related
