CVE-2020-12662

7.5 HIGH

📋 TL;DR

CVE-2020-12662 is an amplification vulnerability in the Unbound DNS resolver, the resolver-side half of the NXNSAttack. An attacker who controls a zone answers a single query with a referral carrying many NS records whose names sit under a target zone (for example random subdomains of victim.example) and no glue. A vulnerable Unbound then issues a separate lookup for every one of those NS names, so one client query becomes many outgoing queries: the resolver exhausts its own request slots and CPU, and it floods the target zone's authoritative servers. Any system running an affected Unbound version as a recursive resolver is exposed. The root cause is insufficient control of network message volume (CWE-406).

💻 Affected Systems

Products:
  • Unbound DNS resolver
Versions: 1.10.0 and all earlier releases (fixed in 1.10.1)
Operating Systems: Linux, BSD, other Unix-like systems (any platform Unbound builds on)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects instances that perform recursion themselves. A forward-only instance does not chase delegations, so the fan-out happens at the upstream resolver it forwards to; it is still exposed indirectly if that upstream is vulnerable.

📦 What is this software?

Unbound is a validating, recursive, caching DNS resolver developed by NLnet Labs. It is the packaged resolver on many Linux and BSD systems and is widely run by ISPs and enterprises as the recursive resolver that clients and servers point at.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete DNS resolver unavailability due to resource exhaustion, disrupting all DNS resolution for dependent systems and potentially causing cascading network failures.

🟠

Likely Case

Degraded DNS performance, increased latency, and intermittent service disruptions affecting applications relying on DNS resolution.

🟢

If Mitigated

Minimal impact once patched; per-zone rate limiting bounds whatever outgoing query volume a crafted referral can still trigger.

🌐 Internet-Facing: HIGH - DNS resolvers are typically internet-facing and directly exposed to malicious queries.
🏢 Internal Only: MEDIUM - Internal DNS resolvers could be targeted through compromised internal systems or lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attacker needs no credentials: one unauthenticated query to the resolver for a name in an attacker-controlled zone starts each amplification round, so the only prerequisite is control of an authoritative server that returns the crafted referral. The technique was published by its researchers at nxnsattack.com.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.1 and later

Vendor Advisory: https://nlnetlabs.nl/projects/unbound/security-advisories/

Restart Required: Yes

Instructions:

1. Back up the current configuration (unbound.conf and any included files).
2. Update to Unbound 1.10.1 or later via the package manager or a source build.
3. Validate the configuration against the new binary with unbound-checkconf.
4. Restart the Unbound service (a full restart is required for the new binary to take effect).
5. Verify the service is running and resolving correctly, for example by querying it for a name that is not already cached.

🔧 Temporary Workarounds

Rate limiting configuration

linux

ratelimit caps the number of queries per second Unbound sends to any single zone while recursing, which directly bounds the fan-out a crafted referral can cause toward a target zone; ratelimit-size is the memory reserved for the tracking table. ratelimit is 0 (off) by default. Pick the value from your own traffic: too low a limit makes legitimately busy zones SERVFAIL.

Add to unbound.conf:
  server:
      ratelimit: 1000
      ratelimit-size: 4m

Query validation hardening

linux

These two settings are DNSSEC validator options, not controls on query volume. val-permissive-mode: no is the default (validation failures return SERVFAIL instead of the bogus answer) and val-clean-additional: yes is the default (unsigned additional data is stripped from validated responses). Neither limits the NS-target lookups this CVE exploits, so do not count them as a mitigation for CVE-2020-12662; keep them at these values for DNSSEC hygiene only.

Add to unbound.conf:
  server:
      val-permissive-mode: no
      val-clean-additional: yes

🧯 If You Can't Patch

  • Implement network-level rate limiting using firewall rules to limit DNS query volume
  • Deploy DNS query filtering/proxying solution in front of vulnerable Unbound instances

🔍 How to Verify

Check if Vulnerable:

unbound -V prints "Version X.Y.Z" on its first line (capital V), so unbound -V | grep version matches nothing. Read the first line directly:

unbound -V | head -n 1

Check Version:

unbound -V

Verify Fix Applied:

The version must be 1.10.1 or later. A pattern such as version 1\.1[0-9] is wrong because it also matches the vulnerable 1.10.0; compare the three components numerically instead:

unbound -V | awk 'NR==1 { split($2, v, "."); fixed = (v[1]+0 > 1) || (v[1]+0 == 1 && (v[2]+0 > 10 || (v[2]+0 == 10 && v[3]+0 >= 1))); print (fixed ? "fixed" : "VULNERABLE") }'

Distribution packages sometimes backport the fix without changing the upstream version number; check the package changelog for CVE-2020-12662 before trusting the version alone.
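The same check as a small script, added here as an example (not code from the Unbound project or from this page's vendor advisory). It parses the "Version X.Y.Z" line that unbound -V prints, compares the components as integers rather than with a regex, and reports whether the installed binary predates the 1.10.1 fix. The only assumption is the first-line format of unbound -V; the binary name defaults to unbound and can be overridden.

```python
import re
import subprocess

# CVE-2020-12662 is fixed in Unbound 1.10.1; anything numerically lower is affected.
FIXED_IN = (1, 10, 1)

# Assumption: `unbound -V` prints "Version X.Y.Z" on its first line (capital V),
# followed by the configure line and linked libraries.
VERSION_RE = re.compile(r"^\s*[Vv]ersion\s+(\d+)\.(\d+)(?:\.(\d+))?", re.MULTILINE)


def parse_unbound_version(output):
    """Return (major, minor, patch) from `unbound -V` output, or None if no version line."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version):
    """Tuple comparison: (1, 10, 0) < (1, 10, 1) is vulnerable, (1, 13, 1) is not."""
    return tuple(version) < FIXED_IN


def check_installed(binary="unbound"):
    """Run the local binary and classify it. Returns (version_or_None, verdict)."""
    try:
        proc = subprocess.run([binary, "-V"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None, "unbound binary not found"
    version = parse_unbound_version(proc.stdout)
    if version is None:
        return None, "could not parse version from `unbound -V` output"
    if is_vulnerable(version):
        return version, "VULNERABLE (older than 1.10.1)"
    return version, "fixed (1.10.1 or later)"


if __name__ == "__main__":
    v, verdict = check_installed()
    print(f"unbound {'.'.join(map(str, v)) if v else '?'}: {verdict}")
```

A "fixed" verdict only says the upstream version number is at or past 1.10.1. Distribution packages may carry the fix under an older version string, so a vulnerable verdict on a packaged build should be confirmed against the package changelog before raising a ticket.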

📡 Detection & Monitoring

Log Indicators:

  • Unusual spike in client queries, concentrated on names under one zone
  • Many queries for distinct, never-repeated subdomains of the same parent name (cache-busting labels)
  • Unbound does not log CPU or memory use; take those from host metrics and from unbound-control stats counters such as total.requestlist.exceeded and total.recursion.time.avg, which rise when the request list fills with stalled recursions

Network Indicators:

  • Abnormal client query patterns: a high count of distinct subdomains under one parent name from a single source
  • Bursts of outgoing queries from the resolver toward a single zone's authoritative servers (the resolver acting as amplifier), out of proportion to the client queries that caused them

SIEM Query:

Unbound log lines never contain the strings "random", "NXNS" or "amplification", so a search for them returns nothing. With log-queries: yes each client query is logged as info: <client> <qname> <qtype> <qclass>; count distinct names per parent domain per client instead. In Splunk-style syntax (tune the threshold to your traffic):

source="unbound.log" "info:" | rex "info: (?<client>\S+) (?<qname>\S+) (?<qtype>\S+) (?<qclass>\S+)" | rex field=qname "^[^.]+\.(?<parent>.+)$" | bin _time span=1m | stats dc(qname) AS distinct_names BY _time client parent | where distinct_names > 50
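The "many distinct subdomains under one parent" indicator above, implemented as a stand-alone detector over log-queries output. This is an added example, not part of the page or of Unbound; it assumes the log line shape Unbound writes with log-queries: yes and use-syslog: no ("[epoch] unbound[pid:thread] info: <client> <qname> <qtype> <qclass>") and runs over constructed sample lines, not captured traffic. It sees client queries only; the resolver's own outgoing NS-target lookups are not in this log, so pair it with the unbound-control stats counters listed above.

```python
import re
from collections import defaultdict

# Assumed format (Unbound with `log-queries: yes`, `use-syslog: no`):
#   [epoch] unbound[pid:thread] info: <client-ip> <qname> <qtype> <qclass>
QUERY_RE = re.compile(
    r"\[(?P<ts>\d+)\]\s+unbound\[[^\]]*\]\s+info:\s+"
    r"(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)"
)


def parse_query_line(line):
    """Return a dict for a log-queries line, or None for any other log line."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    q = m.groupdict()
    q["ts"] = int(q["ts"])
    q["qname"] = q["qname"].rstrip(".").lower()
    return q


def parent_zone(qname):
    """Strip the leftmost label: 'k9z1.attacker.example' -> 'attacker.example'."""
    labels = qname.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else qname


def find_subdomain_bursts(lines, window_s=60, threshold=50):
    """Flag (client, parent_zone) pairs that asked for >= threshold distinct names
    under one parent inside any window_s-second window. Returns {pair: peak_distinct}."""
    events = defaultdict(list)
    for line in lines:
        q = parse_query_line(line)
        if q is not None:
            events[(q["client"], parent_zone(q["qname"]))].append((q["ts"], q["qname"]))

    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        in_window = {}  # qname -> occurrences inside the current window
        start = 0
        for ts, name in evs:
            in_window[name] = in_window.get(name, 0) + 1
            # slide the left edge forward past events older than window_s
            while evs[start][0] < ts - window_s:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(in_window))
    return alerts


def constructed_sample():
    """Constructed log lines (not captured traffic): one client repeating a few names,
    and a second client issuing a fresh cache-busting label under one zone every second."""
    base = 1589900000
    lines = []
    for i in range(40):
        lines.append(f"[{base + i}] unbound[1234:0] info: 192.0.2.20 www.example.com. A IN")
        lines.append(f"[{base + i}] unbound[1234:0] info: 192.0.2.20 mail.example.com. MX IN")
    for i in range(80):
        lines.append(f"[{base + i}] unbound[1234:0] info: 192.0.2.10 {i:06x}.attacker.example. A IN")
    lines.append("[1589900050] unbound[1234:0] notice: init module 0: validator")  # not a query
    return lines


if __name__ == "__main__":
    for (client, parent), peak in sorted(find_subdomain_bursts(constructed_sample()).items()):
        print(f"ALERT client={client} parent={parent} distinct_names_in_window={peak}")
```

The heuristic is cardinality, not randomness: it does not try to score label entropy, so a CDN or anti-spam lookup pattern that legitimately produces many unique labels under one parent will also trip it. Whitelist those parents or raise the threshold per client rather than disabling the rule. parent_zone strips exactly one label, so names nested two levels deep (a.b.attacker.example) group under b.attacker.example; group on the registrable domain if you have a public-suffix list available.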
