CVE-2020-28935

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system.

References

https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html

https://security.gentoo.org/glsa/202101-38

https://www.nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt

https://www.nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt

Details

Source: MITRE

Published: 2020-12-07

Updated: 2021-02-12

Type: CWE-59

Risk Information

CVSS v2

Base Score: 2.1

Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 3.9

Severity: LOW

CVSS v3

Base Score: 5.5

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 1.8

Severity: MEDIUM

Tenable Plugins

View all (25 total)

IDNameProductFamilySeverity
153267EulerOS 2.0 SP2 : unbound (EulerOS-SA-2021-2436)NessusHuawei Local Security Checks
critical
151378EulerOS Virtualization 3.0.2.2 : unbound (EulerOS-SA-2021-2172)NessusHuawei Local Security Checks
high
151275Amazon Linux 2 : unbound (ALAS-2021-1683)NessusAmazon Linux Local Security Checks
critical
149938Oracle Linux 8 : unbound (ELSA-2021-1853)NessusOracle Linux Local Security Checks
critical
149745CentOS 8 : unbound (CESA-2021:1853)NessusCentOS Local Security Checks
critical
149675RHEL 8 : unbound (RHSA-2021:1853)NessusRed Hat Local Security Checks
critical
149324Ubuntu 18.04 LTS / 20.04 LTS : Unbound vulnerabilities (USN-4938-1)NessusUbuntu Local Security Checks
critical
149150EulerOS 2.0 SP3 : unbound (EulerOS-SA-2021-1857)NessusHuawei Local Security Checks
medium
148040EulerOS 2.0 SP5 : unbound (EulerOS-SA-2021-1709)NessusHuawei Local Security Checks
medium
147670EulerOS Virtualization 2.9.0 : unbound (EulerOS-SA-2021-1634)NessusHuawei Local Security Checks
high
147617EulerOS Virtualization 2.9.1 : unbound (EulerOS-SA-2021-1629)NessusHuawei Local Security Checks
high
147596EulerOS Virtualization for ARM 64 3.0.2.0 : unbound (EulerOS-SA-2021-1401)NessusHuawei Local Security Checks
medium
147520EulerOS Virtualization 3.0.2.6 : unbound (EulerOS-SA-2021-1426)NessusHuawei Local Security Checks
medium
147099EulerOS Virtualization for ARM 64 3.0.6.0 : unbound (EulerOS-SA-2021-1579)NessusHuawei Local Security Checks
medium
147055EulerOS Virtualization 3.0.6.6 : unbound (EulerOS-SA-2021-1523)NessusHuawei Local Security Checks
medium
146862Photon OS 1.0: Unbound PHSA-2021-1.0-0362NessusPhotonOS Local Security Checks
medium
146778Photon OS 3.0: Unbound PHSA-2021-3.0-0197NessusPhotonOS Local Security Checks
medium
146770Photon OS 2.0: Unbound PHSA-2021-2.0-0320NessusPhotonOS Local Security Checks
medium
146527Debian DLA-2556-1 : unbound1.9 security updateNessusDebian Local Security Checks
high
145740EulerOS 2.0 SP8 : unbound (EulerOS-SA-2021-1176)NessusHuawei Local Security Checks
medium
145564GLSA-202101-38 : NSD: Symbolic link traversalNessusGentoo Local Security Checks
medium
144662EulerOS 2.0 SP9 : unbound (EulerOS-SA-2021-1018)NessusHuawei Local Security Checks
medium
144659EulerOS 2.0 SP9 : unbound (EulerOS-SA-2021-1037)NessusHuawei Local Security Checks
medium
144193FreeBSD : Unbound/NSD -- Denial of service vulnerability (388ebb5b-3c95-11eb-929d-d4c9ef517024)NessusFreeBSD Local Security Checks
medium
144120openSUSE Security Update : nsd (openSUSE-2020-2222)NessusSuSE Local Security Checks
critical