Hello everyone,
here are some details on the vulnerability (fix) disclosed today.

Impact
======
Some DNS packets might take even a few seconds to process with full CPU utilization, allowing DoS.

Unembargo date
==============
Wednesday 4th December 2019, afternoon GMT

Fixes
=====
Most of the issue can be mitigated by updating the libknot dependency to >= 2.9.1. Otherwise, a complete fix was released in Knot Resolver 4.3.0, which also does not require a libknot update. The attached patches are applicable to recent releases (when the doc diff is stripped).

[Affected version (required)]: Knot Resolver <= 4.2.2
[Fixed version (optional)]: Knot Resolver 4.3.0
[Vulnerability type]: CWE-407: Inefficient Algorithmic Complexity
[Impact of exploitation]: Denial of service through high CPU utilization.
[Description of vulnerability]: DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (the limit is 64 kB). To execute an attack it is enough to:
 + own a rogue authoritative server or utilize an existing name with a huge RRset, and
 + trigger a DNS query for that name from the resolver to be attacked

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Technical Details: CWE-407

[Reference URL]: https://gitlab.labs.nic.cz/knot/knot-resolver/tags/v4.3.0

--Vladimir
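As an added illustration of the "huge RRset" condition described above (this is not code from the advisory or from the Knot Resolver project), the following Python script parses a DNS response's answer section with a minimal wire-format reader and reports the largest RRset it contains, so a monitoring hook or test harness can flag replies that would be expensive for an unpatched resolver. It also makes the "a few thousand A records" figure concrete: with a compression pointer for the owner name, each A record costs 16 bytes, so a 64 kB message holds about 4,000 of them. The constructed sample response, the owner name `example.test`, and the alert threshold are assumptions made for the demonstration.

```python
import struct

# Added illustration for the advisory above; not Knot Resolver code.
# The sample response, the owner name and the alert threshold are
# constructed here for demonstration only.

QTYPE_A = 1
QCLASS_IN = 1
DNS_MAX_MSG = 65535        # 16-bit length prefix bounds a DNS-over-TCP message
COMPRESSED_A_RR_LEN = 16   # 2 (name pointer) + 2 type + 2 class + 4 TTL + 2 rdlen + 4 rdata


def encode_name(name):
    """Encode a dotted name into uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(name, n_records, ttl=300):
    """Construct a sample response whose answer section holds n_records A
    records for `name`; every owner name is a pointer (0xC00C) to the question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, n_records, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answers = bytearray()
    for i in range(n_records):
        rdata = bytes([192, 0, (i >> 8) & 0xFF, i & 0xFF])   # 192.0.x.y, constructed
        answers += struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + question + bytes(answers)


def max_a_records(name):
    """How many compressed A records fit in one maximal message for `name`."""
    question_len = len(encode_name(name)) + 4
    return (DNS_MAX_MSG - 12 - question_len) // COMPRESSED_A_RR_LEN


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                  # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            if end is None:
                end = off + 2                      # name ends where the pointer ends
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def largest_rrset(msg):
    """Walk question and answer sections; return (owner, type, count) of the
    biggest RRset, or None if the answer section is empty."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                   # qtype + qclass
    counts = {}
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        key = (owner, rtype, rclass)
        counts[key] = counts.get(key, 0) + 1
    if not counts:
        return None
    owner, rtype, _rclass = max(counts, key=counts.get)
    return owner, rtype, counts[(owner, rtype, _rclass)]


def is_oversized(msg, threshold=1000):
    """True if any single RRset in the reply exceeds the threshold (assumed value)."""
    found = largest_rrset(msg)
    return found is not None and found[2] > threshold


if __name__ == "__main__":
    sample = build_response("example.test", 3000)
    print("message size:", len(sample), "bytes")
    print("largest RRset:", largest_rrset(sample))
    print("max A records in one message:", max_a_records("example.test"))
    print("oversized:", is_oversized(sample))
```

The threshold is a local policy choice; the point of the check is that RRset size, not message size alone, is what drove the processing cost, so a response-side hook that counts records per owner/type gives an early signal on any resolver version.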