NSD
- About
- Download
- Support
- RFC Compliance
- Security Advisories
We take security very seriously. If you have found a security issue in NSD, please submit a security report.
Local symlink attack
| Date: | 2020-12-01 |
|---|---|
| CVE: | CVE-2020-28935 |
| Credit: | Mason Loring Bliss |
| Affects: | NSD 4.3.3 and earlier versions |
| Not affected: | NSD 4.3.4 and later |
| Severity: | Low |
| Impact: | Denial of Service |
| Solution: | Upgrade to NSD 4.3.4 or newer |
NSD when writing and later chown'ing the PID file would not check if an existing file was a symlink. This is a local vulnerability that could create a Denial of Service of the system NSD is running on. It requires an attacker having access to the limited permission user NSD runs as and point through the symlink to a critical file on the system.
NSD 4.3.4 contains a patch. If you cannot upgrade you can also apply the patch manually. To do this, apply the patch on the NSD source directory with patch -p1 < patch_cve-2020-28935_nsd.diff and then run make install to install NSD.
NSD time sensitive TSIG compare vulnerability
| Date: | 2018-07-30 |
|---|---|
| Credit: | Ondrej Sury (ISC) |
| Affects: | NSD 4.1.22 and earlier versions |
| Not affected: | NSD 4.1.23 and later |
| Severity: | Low |
| Impact: | Potential key leakage |
| Solution: | Upgrade to NSD 4.1.23 or newer |
NSD uses TSIG to protect zone transfers. The TSIG code uses a secret key to protect the data. The secret key is shared with both sides of the zone transfer connection. The comparison code in NSD was not time insensitive, causing the potential for an attacker to use timing information to discover data about the key contents.
Denial of service via a zone transfer with unlimited data
| Date: | 2016-07-06 |
|---|---|
| CVE: | CVE-2016-6173 |
| Credit: | Toshifumi Sakaguchi |
| Affects: | NSD 4.1.10 and earlier versions |
| Not affected: | Other versions |
| Severity: | Medium |
| Impact: | Denial of Service |
| Solution: | Upgrade to NSD 4.1.11 or newer |
NSD before 4.1.11 allows remote DNS master servers to cause a denial of service (/tmp disk consumption and slave server crash) via a zone transfer with unlimited data. size-limit-xfr was implemented in NSD 4.1.11 to stop it from downloading infinite zone transfer data size.