UNBOUND
- About
- Download
- Support
- RFC Compliance
- Security Advisories
We take security very seriously. If you have found a security issue in Unbound, please submit a security report.
Local symlink attack
| Date: | 2020-12-01 |
|---|---|
| CVE: | CVE-2020-28935 |
| Credit: | Mason Loring Bliss |
| Affects: | Unbound up to and including version 1.12.0 |
| Not affected: | Other versions |
| Severity: | Low |
| Impact: | Denial of Service |
| Solution: | Download patched version of Unbound, or apply the patch manually |
Unbound when writing and later chown'ing the PID file would not check if an existing file was a symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound is running on. It requires an attacker having access to the limited permission user Unbound runs as and point through the symlink to a critical file on the system.
Unbound 1.13.0 contains a patch. If you cannot upgrade you can also apply the patch manually. To do this, apply the patch on the Unbound source directory with patch -p1 < patch_cve-2020-28935_unbound.diff and then run make install to install Unbound.
Vulnerability in Domain Parse
| Date: | 2020-05-19 |
|---|---|
| CVE: | CVE-2020-12663 |
| Credit: | OSS-Fuzz project |
| Affects: | Unbound up to and including version 1.10.0 |
| Not affected: | Other versions |
| Severity: | Medium |
| Impact: | Unbound is unresponsive |
| Solution: | Download patched version of Unbound, or apply the patch manually |
Fuzzing of the Unbound code made us aware of issues in the parser of received answers. Malformed answers received from upstream servers can result in Unbound entering an infinite loop and thereby becoming unresponsive. When compiled with --enable-debug it is also possible to trigger an assertion, resulting in Unbound to crash.
Unbound 1.10.1 contains a patch. If you cannot upgrade you can also apply the patch manually. To do this, apply the patch on Unbound source directory with patch -p1 < filename, then run make install to install Unbound.
NXNSAttack
| Date: | 2020-05-19 |
|---|---|
| CVE: | CVE-2020-12662 |
| Credit: | Lior Shafir, Yehuda Afek, and Anat Bremler-Barr from Tel Aviv University |
| Affects: | Unbound up to and including version 1.10.0 |
| Not affected: | Other versions |
| Severity: | Medium |
| Impact: | Unbound performs amplification |
| Solution: | Download patched version of Unbound, or apply the patch manually |
Researchers from Tel Aviv University discovered an issue in Unbound and other DNS resolvers that makes it possible to have a single incoming query result in a large number of outgoing queries. This amplification makes it possible for Unbound to be used in a denial of service attack. The researchers discovering this called this attack the NXNSattack.
This attack makes use of cache bypassing using random subdomains in the NSDNAME in NS records. When these delegation records are received during iteration, and the answer does not contain glue records, a resolver has to send out a query to the get the IP address for one of the names. When this query fails (for example because the random name does not exist) a resolver will try the next one. A large set of NS records with random names can result in a large number of outgoing queries going to the same target. More details about this attack will be available in the research paper.
Unbound 1.10.1 contains a patch. If you cannot upgrade you can also apply the patch manually. To do this, apply the patch on Unbound source directory with patch -p1 < filename, then run make install to install Unbound.
Vulnerability in IPSEC module
| Date: | 2019-11-19 |
|---|---|
| CVE: | CVE-2019-18934 |
| Credit: | X41 D-Sec |
| Affects: | Unbound 1.6.4 up to and including version 1.9.4 |
| Not affected: | Other versions |
| Severity: | Critical |
| Impact: | Shell code execution after a specially crafted answer |
| Solution: | Download patched version of Unbound, or apply the patch manually |
Due to unsanitized characters passed to the ipsecmod-hook shell command, it is possible for Unbound to allow shell code execution from a specially crafted IPSECKEY answer.
This issue can only be triggered when all of the below conditions are met:
- unbound was compiled with --enable-ipsecmod support, and
- ipsecmod is enabled and used in the configuration (either in the configuration file or using unbound-control), and
- a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is used), and
- unbound receives an A/AAAA query for a domain that has an A/AAAA record(s) and an IPSECKEY record(s) available.
The shell code execution can then happen if either the qname or the gateway field of the IPSECKEY (when gateway type == 3) contain a specially crafted domain name.
Unbound 1.9.5 contains a patch. If you cannot upgrade you can also apply the patch manually. To do this, apply the patch on Unbound source directory with patch -p1 < filename, then run make install to install Unbound.
Vulnerability in parsing NOTIFY queries
| Date: | 2019-10-03 |
|---|---|
| CVE: | CVE-2019-16866 |
| Credit: | X41 D-Sec |
| Affects: | Unbound 1.7.1 up to and including version 1.9.3 |
| Not affected: | Other versions |
| Severity: | Medium |
| Impact: | Crash after receiving a specially crafted query |
| Solution: | Download patched version of Unbound, or apply the patch manually |
Due to an error in parsing NOTIFY queries, it is possible for Unbound to continue processing malformed queries and may ultimately result in a pointer dereference in uninitialized memory. This results in a crash of the Unbound daemon.
Unbound 1.9.4 contains a patch. If you cannot upgrade you can also apply the patch manually. To do this, apply the patch on Unbound source directory with patch -p0 < filename, then run make install to install Unbound.
Vulnerability in the processing of wildcard synthesized NSEC records
| Date: | 2018-01-23 |
|---|---|
| CVE: | CVE-2017-15105 |
| Credit: | Ralph Dolmans (NLnet Labs), Karst Koymans (University of Amsterdam) |
| Affects: | Unbound 1.6.7 and earlier versions |
| Not affected: | Other versions |
| Severity: | Medium |
| Impact: | The wildcard NSEC record can be used to prove the non-existence (NXDOMAIN answer) of an existing wildcard record |
| Solution: | Download patched version of Unbound, or apply the patch manually |
We discovered a vulnerability in the processing of wildcard synthesized NSEC records. While synthesis of NSEC records is allowed by RFC4592, these synthesized owner names should not be used in the NSEC processing. This does, however, happen in Unbound 1.6.7 and earlier versions.
Unbound 1.6.8 contains a patch. If you cannot upgrade you can also apply the patch manually. To do this, apply the patch on Unbound source directory with patch -p0 < filename, then run make install to install Unbound.
A special thanks goes out to Karst Koymans (University of Amsterdam) for sparking the discovery of this vulnerability by Ralph Dolmans (NLnet Labs).
Ghost domain names attack
| Date: | 2012-02-17 |
|---|---|
| CVE: | CVE-2012-1192 |
| Credit: | ISC |
| Affects: | Unbound 1.4.11 and earlier versions |
| Not affected: | Other versions |
| Severity: | Medium |
| Impact: | Remote attackers can trigger continued resolvability of revoked domain names |
| Solution: | Upgrade to a newer version of Unbound |
The resolver in Unbound before 1.4.11 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack. To resolve this issue, upgrade to a newer version of Unbound.
Incorrect proof processing for NSEC3-signed zone
| Date: | 2011-12-20 |
|---|---|
| CVE: | CVE-2011-4869 |
| Affects: | Unbound 1.4.13p2 and earlier versions |
| Not affected: | Other versions |
| Severity: | Medium |
| Impact: | Denial of service (daemon crash) |
| Exploit: | DNS servers can send a malformed response that lacks expected NSEC3 records |
| Solution: | Upgrade to a newer version of Unbound |
validator/val_nsec3.c in Unbound before 1.4.13p2 does not properly perform proof processing for NSEC3-signed zones, which allows remote DNS servers to cause a denial of service (daemon crash) via a malformed response that lacks expected NSEC3 records, a different vulnerability than CVE-2011-4528.
Unbound 1.4.14 contains a patch, but 1.4.14rc1 is vulnerable. If you cannot upgrade you can also apply a patch. For unbound version 1.4.0 - 1.4.13, apply this patch and for version 1.0.1 - 1.3.4 use this patch. To do this, apply the patch on Unbound source directory with patch -p0 < filename, then run make install to install Unbound.
Processing of duplicate CNAME records in a signed zone
| Date: | 2011-12-20 |
|---|---|
| CVE: | CVE-2011-4528 |
| Affects: | Unbound 1.4.13p2 and earlier versions |
| Not affected: | Other versions |
| Severity: | Medium |
| Impact: | Denial of service (daemon crash) |
| Exploit: | Remotely send a crafted response |
| Solution: | Upgrade to a newer version of Unbound |
Unbound crashes when confronted with a non-standard response from a server for a domain. This domain produces duplicate RRs from a certain type and is DNSSEC signed. Unbound also crashes when confronted with a query that eventually, and under specific circumstances, resolves to a domain that misses expected NSEC3 records.
Unbound 1.4.14 contains a patch, but 1.4.14rc1 is vulnerable. If you cannot upgrade you can also apply a patch. For unbound version 1.4.0 - 1.4.13, apply this patch and for version 1.0.1 - 1.3.4 use this patch. To do this, apply the patch on Unbound source directory with patch -p0 < filename, then run make install to install Unbound.