Bug 908990 (CVE-2014-8602) - VUL-0: CVE-2014-8602: unbound: following endless delegations
Summary: VUL-0: CVE-2014-8602: unbound: following endless delegations
Status: RESOLVED FIXED
Alias: CVE-2014-8602
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Darin Perusich
QA Contact: Security Team bot
Reported: 2014-12-09 09:27 UTC by Alexander Bergmann
Modified: 2015-02-19 04:18 UTC

Description Alexander Bergmann 2014-12-09 09:27:32 UTC
http://www.unbound.net/pipermail/unbound-users/2014-December/003662.html

The CVE number for this vulnerability is CVE-2014-8602.

== Summary

The resolver can be tricked into following an endless series of
delegations; this consumes a lot of resources.  A patch is available
that limits the number of fetches performed for a query.

== Description

Resolvers fetch the content for domain names by sending queries to
authority servers on the internet.  One of the responses that authority
servers can return is a referral response, which points to further
servers to continue the lookup.  To continue the lookup, resolvers
may have to perform recursion, where new names, called glue, from the
referral response have to be looked up to continue the query resolution.

The issue here is a lack of limiting on the recursion fetches performed
to figure out a particular query.  The authority server is a special
set-up that responds with an infinite amount of glue.  This then causes
the resolver to spend a lot of resources diving into the infinite glue
looking up names, only to find out it needs to look up even more names.

== Impact

The impact for unbound is fairly low, combined with a tricky to
exploit vulnerability.  The packet rate, however, can be fairly high.
The exploit needs a lot of specific glue setup on the authority server,
or even a special-purpose trick-authority-server.  A trigger query
has to be sent to unbound.  Unbound will spend a lot of resources on
this query, and this will impact unbound's cpu and network resources.
Unbound may therefore lose some ability or timeliness for the service
of customer queries (a denial of service).  Unbound will continue to
respond normally for cached queries.

== Remote Exploit

This is not a remote code execution exploit; this vulnerability consumes
CPU and network resources.

== Remedy

A very simple workaround is to ignore the problem and let existing
anti-DoS systems in unbound deal with the issue.  It will consume a lot
of resources, but other customers will (most likely) continue to get
service.

If affected, unbound-control flush_requestlist provides temporary
relief, but the issue could resume (immediately).  Putting the
maliciously sent query in local-data, or using access-control to block
the malicious query sending IP would work around that exploit set-up.
The config statement do-not-query-address: IPorNetblock can be used to
block a specific authority server.

The proper fix is a patch, which is available:
http://unbound.net/downloads/patch_cve_2014_8602.diff

== Solution

The solution is a code patch; apply this patch with
patch -p0 < the_patch_file.  Then recompile and install unbound.

== Acknowledgement

Florian Maury (ANSSI)
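
A minimal model of the per-query fetch limit the advisory describes, added here as an illustration; it is not code from unbound or from the patch. The names FETCH_BUDGET, SIM_CEILING, struct query and resolve(), the cap value 32, and the numeric "level" model of a delegation chain are all assumptions of this example.

```c
#include <stdio.h>

#define FETCH_BUDGET 32     /* constructed cap, not the patch's value */
#define SIM_CEILING  10000  /* stops the uncapped simulation */

enum outcome { ANSWERED, SERVFAIL_BUDGET, STILL_RUNNING };
struct query { int fetches; int budget; };  /* budget 0 = no cap */

/* Toy authority: the server for `level` is named by a host that itself
 * has to be resolved at level+1. chain_len < 0 never stops referring. */
static int is_referral(int level, int chain_len)
{
    return chain_len < 0 || level < chain_len;
}

/* Every fetch made on behalf of the original query, including the
 * nameserver-name sub-lookups, is charged to the same struct query. */
static enum outcome resolve(struct query *q, int chain_len)
{
    int level = 0;
    for (;;) {
        if (q->budget > 0 && q->fetches >= q->budget)
            return SERVFAIL_BUDGET;     /* give up, answer SERVFAIL */
        if (q->fetches >= SIM_CEILING)
            return STILL_RUNNING;       /* a real resolver would keep going */
        q->fetches++;                   /* one query sent upstream */
        if (!is_referral(level, chain_len))
            return ANSWERED;
        level++;                        /* chase the next nameserver name */
    }
}

static void show(const char *label, int chain_len, int budget)
{
    static const char *txt[] = { "answered", "SERVFAIL (budget)", "still running" };
    struct query q = { 0, budget };
    enum outcome o = resolve(&q, chain_len);
    printf("%-28s %-18s fetches=%d\n", label, txt[o], q.fetches);
}

int main(void)
{
    show("finite chain, capped", 3, FETCH_BUDGET);
    show("endless chain, uncapped", -1, 0);
    show("endless chain, capped", -1, FETCH_BUDGET);
    show("long finite chain, capped", 40, FETCH_BUDGET); /* the cap's cost */
    return 0;
}
```

The last case shows the trade-off of any such cap: a legitimate but unusually long chain is also answered with a failure once the budget is spent.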
Comment 1 Darin Perusich 2014-12-09 13:25:19 UTC
unbound, in server:dns, has been updated to 1.5.1 which includes the fix for CVE-2014-8602 and the package submitted to Factory.
Comment 2 Alexander Bergmann 2014-12-09 14:26:13 UTC
unbound was included in openSUSE:13.2 with version 1.4.22.

I'm not 100% sure if we should do a version upgrade of unbound or if it is possible to backport the CVE-2014-8602 fix. The idea is to keep openSUSE stable so that configurations are still working after an update.

Version 1.5.0 had quite some feature enhancements. I cannot estimate the impact of those functions.
Comment 3 Darin Perusich 2014-12-09 14:51:34 UTC
I've created a maintenance branch and request as the patch applies cleanly to 1.4.22. See https://build.opensuse.org/request/show/264551
Comment 4 Swamp Workflow Management 2014-12-23 15:05:08 UTC
openSUSE-SU-2014:1688-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 908990
CVE References: CVE-2014-8602
Sources used:
openSUSE 13.2 (src):    unbound-1.4.22-4.2