iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a large or infinite number of referrals.

According to its self-reported version number, the remote Unbound DNS resolver is affected by a denial of service vulnerability in the Domain Name Service due to improper handling of a maliciously-constructed zone or queries from a rogue server. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause the service to issue unlimited queries in an attempt to follow a delegation, resulting in a denial of service condition.

A denial of service flaw was found in unbound that an attacker could use to trick the unbound resolver into following an endless loop of delegations, consuming an excessive amount of resources.
(CVE-2014-8602)

This update also fixes the following bugs :

  - Prior to this update, there was a mistake in the time     configuration in the cron job invoking unbound-anchor to     update the root zone key. Consequently, unbound-anchor     was invoked once a month instead of every day, thus not     complying with RFC 5011. The cron job has been replaced     with a systemd timer unit that is invoked on a daily     basis. Now, the root zone key validity is checked daily     at a random time within a 24-hour window, and compliance     with RFC 5011 is ensured.

  - Previously, the unbound packages were installing their     configuration file for the systemd-tmpfiles utility into     the /etc/tmpfiles.d/ directory. As a consequence,     changes to unbound made by the administrator in     /etc/tmpfiles.d/ could be overwritten on package     reinstallation or update. To fix this bug, unbound has     been amended to install the configuration file into the     /usr/lib/tmpfiles.d/ directory. As a result, the system     administrator's configuration in /etc/tmpfiles.d/ is     preserved, including any changes, on package     reinstallation or update.

  - The unbound server default configuration included     validation of DNS records using the DNSSEC Look-aside     Validation (DLV) registry. The Internet Systems     Consortium (ISC) plans to deprecate the DLV registry     service as no longer needed, and unbound could execute     unnecessary steps. Therefore, the use of the DLV     registry has been removed from the unbound server     default configuration. Now, unbound does not try to     perform DNS records validation using the DLV registry.

Updated unbound packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.

A denial of service flaw was found in unbound that an attacker could use to trick the unbound resolver into following an endless loop of delegations, consuming an excessive amount of resources.
(CVE-2014-8602)

This update also fixes the following bugs :

* Prior to this update, there was a mistake in the time configuration in the cron job invoking unbound-anchor to update the root zone key.
Consequently, unbound-anchor was invoked once a month instead of every day, thus not complying with RFC 5011. The cron job has been replaced with a systemd timer unit that is invoked on a daily basis. Now, the root zone key validity is checked daily at a random time within a 24-hour window, and compliance with RFC 5011 is ensured. (BZ#1180267)

* Previously, the unbound packages were installing their configuration file for the systemd-tmpfiles utility into the /etc/tmpfiles.d/ directory. As a consequence, changes to unbound made by the administrator in /etc/tmpfiles.d/ could be overwritten on package reinstallation or update. To fix this bug, unbound has been amended to install the configuration file into the /usr/lib/tmpfiles.d/ directory. As a result, the system administrator's configuration in /etc/tmpfiles.d/ is preserved, including any changes, on package reinstallation or update. (BZ#1180995)

* The unbound server default configuration included validation of DNS records using the DNSSEC Look-aside Validation (DLV) registry. The Internet Systems Consortium (ISC) plans to deprecate the DLV registry service as no longer needed, and unbound could execute unnecessary steps. Therefore, the use of the DLV registry has been removed from the unbound server default configuration. Now, unbound does not try to perform DNS records validation using the DLV registry. (BZ#1223339)

All unbound users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2015-2455 advisory.

    - Fix CVE-2014-8602 (#1253961)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Florian Maury from ANSSI discovered that unbound, a validating, recursive, and caching DNS resolver, was prone to a denial of service vulnerability. An attacker crafting a malicious zone and able to emit (or make emit) queries to the server can trick the resolver into following an endless series of delegations, leading to resource exhaustion and huge network usage.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 14.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-2484-1 advisory.

    Florian Maury discovered that Unbound incorrectly handled delegation. A remote attacker could possibly use     this issue to cause Unbound to consume resources, resulting in a denial of service.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This unbound update fixes the following secuirty issue.

  - boo#908990: following endless delegations     (CVE-2014-8602)

Security fix for CVE-2014-8602

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2014-8602 new release fix build on aarch64 new upstream version

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Florian Maury from ANSSI discovered that unbound, a validating, recursive, and caching DNS resolver, was prone to a denial of service vulnerability. An attacker crafting a malicious zone and able to emit (or make emit) queries to the server can trick the resolver into following an endless series of delegations, leading to resource exhaustion and huge network usage.

Unbound developer reports :

The resolver can be tricked into following an endless series of delegations, this consumes a lot of resources.

ID	Name	Product	Family	Severity
87870	Unbound < 1.5.1 Delegation Handling Recursive Referral Handling Resource Exhaustion DoS	Nessus	DNS	medium
87577	Scientific Linux Security Update : unbound on SL7.x x86_64 (20151119)	Nessus	Scientific Linux Local Security Checks	medium
87159	CentOS 7 : unbound (CESA-2015:2455)	Nessus	CentOS Local Security Checks	medium
87041	Oracle Linux 7 : unbound (ELSA-2015-2455)	Nessus	Oracle Linux Local Security Checks	high
86991	RHEL 7 : unbound (RHSA-2015:2455)	Nessus	Red Hat Local Security Checks	medium
82091	Debian DLA-107-1 : unbound security update	Nessus	Debian Local Security Checks	medium
81019	Ubuntu 14.04 LTS : Unbound vulnerability (USN-2484-1)	Nessus	Ubuntu Local Security Checks	high
80246	openSUSE Security Update : unbound (openSUSE-SU-2014:1688-1)	Nessus	SuSE Local Security Checks	medium
80231	F5 Networks BIG-IP : Unbound vulnerability (SOL15931)	Nessus	F5 Networks Local Security Checks	medium
80142	Fedora 20 : unbound-1.5.1-2.fc20 (2014-16671)	Nessus	Fedora Local Security Checks	medium
80140	Fedora 21 : unbound-1.5.1-2.fc21 (2014-16647)	Nessus	Fedora Local Security Checks	medium
79884	Debian DSA-3097-1 : unbound - security update	Nessus	Debian Local Security Checks	medium
79810	FreeBSD : unbound -- can be tricked into following an endless series of delegations, this consumes a lot of resources (10d73529-7f4b-11e4-af66-00215af774f0)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2014-8602

high

Tenable Plugins

medium

medium

medium

high

medium

medium

high

medium

medium

medium

medium

medium

medium