Executive Summary

Summary
Title Unbound multiple denial-of-service vulnerabilities
Informations
Name VU#209659 First vendor Publication 2011-12-19
Vendor VU-CERT Last vendor Modification 2011-12-19
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Cvss Base Score 7.8 Attack Range Network
Cvss Impact Score 6.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#209659

Unbound multiple denial-of-service vulnerabilities

Overview

A specially crafted DNS query containing signed duplicate resource records or a malformed NSEC3 signed resource record may cause Unbound to crash.

I. Description

NLnetLabs advisory states:

    == Description 1: crash on signed duplicate Resource Records

    There are authoritative servers that erroneously send duplicated redirection Resource Records. Unbound has had a workaround that deals with this problem since version 1.0.1 whereby it ignores the duplicate answers. At the time, likely, no DNSSEC signed versions of such zones existed and only recently such misbehaving authority servers also started serving signed duplicate RRs causing improper memory allocation in a portion of the workaround code.

    Referencing this improper allocated data causes a crash which can look like 'uninitialised lock', segmentation faults or free() errors as it tries to free memory that was never allocated.

    == Description 2: crash on missing NSEC3 Resource Records.

    If an authority server sends a reply for an NSEC3-signed zone, and Unbound is configured to validate that zone, then a malformed response can trigger an assertion failure: when an authority server sends a response that contains RR types that trigger special processing and where part of the non-existence proof is missing then an assertion failure is triggered in unbound. This response case was observed in the wild on authority servers that host zones at different points in the hierarchy at the same time.

    The code crashes at assertion failure validator/val_nsec3.c:1214: nsec3_do_prove_nodata: assertion ce.nc_rrset failed Or, if assertions are not compiled it, it crashes soon after as it attempts to access an expected NSEC3 RR.


Additional details can be found in the full NLnetLabs Unbound advisory.

II. Impact

A remote, unauthenticated attacker could cause the Unbound daemon to crash creating a denial-of-service condition.

III. Solution

Apply an Update
This vulnerability has been addressed in Unbound 1.4.14 and 1.4.13p2. The following patch may also be applied to resolve the issue:

For unbound version 1.4.0 - 1.4.13 the patch is:
http://www.unbound.net/downloads/patch_CVE-2011-4528_unbound_140-1413.diff

For unbound version 1.0.1 - 1.3.4 the patch is:
http://www.unbound.net/downloads/patch_CVE-2011-4528_unbound_101-134.diff

Vendor Information

VendorStatusDate NotifiedDate Updated
NLnet LabsAffected2011-12-142011-12-19

References

http://www.unbound.net/downloads/CVE-2011-4528.txt
http://www.unbound.net/download.html

Credit

This vulnerability was found by Christopher Olah and reported by NLnetLabs.

This document was written by Michael Orlando.

Other Information

Date Public:2011-12-19
Date First Published:2011-12-19
Date Last Updated:2011-12-19
CERT Advisory: 
CVE-ID(s):CVE-2011-4528
NVD-ID(s):CVE-2011-4528
US-CERT Technical Alerts: 
Severity Metric:0.99
Document Revision:15


This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

Original Source

Url : http://www.kb.cert.org/vuls/id/209659

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-399 Resource Management Errors

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:15048
 
Oval ID: oval:org.mitre.oval:def:15048
Title: DSA-2370-1 unbound -- several
Description: It was discovered that Unbound, a recursive DNS resolver, would crash when processing certain malformed DNS responses from authoritative DNS servers, leading to denial of service. CVE-2011-4528 Unbound attempts to free unallocated memory during processing of duplicate CNAME records in a signed zone. CVE-2011-4869 Unbound does not properly process malformed responses which lack expected NSEC3 records.
Family: unix Class: patch
Reference(s): DSA-2370-1
CVE-2011-4528
CVE-2011-4869
Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): unbound
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 41

OpenVAS Exploits

Date Description
2012-04-02 Name : Fedora Update for unbound FEDORA-2011-17282
File : nvt/gb_fedora_2011_17282_unbound_fc16.nasl
2012-02-11 Name : Debian Security Advisory DSA 2370-1 (unbound)
File : nvt/deb_2370_1.nasl
2012-01-09 Name : Fedora Update for unbound FEDORA-2011-17337
File : nvt/gb_fedora_2011_17337_unbound_fc15.nasl
2011-12-20 Name : Unbound Multiple Denial of Service Vulnerabilities
File : nvt/gb_unbound_51115.nasl
0000-00-00 Name : FreeBSD Ports: unbound
File : nvt/freebsd_unbound0.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
77910 Unbound NSEC3-Signed Zones Response Parsing Remote DoS

77909 Unbound Duplicate Resource Record Parsing Remote DoS

Nessus® Vulnerability Scanner

Date Description
2013-11-29 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201311-18.nasl - Type : ACT_GATHER_INFO
2012-01-17 Name : The remote name server is affected by multiple denial of service vulnerabilit...
File : unbound_1_4_14.nasl - Type : ACT_GATHER_INFO
2012-01-12 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2370.nasl - Type : ACT_GATHER_INFO
2012-01-03 Name : The remote Fedora host is missing a security update.
File : fedora_2011-17282.nasl - Type : ACT_GATHER_INFO
2012-01-03 Name : The remote Fedora host is missing a security update.
File : fedora_2011-17337.nasl - Type : ACT_GATHER_INFO
2011-12-20 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_7ba65bfd2a4011e1b96e00215af774f0.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 12:07:36
  • Multiple Updates