Arch Linux Security Advisory ASA-201412-8
=========================================
Severity: High
Date    : 2014-12-09
CVE-ID  : CVE-2014-8602
Package : unbound
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE-2014

Summary
=======
The package unbound before version 1.5.1-1 is vulnerable to denial of
service.

Resolution
==========
Upgrade to 1.5.1-1.

# pacman -Syu "unbound>=1.5.1-1"

The problem has been fixed upstream in version 1.5.1.

Workaround
==========
A very simple workaround is to ignore the problem and let existing
anti-DoS systems in unbound deal with the issue.  It will consume a lot of
resources, but other customers will (most likely) continue to get service.

If affected, unbound-control flush_requestlist provides temporary relief,
but the issue could resume (immediately).  Putting the maliciously sent
query in local-data, or using access-control to block the IP sending the
malicious query, would work around that exploit set-up.  The config
statement do-not-query-address: IPorNetblock can be used to block a
specific authority server.
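The three configuration-based workarounds above, written out as a constructed unbound.conf fragment added here (it is not taken from the advisory or from the Unbound project); the addresses and the domain are placeholders from the RFC 5737 and RFC 2606 ranges, the option names are Unbound's documented directives:

```conf
# Constructed example: server: block of /etc/unbound/unbound.conf.
# Every address and name below is a placeholder (RFC 5737 / RFC 2606).
server:
    # Workaround 1: answer the abused name locally, so no referral chain
    # is ever followed for it.  local-zone makes the zone authoritative
    # on this resolver; local-data supplies the answer that is returned.
    local-zone: "abused.example." static
    local-data: "abused.example. IN A 192.0.2.1"

    # Workaround 2: refuse queries from the client that keeps sending the
    # triggering query.  Clients not matched by any rule are refused by
    # default, so the legitimate client range must be allowed explicitly.
    access-control: 198.51.100.0/24 refuse
    access-control: 10.0.0.0/8 allow

    # Workaround 3: never contact the authority server that hands out the
    # endless glue.  Takes a single address or a netblock.
    do-not-query-address: 203.0.113.7
    do-not-query-address: 203.0.113.0/24
```

Validate the file with unbound-checkconf and apply it with unbound-control reload; unbound-control flush_requestlist then clears queries that are already in flight.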

Description
===========
The resolver can be tricked into following an endless series of
delegations, which consumes a lot of resources.

Resolvers fetch the content for domain names by sending queries to
authority servers on the internet.  One of the responses that authority
servers can return is a referral response, which points to further
servers to continue the lookup.  To continue the lookup, resolvers
may have to perform recursion, where new names, called glue, from the
referral response have to be looked up to continue the query resolution.

The issue here is the lack of a limit on the recursion fetches performed
to resolve a particular query.  The authority server is a special
set-up that responds with an infinite amount of glue.  This causes
the resolver to spend a lot of resources diving into the infinite glue
looking up names, only to find out it needs to look up even more names.

Impact
======
A remote attacker can trick unbound into consuming a lot of resources by
sending a specially crafted query.

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8602
https://nlnetlabs.nl/downloads/unbound/CVE-2014-8602.txt
