Message-ID: <49ccdfbc-8518-4e9f-9e2a-b9837af147d1@oracle.com>
Date: Fri, 4 Oct 2024 14:17:44 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-8508 in Unbound DNS server prior to 1.21.1

https://nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt states:

> The CVE number for this vulnerability is CVE-2024-8508.
> 
> A vulnerability has been discovered in Unbound when handling replies
> with very large RRsets that Unbound needs to perform name compression
> for.
> 
> 
> == Summary
> Malicious upstream responses with very large RRsets can cause Unbound
> to spend a considerable time applying name compression to downstream
> replies. This can lead to degraded performance and eventually denial of
> service in well orchestrated attacks.
> 
> Unbound 1.21.1 includes a fix to limit time spent on name compression.
> 
> 
> == Affected products
> Unbound up to and including 1.21.0.
> 
> 
> == Description
> The vulnerability can be exploited by a malicious actor querying Unbound
> for the specially crafted contents of a malicious zone with very large
> RRsets.
> Before Unbound replies to the query it will try to apply name
> compression which was an unbounded operation that could lock the CPU
> until the whole packet was complete.
> 
> Unbound version 1.21.1 introduces a hard limit on the number of name
> compression calculations it is willing to do per packet.
> Packets that need more compression will result in semi-compressed
> packets or truncated packets, even on TCP for huge messages, to avoid
> locking the CPU for long.
> 
> This change should not affect normal DNS traffic.
> 
> 
> == Solution
> Apply the attached patch using:
> 
>      patch -p1 < patch_CVE-2024-8508.diff
> 
> then run 'make install' to install Unbound.
> 
> The patch is tested to work on Unbound 1.21.0.
> 
> 
> == Acknowledgments
> We would like to thank Toshifumi Sakaguchi for discovering and
> responsibly disclosing the vulnerability.

The patch is available from
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2024-8508.diff
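
The per-packet limit the advisory describes can be pictured with a small model. The following is an added example in Python, not part of the original message and not Unbound's C implementation; `encode_names`, `decode_names` and the `budget` parameter are hypothetical names. It shows how a cap on compression lookups yields a "semi-compressed" packet that is larger but still decodes to the same names.

```python
# Simplified model of DNS name compression with a per-packet lookup budget.
# Not Unbound's code: encode_names, decode_names and `budget` are hypothetical.

def encode_names(names, budget):
    """Encode names back to back in DNS wire format, spending at most
    `budget` suffix lookups on compression. Returns (packet, lookups_used)."""
    packet, offsets, used = bytearray(), {}, 0
    for name in names:
        labels = tuple(l for l in name.lower().split(".") if l)
        pointer = None
        for i, label in enumerate(labels):
            if used < budget:                 # budget left: try to compress
                used += 1
                pointer = offsets.get(labels[i:])
                if pointer is not None:
                    break                     # rest of the name already in packet
                if len(packet) < 0x4000:      # pointers carry 14-bit offsets
                    offsets[labels[i:]] = len(packet)
            raw = label.encode("ascii")       # budget spent or no match: write label
            packet.append(len(raw))
            packet += raw
        if pointer is not None:
            packet += (0xC000 | pointer).to_bytes(2, "big")
        else:
            packet.append(0)                  # root label ends an uncompressed name
    return bytes(packet), used

def decode_names(packet, count):
    """Decode `count` names from encode_names() output (pointers only go backward)."""
    names, pos = [], 0
    for _ in range(count):
        labels, cur, end = [], pos, None
        while packet[cur] != 0:
            n = packet[cur]
            if n & 0xC0 == 0xC0:              # compression pointer
                end = end if end is not None else cur + 2
                cur = ((n & 0x3F) << 8) | packet[cur + 1]
            else:
                labels.append(packet[cur + 1:cur + 1 + n].decode("ascii"))
                cur += 1 + n
        names.append(".".join(labels))
        pos = end if end is not None else cur + 1
    return names

# Constructed sample: one large RRset's worth of names under a shared suffix.
SAMPLE = [f"host{i}.example.com" for i in range(200)]
```

With an effectively unlimited budget every name after the first ends in a pointer; with a small budget the encoder stops looking for matches once the budget is spent and writes the remaining names in full, so work per packet stays bounded at the cost of size.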
