Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <49ccdfbc-8518-4e9f-9e2a-b9837af147d1@oracle.com>
Date: Fri, 4 Oct 2024 14:17:44 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-8508 in Unbound DNS server prior to 1.21.1

https://nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt states:

> The CVE number for this vulnerability is CVE-2024-8508.
> 
> A vulnerability has been discovered in Unbound when handling replies
> with very large RRsets that Unbound needs to perform name compression
> for.
> 
> 
> == Summary
> Malicious upstreams responses with very large RRsets can cause Unbound
> to spend a considerable time applying name compression to downstream
> replies. This can lead to degraded performance and eventually denial of
> service in well orchestrated attacks.
> 
> Unbound 1.21.1 includes a fix to limit time spent on name compression.
> 
> 
> == Affected products
> Unbound up to and including 1.21.0.
> 
> 
> == Description
> The vulnerability can be exploited by a malicious actor querying Unbound
> for the specially crafted contents of a malicious zone with very large
> RRsets.
> Before Unbound replies to the query it will try to apply name
> compression which was an unbounded operation that could lock the CPU
> until the whole packet was complete.
> 
> Unbound version 1.21.1 introduces a hard limit on the number of name
> compression calculations it is willing to do per packet.
> Packets that need more compression will result in semi-compressed
> packets or truncated packets, even on TCP for huge messages, to avoid
> locking the CPU for long.
> 
> This change should not affect normal DNS traffic.
> 
> 
> == Solution
> Apply the attached patch using:
> 
>      patch -p1 < patch_CVE-2024-8508.diff
> 
> then run 'make install' to install Unbound.
> 
> The patch is tested to work on Unbound 1.21.0.
> 
> 
> == Acknowledgments
> We would like to thank Toshifumi Sakaguchi for discovering and
> responsibly disclosing the vulnerability.

The patch is available from
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2024-8508.diff

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.