Описание
Unbound before 1.9.4 accesses uninitialized memory, which allows remote attackers to trigger a crash via a crafted NOTIFY query. The source IP address of the query must match an access-control rule.
Отчет
This issue has been classified as having low security impact because:
- per default, unbound is not configured to listen on a public interface
- per default, the ACL is limited to localhost, so even if listening to a public interface, the crash cannot happen per default It mostly affects people running unbound as a "public" DNS resolver. Using such configurations, unbound has no valuable secrets that could be obtained by a successful attack, so at best the server crashes and restarts, resulting in an empty DNS cache. Sustained sending of packets would result in a DoS though.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | unbound | Not affected | ||
| Red Hat Enterprise Linux 7 | unbound | Not affected | ||
| Red Hat Enterprise Linux 8 | unbound | Fix deferred |
Показывать по
Дополнительная информация
Статус:
5.3 Medium
CVSS3
Связанные уязвимости
Unbound before 1.9.4 accesses uninitialized memory, which allows remote attackers to trigger a crash via a crafted NOTIFY query. The source IP address of the query must match an access-control rule.
Unbound before 1.9.4 accesses uninitialized memory, which allows remote attackers to trigger a crash via a crafted NOTIFY query. The source IP address of the query must match an access-control rule.
Unbound before 1.9.4 accesses uninitialized memory, which allows remot ...
Unbound before 1.9.4 accesses uninitialized memory, which allows remote attackers to trigger a crash via a crafted NOTIFY query. The source IP address of the query must match an access-control rule.
Уязвимость DNS-сервера Unbound, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю вызвать отказ в обслуживании
5.3 Medium
CVSS3