Description
Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with --enable-ipsecmod support, and ipsecmod is enabled and used in the configuration.
A shell command injection vulnerability was discovered in the way unbound handles DNS queries for systems with a public key used for IPsec. When ipsecmod is enabled, a malicious DNS server could send a DNS reply which would be used during a following DNS query to execute shell commands with the privileges of the unbound process. The same attack could be performed by an attacker who can modify data transmitted over the network, before it reaches the unbound server, if DNSSEC is not used.
Statement
The versions of unbound as shipped in Red Hat Enterprise Linux 7 and 8 have ipsecmod disabled by default; although it could be activated through the unbound-control command, that command is only executable by high-privilege users. Moreover, the username option is enabled, reducing the impact of a successful attack, and DNSSEC is used by default, preventing an attacker from modifying DNS packets on the wire. Finally, the default SELinux policies prevent unbound from running any shell command.
Mitigation
- Do not enable ipsecmod in the unbound.conf configuration file nor via unbound-control, if DNSSEC based Opportunistic IPsec is not used.
- Use the `username` option in unbound.conf to make unbound drop privileges and reduce the impact of a successful attack.
- Enable SELinux to prevent unbound from executing shell commands, apart from the expected one specified in the `ipsecmod-hook` option.
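The three mitigations above are all visible in unbound.conf, so they can be checked mechanically. The following audit script is an added example, not code from this record or from the Unbound project: it parses `key: value` lines from a config text and reports whether ipsecmod is loaded in `module-config`, whether `username` drops privileges, and whether a DNSSEC trust anchor plus the validator module are configured. The option names `module-config`, `ipsecmod-enabled` and the trust-anchor keys are standard unbound.conf options; both sample configurations and the hook path are constructed for the example.

```python
"""Audit unbound.conf text for the three mitigations in the record above:
ipsecmod not loaded, privileges dropped via `username`, DNSSEC validation on."""
import re
from typing import Dict, List

# Constructed sample (not a real deployment): ipsecmod loaded and enabled,
# username commented out, DNSSEC trust anchor and validator module present.
RISKY_CONF = """\
server:
    verbosity: 1
    # username: "unbound"   <- commented out, so privileges are not dropped
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    module-config: "ipsecmod validator iterator"
    ipsecmod-enabled: yes
    ipsecmod-hook: "/path/to/ipsecmod-hook"   # placeholder path, not a real hook
"""

# Constructed hardened counterpart: default modules, privileges dropped, anchor set.
HARDENED_CONF = """\
server:
    username: "unbound"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    module-config: "validator iterator"
"""

_OPTION = re.compile(r"^\s*([a-z0-9-]+)\s*:\s*(.*?)\s*$", re.IGNORECASE)
_ANCHOR_KEYS = ("auto-trust-anchor-file", "trust-anchor-file",
                "trust-anchor", "trusted-keys-file")


def parse_options(text: str) -> Dict[str, List[str]]:
    """Collect `key: value` pairs from unbound.conf text.

    Comments are stripped, surrounding quotes removed and repeated keys kept in
    order.  Clause headers such as `server:` have no value and are skipped,
    while an explicit empty value like `username: ""` is kept as "".
    Deliberately simple: no handling of '#' inside quoted values or include:.
    """
    options: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        m = _OPTION.match(raw.split("#", 1)[0])
        if not m:
            continue
        key, raw_value = m.group(1).lower(), m.group(2)
        if raw_value == "":
            continue  # clause header (server:, remote-control:, ...)
        options.setdefault(key, []).append(raw_value.strip("\"'"))
    return options


def audit(text: str) -> List[str]:
    """Return one finding per missing mitigation; an empty list means all hold."""
    opts = parse_options(text)
    findings: List[str] = []

    # unbound's default module-config is "validator iterator" (no ipsecmod).
    modules = opts.get("module-config", ["validator iterator"])[-1].split()
    if "ipsecmod" in modules:
        # Only an explicit `no` counts as disabled here; even then the module
        # can be switched on at runtime through unbound-control.
        if opts.get("ipsecmod-enabled", [""])[-1].lower() == "no":
            findings.append("ipsecmod is loaded but disabled; it can be re-enabled "
                            "via unbound-control, so drop it from module-config "
                            "unless DNSSEC-based Opportunistic IPsec is used")
        else:
            findings.append("ipsecmod is loaded and enabled; remove it from "
                            "module-config unless Opportunistic IPsec is used")

    # Missing or empty username: no privilege drop is guaranteed by the config.
    if not opts.get("username", [""])[-1]:
        findings.append("username is unset or empty; unbound is not configured "
                        "to drop privileges after start-up")

    # Validation needs both a trust anchor and the validator module.
    if "validator" not in modules or not any(k in opts for k in _ANCHOR_KEYS):
        findings.append("DNSSEC validation is not configured; an on-path "
                        "attacker could alter the reply that feeds ipsecmod")
    return findings


if __name__ == "__main__":
    for name, conf in (("risky", RISKY_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or ['no findings']}")
```

Run against a real file with `audit(open("/etc/unbound/unbound.conf").read())`; because the parser ignores `include:` directives, configurations split across drop-in files need each fragment audited, and `unbound-checkconf` remains the authority on whether the file parses at all.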
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | unbound | Not affected | | |
| Red Hat Enterprise Linux 7 | unbound | Will not fix | | |
| Red Hat Enterprise Linux 8 | unbound | Fixed | RHSA-2020:1716 | 28.04.2020 |
Additional information
CVSS3 score: 5.6 Medium