Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2024-1931

Опубликовано: 07 мар. 2024
Источник: redhat
CVSS3: 5.9
EPSS Низкий

Описание

NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop. Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration. From version 1.19.2 on, the code is fixed to avoid looping indefinitely.

A vulnerability was found in Unbound. The issue arises due to a flaw in the handling of Extended DNS Error (EDE) records when the 'ede: yes' option is enabled, a non-default configuration. Specifically, an unchecked condition in the code can trigger an infinite loop when attempting to trim the text fields of EDE records to fit within the client's buffer size. This vulnerability could potentially lead to denial of service (DoS) as the infinite loop consumes system resources, impacting the availability of the Unbound DNS resolver.

Отчет

The vulnerability present in Unbound, while posing a risk of denial of service, is assessed as having a Moderate severity level from a technical perspective. The severity is primarily attributed to the potential for exploitation under specific conditions, namely when the 'ede: yes' option is enabled, which is not the default configuration. Additionally, the vulnerability manifests in a limited scenario where responses containing Extended DNS Error (EDE) records exceed the client's buffer size. While the issue can result in an infinite loop and consequent denial of service, its impact is constrained to situations where these specific conditions align. Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. The platform enforces hardening guidelines to ensure the most restrictive setting needed for operational requirements. Event logs are collected and processed for centralization, correlation, analysis, monitoring, reporting, alerting, and retention. This process ensures that audit logs are generated for specific events involving sensitive information, enabling capabilities like excessive CPU usage, long execution times, or processes consuming abnormal amounts of memory. Static code analysis and peer code review techniques are used to execute robust input validation and error-handling mechanisms to ensure all user inputs are thoroughly validated, preventing infinite loops caused by malformed or unexpected input, such as unbounded user input or unexpected null values that cause loops to never terminate. In the event of successful exploitation, process isolation limits the effect of an infinite loop to a single process rather than allowing it to consume all system resources.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 6unboundOut of support scope
Red Hat Enterprise Linux 7unboundOut of support scope
Red Hat Enterprise Linux 8unboundNot affected
Red Hat Enterprise Linux 9unboundFix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-835
https://bugzilla.redhat.com/show_bug.cgi?id=2268418unbound: Infinite loop due to improper EDE message size check

EPSS

Процентиль: 91%
0.06753
Низкий

5.9 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2024-1931

CVSS3: 7.5
ubuntu
больше 1 года назад

NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop. Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration. From version 1.19.2 on, the code is fixed to avoid looping indefinitely.

nvd логотип

CVE-2024-1931

CVSS3: 7.5
nvd
больше 1 года назад

NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop. Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration. From version 1.19.2 on, the code is fixed to avoid looping indefinitely.

debian логотип

CVE-2024-1931

CVSS3: 7.5
debian
больше 1 года назад

NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 c ...

github логотип

GHSA-q63v-rwfp-q5p2

CVSS3: 7.5
github
больше 1 года назад

NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop. Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration. From version 1.19.2 on, the code is fixed to avoid looping indefinitely.

fstec логотип

BDU:2024-01923

CVSS3: 7.5
fstec
больше 1 года назад

Уязвимость DNS-сервера Unbound, связанная с выполнением цикла с недоступным условием выхода, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 91%
0.06753
Низкий

5.9 Medium

CVSS3