[arch-security] [Arch Linux Security Advisory ASA-201412-8] unbound: denial of service

Remi Gacogne rgacogne at archlinux.org
Tue Dec 9 09:17:03 UTC 2014

Arch Linux Security Advisory ASA-201412-8

Severity: High
Date    : 2014-12-09
CVE-ID  : CVE-2014-8602
Package : unbound
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014


The package unbound before version 1.5.1-1 is vulnerable to denial of


Upgrade to 1.5.1-1.

# pacman -Syu "unbound>=1.5.1-1"

The problem has been fixed upstream in version 1.5.1.


A very simple workaround is to ignore the problem and let existing
anti-DoS systems in unbound deal with the issue.  It will consume a lot of
resources, but other customers will (most likely) continue to get service.

If affected, unbound-control flush_requestlist provides temporary relief,
but the issue could resume (immediately).  Putting the maliciously sent
query in local-data, or using access-control to block the malicious
query sending IP would workaround that exploit set-up.  The config
statement do-not-query-address: IPorNetblock can be used to block a
specific authority server.


The resolver can be tricked into following an endless series of
delegations, this consumes a lot of resources.

Resolvers fetch the content for domain names by sending queries to
authority servers on the internet.  One of the responses that authority
servers can return is a referral response, which points to further
servers to continue the lookup.  To continue the lookup, resolvers
may have to perform recursion, where new names, called glue, from the
referral response have to be looked up to continue the query resolution.

The issue here is a lack of limiting on the recursion fetches performed
to figure out a particular query.  The authority server is a special
set-up that responds with an infinite amount of glue.  This then causes
the resolver to spend a lot of resources diving into the infinite glue
looking up names, only find out it needs to look up even more names.


A remote attacker can trick unbound into consuming a lot of resources by
sending a specially crafted query.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20141209/94992907/attachment.bin>

More information about the arch-security mailing list