Hi there,
(The official announcement and more information can be found at:
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/)
DNSSEC protocol vulnerabilities have been discovered that render various
DNSSEC validators victims of Denial Of Service while trying to validate
specially crafted DNSSEC responses.
There are two known vulnerabilities: CVE-2023-50387 (referred here as
the KeyTrap vulnerability) and CVE-2023-50868 (referred here as the
NSEC3 vulnerability).
We are categorizing the vulnerabilities with a HIGH severity for
Unbound.
We are releasing 1.19.1 on the 13th of February including the relevant
fixes.
== Summary
Both vulnerabilities, via specially crafted DNSSEC answers, can lead
DNSSEC validators down a very CPU intensive and time costly
validation/NSEC3 hash calculation path.
This results in degraded performance and denial of service in trivially
orchestrated attacks.
Unbound 1.19.1 includes fixes for better performance under such DNSSEC
validation attacks.
== Affected products
Unbound up to and including 1.19.0.
== Solution
Install Unbound 1.19.1.
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff
Apply the patch using:
patch -p1 < patch_CVE-2023-50387_CVE-2023-50868.diff
== Acknowledgments
We would like to thank Petr Špaček from ISC for discovering and
responsibly disclosing the NSEC3 vulnerability.
* This email is signed. Keys of the NLnet Labs people are published on
https://www.nlnetlabs.nl/people/ *
Best regards,
-- Yorgos