ID CVE-2014-8602
Summary iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a large or infinite number of referrals.
References
Vulnerable Configurations
  • NLnet Labs Unbound 1.5.0
    cpe:2.3:a:nlnetlabs:unbound:1.5.0
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.10
    cpe:2.3:o:canonical:ubuntu_linux:14.10
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
CVSS
Base: 4.3 (as of 02-09-2016 - 20:51)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: NONE
Availability: PARTIAL
nessus via4
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20151119_UNBOUND_ON_SL7_X.NASL
    description A denial of service flaw was found in unbound that an attacker could use to trick the unbound resolver into following an endless loop of delegations, consuming an excessive amount of resources. (CVE-2014-8602) This update also fixes the following bugs : - Prior to this update, there was a mistake in the time configuration in the cron job invoking unbound-anchor to update the root zone key. Consequently, unbound-anchor was invoked once a month instead of every day, thus not complying with RFC 5011. The cron job has been replaced with a systemd timer unit that is invoked on a daily basis. Now, the root zone key validity is checked daily at a random time within a 24-hour window, and compliance with RFC 5011 is ensured. - Previously, the unbound packages were installing their configuration file for the systemd-tmpfiles utility into the /etc/tmpfiles.d/ directory. As a consequence, changes to unbound made by the administrator in /etc/tmpfiles.d/ could be overwritten on package reinstallation or update. To fix this bug, unbound has been amended to install the configuration file into the /usr/lib/tmpfiles.d/ directory. As a result, the system administrator's configuration in /etc/tmpfiles.d/ is preserved, including any changes, on package reinstallation or update. - The unbound server default configuration included validation of DNS records using the DNSSEC Look-aside Validation (DLV) registry. The Internet Systems Consortium (ISC) plans to deprecate the DLV registry service as no longer needed, and unbound could execute unnecessary steps. Therefore, the use of the DLV registry has been removed from the unbound server default configuration. Now, unbound does not try to perform DNS records validation using the DLV registry.
    last seen 2017-10-29
    modified 2015-12-22
    plugin id 87577
    published 2015-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87577
    title Scientific Linux Security Update : unbound on SL7.x x86_64
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL15931.NASL
    description iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a large or infinite number of referrals.
    last seen 2017-10-29
    modified 2016-10-31
    plugin id 80231
    published 2014-12-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80231
    title F5 Networks BIG-IP : Unbound vulnerability (SOL15931)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3097.NASL
    description Florian Maury from ANSSI discovered that unbound, a validating, recursive, and caching DNS resolver, was prone to a denial of service vulnerability. An attacker crafting a malicious zone and able to emit (or make emit) queries to the server can trick the resolver into following an endless series of delegations, leading to resource exhaustion and huge network usage.
    last seen 2017-10-29
    modified 2016-05-05
    plugin id 79884
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79884
    title Debian DSA-3097-1 : unbound - security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-16671.NASL
    description Security fix for CVE-2014-8602 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-10-19
    plugin id 80142
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80142
    title Fedora 20 : unbound-1.5.1-2.fc20 (2014-16671)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-2455.NASL
    description Updated unbound packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. A denial of service flaw was found in unbound that an attacker could use to trick the unbound resolver into following an endless loop of delegations, consuming an excessive amount of resources. (CVE-2014-8602) This update also fixes the following bugs : * Prior to this update, there was a mistake in the time configuration in the cron job invoking unbound-anchor to update the root zone key. Consequently, unbound-anchor was invoked once a month instead of every day, thus not complying with RFC 5011. The cron job has been replaced with a systemd timer unit that is invoked on a daily basis. Now, the root zone key validity is checked daily at a random time within a 24-hour window, and compliance with RFC 5011 is ensured. (BZ#1180267) * Previously, the unbound packages were installing their configuration file for the systemd-tmpfiles utility into the /etc/tmpfiles.d/ directory. As a consequence, changes to unbound made by the administrator in /etc/tmpfiles.d/ could be overwritten on package reinstallation or update. To fix this bug, unbound has been amended to install the configuration file into the /usr/lib/tmpfiles.d/ directory. As a result, the system administrator's configuration in /etc/tmpfiles.d/ is preserved, including any changes, on package reinstallation or update. (BZ#1180995) * The unbound server default configuration included validation of DNS records using the DNSSEC Look-aside Validation (DLV) registry. The Internet Systems Consortium (ISC) plans to deprecate the DLV registry service as no longer needed, and unbound could execute unnecessary steps. Therefore, the use of the DLV registry has been removed from the unbound server default configuration. Now, unbound does not try to perform DNS records validation using the DLV registry. (BZ#1223339) All unbound users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2017-10-29
    modified 2016-04-28
    plugin id 87159
    published 2015-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87159
    title CentOS 7 : unbound (CESA-2015:2455)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-800.NASL
    description This unbound update fixes the following security issue. - boo#908990: following endless delegations (CVE-2014-8602)
    last seen 2017-10-29
    modified 2014-12-26
    plugin id 80246
    published 2014-12-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80246
    title openSUSE Security Update : unbound (openSUSE-SU-2014:1688-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_10D735297F4B11E4AF6600215AF774F0.NASL
    description Unbound developer reports : The resolver can be tricked into following an endless series of delegations, this consumes a lot of resources.
    last seen 2017-10-29
    modified 2016-08-10
    plugin id 79810
    published 2014-12-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79810
    title FreeBSD : unbound -- can be tricked into following an endless series of delegations, this consumes a lot of resources (10d73529-7f4b-11e4-af66-00215af774f0)
  • NASL family DNS
    NASL id UNBOUND_1_5_1.NASL
    description According to its self-reported version number, the remote Unbound DNS resolver is affected by a denial of service vulnerability in the Domain Name Service due to improper handling of a maliciously-constructed zone or queries from a rogue server. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause the service to issue unlimited queries in an attempt to follow a delegation, resulting in a denial of service condition.
    last seen 2017-10-29
    modified 2016-01-13
    plugin id 87870
    published 2016-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87870
    title Unbound < 1.5.1 Delegation Handling Recursive Referral Handling Resource Exhaustion DoS
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-107.NASL
    description Florian Maury from ANSSI discovered that unbound, a validating, recursive, and caching DNS resolver, was prone to a denial of service vulnerability. An attacker crafting a malicious zone and able to emit (or make emit) queries to the server can trick the resolver into following an endless series of delegations, leading to resource exhaustion and huge network usage. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-05
    plugin id 82091
    published 2015-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82091
    title Debian DLA-107-1 : unbound security update
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-2455.NASL
    description From Red Hat Security Advisory 2015:2455 : Updated unbound packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. A denial of service flaw was found in unbound that an attacker could use to trick the unbound resolver into following an endless loop of delegations, consuming an excessive amount of resources. (CVE-2014-8602) This update also fixes the following bugs : * Prior to this update, there was a mistake in the time configuration in the cron job invoking unbound-anchor to update the root zone key. Consequently, unbound-anchor was invoked once a month instead of every day, thus not complying with RFC 5011. The cron job has been replaced with a systemd timer unit that is invoked on a daily basis. Now, the root zone key validity is checked daily at a random time within a 24-hour window, and compliance with RFC 5011 is ensured. (BZ#1180267) * Previously, the unbound packages were installing their configuration file for the systemd-tmpfiles utility into the /etc/tmpfiles.d/ directory. As a consequence, changes to unbound made by the administrator in /etc/tmpfiles.d/ could be overwritten on package reinstallation or update. To fix this bug, unbound has been amended to install the configuration file into the /usr/lib/tmpfiles.d/ directory. As a result, the system administrator's configuration in /etc/tmpfiles.d/ is preserved, including any changes, on package reinstallation or update. (BZ#1180995) * The unbound server default configuration included validation of DNS records using the DNSSEC Look-aside Validation (DLV) registry. The Internet Systems Consortium (ISC) plans to deprecate the DLV registry service as no longer needed, and unbound could execute unnecessary steps. Therefore, the use of the DLV registry has been removed from the unbound server default configuration. Now, unbound does not try to perform DNS records validation using the DLV registry. (BZ#1223339) All unbound users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2017-10-29
    modified 2016-04-28
    plugin id 87041
    published 2015-11-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87041
    title Oracle Linux 7 : unbound (ELSA-2015-2455)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2455.NASL
    description Updated unbound packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. A denial of service flaw was found in unbound that an attacker could use to trick the unbound resolver into following an endless loop of delegations, consuming an excessive amount of resources. (CVE-2014-8602) This update also fixes the following bugs : * Prior to this update, there was a mistake in the time configuration in the cron job invoking unbound-anchor to update the root zone key. Consequently, unbound-anchor was invoked once a month instead of every day, thus not complying with RFC 5011. The cron job has been replaced with a systemd timer unit that is invoked on a daily basis. Now, the root zone key validity is checked daily at a random time within a 24-hour window, and compliance with RFC 5011 is ensured. (BZ#1180267) * Previously, the unbound packages were installing their configuration file for the systemd-tmpfiles utility into the /etc/tmpfiles.d/ directory. As a consequence, changes to unbound made by the administrator in /etc/tmpfiles.d/ could be overwritten on package reinstallation or update. To fix this bug, unbound has been amended to install the configuration file into the /usr/lib/tmpfiles.d/ directory. As a result, the system administrator's configuration in /etc/tmpfiles.d/ is preserved, including any changes, on package reinstallation or update. (BZ#1180995) * The unbound server default configuration included validation of DNS records using the DNSSEC Look-aside Validation (DLV) registry. The Internet Systems Consortium (ISC) plans to deprecate the DLV registry service as no longer needed, and unbound could execute unnecessary steps. Therefore, the use of the DLV registry has been removed from the unbound server default configuration. Now, unbound does not try to perform DNS records validation using the DLV registry. (BZ#1223339) All unbound users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 86991
    published 2015-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86991
    title RHEL 7 : unbound (RHSA-2015:2455)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-16647.NASL
    description Security fix for CVE-2014-8602 new release fix build on aarch64 new upstream version Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-10-19
    plugin id 80140
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80140
    title Fedora 21 : unbound-1.5.1-2.fc21 (2014-16647)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2484-1.NASL
    description Florian Maury discovered that Unbound incorrectly handled delegation. A remote attacker could possibly use this issue to cause Unbound to consume resources, resulting in a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-24
    plugin id 81019
    published 2015-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81019
    title Ubuntu 14.04 LTS / 14.10 : unbound vulnerability (USN-2484-1)
redhat via4
advisories
bugzilla
id 1180995
title unbound is installing files under /etc/tmpfiles.d/
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhsa:tst:20140675001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhsa:tst:20140675002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20140675003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20140675004
  • OR
    • AND
      • comment unbound is earlier than 0:1.4.20-26.el7
        oval oval:com.redhat.rhsa:tst:20152455007
      • comment unbound is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20152455008
    • AND
      • comment unbound-devel is earlier than 0:1.4.20-26.el7
        oval oval:com.redhat.rhsa:tst:20152455005
      • comment unbound-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20152455006
    • AND
      • comment unbound-libs is earlier than 0:1.4.20-26.el7
        oval oval:com.redhat.rhsa:tst:20152455011
      • comment unbound-libs is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20152455012
    • AND
      • comment unbound-python is earlier than 0:1.4.20-26.el7
        oval oval:com.redhat.rhsa:tst:20152455009
      • comment unbound-python is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20152455010
rhsa
id RHSA-2015:2455
released 2015-08-14
severity Low
title RHSA-2015:2455: unbound security and bug fix update (Low)
rpms
  • unbound-0:1.4.20-26.el7
  • unbound-devel-0:1.4.20-26.el7
  • unbound-libs-0:1.4.20-26.el7
  • unbound-python-0:1.4.20-26.el7
refmap via4
bid 71589
cert-vn VU#264212
confirm
debian DSA-3097
misc
ubuntu USN-2484-1
Last major update 28-11-2016 - 14:13
Published 10-12-2014 - 21:59