131 lines
4.8 KiB
Text
131 lines
4.8 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-14:30.unbound Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: unbound remote denial of service vulnerability
|
|
|
|
Category: contrib
|
|
Module: unbound
|
|
Announced: 2014-12-17
|
|
Affects: FreeBSD 10.0-RELEASE and later
|
|
Credits: Florian Maury (ANSSI)
|
|
Corrected: 2014-12-17 06:58:00 UTC (stable/10, 10.1-STABLE)
|
|
2014-12-17 06:59:47 UTC (releng/10.1, 10.1-RELEASE-p2)
|
|
2014-12-17 06:59:47 UTC (releng/10.0, 10.0-RELEASE-p14)
|
|
CVE Name: CVE-2014-8602
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
Unbound is a validating, recursive, and caching DNS resolver.
|
|
|
|
II. Problem Description
|
|
|
|
By causing queries to be made against a maliciously-constructed zone or
|
|
against a malicious DNS server, an attacker who is able to cause
|
|
specific queries to be sent to a nameserver can trick unbound(8) resolver
|
|
into following an endless series of delegations, which consumes a lot of
|
|
resources.
|
|
|
|
III. Impact
|
|
|
|
Unbound will spend a lot of resources on this query, and this will impact
|
|
unbound's CPU and network resources. Unbound may therefore lose some
|
|
ability or timelines for the service of customer queries (a denial of
|
|
service). Unbound will continue to respond normally for cached queries.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available, but hosts not running unbound(8) are not
|
|
vulnerable.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
2) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
3) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 10.x]
|
|
# fetch https://security.FreeBSD.org/patches/SA-14:30/unbound.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-14:30/unbound.patch.asc
|
|
# gpg --verify unbound.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile the operating system using buildworld and installworld as
|
|
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
|
|
|
Restart the unbound(8) daemons, or reboot the system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/10/ r275853
|
|
releng/10.0/ r275854
|
|
releng/10.1/ r275854
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://unbound.net/downloads/CVE-2014-8602.txt>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8602>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-14:30.unbound.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQIcBAEBCgAGBQJUkTg1AAoJEO1n7NZdz2rn+iUP/3RP0KKn8B2SnSpSLbXws/eY
|
|
GEOTYEsZJpGTtCyIg5eKmJ/AU7dKiD34da2uaL41Lt4hWa/Icyk13CtV6cK9TfN4
|
|
oSrrgDCbqErrFh74lhQX3v3bYHNMhZRVnaM9tHXHmpa9NAKhyTP+eyo+Ss7iK/am
|
|
lVBW2xPv92OKyjo0Onp5h3o5QT6DHpPgW91f9He4GygYfShMXtOb+VhGpllxwbeM
|
|
aS59yPkhGJLVhxQn2QtFpj67QxS5GIhK6iccwrRKo8Okij2mlRfR4fuD5Ol4L9TK
|
|
sZKMGtgESPLGmfW1Pj/BRobyCWcs+cYLchZkxbomQBcH7ybpOMW+SqTB0FkZcscU
|
|
ODMzvum2VZuSl5fAlu3F6V0/k+8cFiE4B/Xyioqa8aRsfYNfWjoETmfE7ld+zXqX
|
|
8cPizwGYdsuO4g6mNS0HFuuexkJem9qviRfnQUQ/EJQPNfXB33GYBoFquE0mvFUO
|
|
WN5QiietSnNp4/TF+BjXlaeo/PtO+Q8xIdqgdSzouslx95a4j3N127k8Yoz55Nx+
|
|
3mEeqvZRf5/7ieIgyHti/v/xKZOyGCs6NwlZ6xN+0kanNqMDfjpKnfzTJnnSTbj6
|
|
z6FCzXn986EqL8kpJisKZEJfntvZu4ft/KUo4qzZAtuNgnoUGFYXv5DfQrM75ZJ/
|
|
9PFQzCA+8snPiCyUhAaC
|
|
=fkvr
|
|
-----END PGP SIGNATURE-----
|