Bug 1202031 (CVE-2022-30699)

Summary:	VUL-0: CVE-2022-30699: unbound: Novel "ghost domain names" attack by updating almost expired delegation information
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Robert Frohl <rfrohl>
Component:	Incidents	Assignee:	Stefano Torresi <stefano.torresi>
Status:	NEW ---	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	gabriele.sonnu, rtorreromarijnissen, stefano.torresi, stoyan.manolov, thomas.leroy
Version:	unspecified	Flags:	stoyan.manolov: needinfo? (rtorreromarijnissen)
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/338557/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-30699:5.6:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Robert Frohl 2022-08-01 13:59:27 UTC

Novel "ghost domain names" attack by updating almost expired delegation information

Date:	2022-08-01
CVE:	CVE-2022-30699
Credit:	Xiang Li (Network and Information Security Lab, Tsinghua University)
Affects:	Unbound up to and including version 1.16.1
Not affected:	Other versions
Severity:	Medium
Impact:	Remote attackers can trigger continued resolvability of revoked domain names
Solution:	Download patched version of Unbound, or apply the patch manually

NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire making the rogue delegation information ever-updating. From version 1.16.2 on, Unbound stores the start time for a query and uses that to decide if the cached delegation information can be overwritten.

Unbound 1.16.2 contains a patch. If you cannot upgrade you can also apply the patch manually. To do this, apply the patch on the Unbound source directory with patch -p1 < patch_CVE-2022-30698_CVE-2022-30699.diff and then run make install to install Unbound.

This is a shared patch with CVE-2022-30698 below

Comment 1 Robert Frohl 2022-08-01 14:01:25 UTC

https://nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt
https://nlnetlabs.nl/projects/unbound/security-advisories/

Comment 2 OBSbugzilla Bot 2022-08-01 16:40:08 UTC

This is an autogenerated message for OBS integration:
This bug (1202031) was mentioned in
https://build.opensuse.org/request/show/992044 Factory / unbound