Bugzilla – Bug 1202033
VUL-0: CVE-2022-30698: unbound: Novel "ghost domain names" attack by introducing subdomain delegations
Last modified: 2022-11-10 12:05:19 UTC
Novel "ghost domain names" attack by introducing subdomain delegations
Credit: Xiang Li (Network and Information Security Lab, Tsinghua University)
Affects: Unbound up to and including version 1.16.1
Not affected: Other versions
Impact: Remote attackers can trigger continued resolvability of revoked domain names
Solution: Download patched version of Unbound, or apply the patch manually
NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before expiry of the delegation information by querying Unbound for a second level subdomain which the rogue nameserver provides new delegation information. Since Unbound is a child-centric resolver, the ever-updating child delegation information can keep a rogue domain name resolvable long after revocation. From version 1.16.2 on, Unbound checks the validity of parent delegation records before using cached delegation information.
Unbound 1.16.2 contains a patch. If you cannot upgrade you can also apply the patch manually. To do this, apply the patch on the Unbound source directory with patch -p1 < patch_CVE-2022-30698_CVE-2022-30699.diff and then run make install to install Unbound.
This is a shared patch with CVE-2022-30699 above
This is an autogenerated message for OBS integration:
This bug (1202033) was mentioned in
https://build.opensuse.org/request/show/992044 Factory / unbound