Bug 1202033 - (CVE-2022-30698) VUL-0: CVE-2022-30698: unbound: Novel "ghost domain names" attack by introducing subdomain delegations
(CVE-2022-30698)
VUL-0: CVE-2022-30698: unbound: Novel "ghost domain names" attack by introduc...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Stefano Torresi
Security Team bot
https://smash.suse.de/issue/338559/
CVSSv3.1:SUSE:CVE-2022-30698:5.6:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-08-01 14:01 UTC by Robert Frohl
Modified: 2022-11-10 12:05 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
thomas.leroy: needinfo? (rtorreromarijnissen)
stoyan.manolov: needinfo? (stefano.torresi)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2022-08-01 14:01:18 UTC
Novel "ghost domain names" attack by introducing subdomain delegations

Date:	2022-08-01
CVE:	CVE-2022-30698
Credit:	Xiang Li (Network and Information Security Lab, Tsinghua University)
Affects:	Unbound up to and including version 1.16.1
Not affected:	Other versions
Severity:	Medium
Impact:	Remote attackers can trigger continued resolvability of revoked domain names
Solution:	Download patched version of Unbound, or apply the patch manually

NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before expiry of the delegation information by querying Unbound for a second level subdomain which the rogue nameserver provides new delegation information. Since Unbound is a child-centric resolver, the ever-updating child delegation information can keep a rogue domain name resolvable long after revocation. From version 1.16.2 on, Unbound checks the validity of parent delegation records before using cached delegation information.

Unbound 1.16.2 contains a patch. If you cannot upgrade you can also apply the patch manually. To do this, apply the patch on the Unbound source directory with patch -p1 < patch_CVE-2022-30698_CVE-2022-30699.diff and then run make install to install Unbound.

This is a shared patch with CVE-2022-30699 above

https://nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt
https://nlnetlabs.nl/projects/unbound/security-advisories/
Comment 1 OBSbugzilla Bot 2022-08-01 16:40:09 UTC
This is an autogenerated message for OBS integration:
This bug (1202033) was mentioned in
https://build.opensuse.org/request/show/992044 Factory / unbound