We at X41 have performed an audit of the Unbound DNS server, sponsored by the great folks at OSTIF. Most of the issues have already been addressed, and Unbound 1.9.6 will be released with fixes for all findings of the audit that had a direct security impact. For immediate patching needs, all security issues found to have an impact are fixed in the recent HEAD commit of the Unbound repository.
The full report of the security audit can be downloaded here.
A writeup of the IPsec Module Command Injection and the Use After Free in EDNS parsing can be found on our blog.
The bash script does not properly sanitize the data retrieved by HTTP before it is written to a configuration file. This allows a malicious server to modify the configuration by including several statements on a single line.
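One way to close this class of bug is to validate every fetched name against a strict hostname alphabet before it is written out. The sketch below is an added example, not code from Unbound or from the audit report; the function names, the sample feed and the emitted `local-zone`/`local-data` layout are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example. Function names and the emitted directive layout are
# assumptions for illustration, not taken from the audited script.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below byte-exact

# Succeeds only for a plain DNS hostname. Per-label length is not checked.
is_valid_hostname() {
    _name=$1
    [ -n "$_name" ] && [ "${#_name}" -le 253 ] || return 1
    case $_name in
        *[!A-Za-z0-9.-]*) return 1 ;;            # quotes, spaces, colons, control bytes
        .*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;  # empty label or hyphen at a label edge
        *.*) return 0 ;;                         # at least two labels
        *) return 1 ;;
    esac
}

# Reads one candidate name per line on stdin and writes configuration lines
# for the valid ones to stdout. Rejected lines are reported on stderr by line
# number only, so hostile bytes never reach the config file or the terminal.
emit_blocklist_config() {
    _cr=$(printf '\r')
    _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        _line=${_line%"$_cr"}                    # tolerate CRLF line endings
        [ -z "$_line" ] && continue
        if is_valid_hostname "$_line"; then
            printf 'local-zone: "%s" redirect\n' "$_line"
            printf 'local-data: "%s A 127.0.0.1"\n' "$_line"
        else
            printf 'rejected input line %d\n' "$_n" >&2
        fi
    done
    return 0
}

# Constructed sample input: the second line tries to close the quoted name
# and append a further statement on the same line.
sample_feed() {
    printf '%s\n' 'ads.example.com' \
        'name.example" extra-statement: "value' \
        'tracker.example.org'
}

sample_feed | emit_blocklist_config
```

In a real update job the output would go to a temporary file that replaces the live configuration only after the whole feed has been processed.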
Several out-of-bounds reads and writes have been identified in various locations in the source code which might cause memory corruptions, information leaks, or crashes. The full impact of all the issues was not investigated in the course of the audit.
Other issues, such as writeable shared memory, bad randomness used in certain corner cases, and a race condition, have also been identified throughout the code. These might be abused in certain setups but do not seem to pose a big risk to the users of Unbound. The same seems true for an eval() on untrusted input in one of the Python examples.
If you are interested in working with us on such projects in the future, ping us!