NEWS
Security Audit of Unbound DNS Server in Progress
We at X41 are currently performing an audit of the unbound DNS server thanks to the great folks at OSTIF who kindly sponsor our work.
While X41 is still auditing, the first results are already making their way into the unbound codebase thanks to the diligent developers at NLNetLabs.
IPSECMOD - Command Injection
Today, another issue was resolved in unbound that could lead to remote code execution if the ipsecmod module is enabled. Eric Sesterhenn noticed a shell injection vulnerability in the way the ipsecmod helper tool is executed via system().
This shell injection can easily be triggered by a malicious DNS response packet. The unbound project has already released an update for this issue and all users are encouraged to update to version 1.9.5. This issue is tracked as CVE-2019-18934.
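As an added illustration (this is not code from the X41 post nor from unbound), the following C program puts the system() pattern behind this class of bug next to an argv-based exec. The helper path /usr/local/bin/ipsec-hook, the argument layout, and the record contents are assumptions made for the example; the page does not describe the actual ipsecmod hook interface, and the hardened variants shown are general hardening, not necessarily the patch that went into 1.9.5.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed attacker-controlled record data, as it could arrive in a DNS
 * response: a plausible gateway address followed by shell metacharacters. */
static const char *MALICIOUS_GATEWAY = "198.51.100.7; id > /tmp/pwned";
static const char *HOOK = "/usr/local/bin/ipsec-hook";   /* hypothetical helper */

/* Vulnerable pattern: untrusted record data is spliced into a command line
 * that a shell will later parse. Returns the length of the command. */
int build_shell_cmd(char *out, size_t outlen, const char *qname, const char *gateway) {
    return snprintf(out, outlen, "%s %s %s", HOOK, qname, gateway);
}

/* What the vulnerable code does with it; deliberately not called below,
 * because /bin/sh would run the injected "id > /tmp/pwned" as a second command. */
int run_vuln(const char *qname, const char *gateway) {
    char cmd[512];
    build_shell_cmd(cmd, sizeof cmd, qname, gateway);
    return system(cmd);
}

/* Hardened pattern: exec the helper directly with an argv. No shell parses
 * the data, so the whole string, metacharacters included, reaches the helper
 * as a single argument. 'helper' is a parameter so main() can use /bin/echo. */
int run_fixed(const char *helper, const char *qname, const char *gateway) {
    char *const argv[] = { (char *)helper, (char *)qname, (char *)gateway, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(helper, argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Defence in depth for the address-literal gateway forms: accept only the
 * characters an IPv4/IPv6 literal can contain, so malformed data is rejected
 * before any process is spawned. A domain-name gateway needs its own check. */
int looks_like_gateway(const char *s) {
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!strchr("0123456789abcdefABCDEF.:", *s)) return 0;
    return 1;
}

int main(void) {
    char cmd[512];
    build_shell_cmd(cmd, sizeof cmd, "example.com", MALICIOUS_GATEWAY);
    printf("system() would receive: %s\n", cmd);
    printf("allowlist check on record data: %d\n", looks_like_gateway(MALICIOUS_GATEWAY));
    /* With argv-based exec the metacharacters are inert: echo prints them verbatim. */
    return run_fixed("/bin/echo", "example.com", MALICIOUS_GATEWAY);
}
```

Running the program prints the command line the vulnerable variant would hand to system(), shows the allowlist rejecting the record data, and then demonstrates that with execv() the same data is passed through untouched as one argument.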
EDNS PARSING - Use of Uninitialized Memory
The first issue that triggered a patch was a vulnerability in the parsing of NOTIFY queries, found by Luis Merino. This issue is tracked as CVE-2019-16866 and concerns the use of uninitialized stack memory.
The function worker_handle_request() in the file daemon/worker.c does the high-level parsing of incoming DNS requests. While extracting EDNS information from the incoming packet, it calls parse_edns_from_pkt() with a pointer to the stack-allocated struct edns in which EDNS data will be stored, if present. The variable edns is not initialized after its declaration in worker_handle_request().
When the input packet has no valid EDNS data, some error paths in parse_edns_from_pkt() still do not initialize edns and let worker_handle_request() continue processing the request.
Right after the call to parse_edns_from_pkt(), the EDNS processing branches are executed if edns.edns_present is true. But edns is still not initialized and contains whatever data was present on the stack when it was declared. This effectively means edns.edns_present can be true even when the request contained no valid EDNS data.
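To make the flow above concrete, here is an added example (not code from the X41 post or from unbound) that models the struct edns / parse_edns_from_pkt() pattern in a reduced form. The field set, the simplified OPT parsing, the packets, and the "clear the struct on entry" fix are all assumptions made for the example; in particular the fix shown is one valid hardening, not necessarily the patch applied in unbound. Because reading a genuinely uninitialized struct is undefined behaviour, the stale stack contents are simulated with an explicit fill.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RCODE_FORMERR 1
#define TYPE_OPT      41

/* Reduced model of struct edns; only the fields used here. */
struct edns {
    int      edns_present;   /* worker_handle_request() branches on this */
    uint16_t udp_size;
    uint8_t  ext_rcode;
    uint8_t  edns_version;
    uint16_t bits;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Skip an uncompressed wire-format name; returns the new offset, 0 on error. */
static size_t skip_name(const uint8_t *pkt, size_t len, size_t off) {
    while (off < len) {
        uint8_t lab = pkt[off];
        if (lab == 0) return off + 1;
        if (lab & 0xC0) return 0;            /* no compression in the question */
        off += 1 + (size_t)lab;
    }
    return 0;
}

/* Vulnerable shape: *edns is written only on the two "good" paths. Every
 * FORMERR return leaves it exactly as the caller passed it in. */
static int parse_edns_vuln(const uint8_t *pkt, size_t len, struct edns *edns) {
    size_t off;
    if (len < 12) return RCODE_FORMERR;
    if (rd16(pkt + 4) != 1 || rd16(pkt + 6) != 0 || rd16(pkt + 8) != 0)
        return RCODE_FORMERR;                /* QDCOUNT/ANCOUNT/NSCOUNT check */
    off = skip_name(pkt, len, 12);
    if (off == 0 || off + 4 > len) return RCODE_FORMERR;
    off += 4;                                /* qtype, qclass */
    if (rd16(pkt + 10) == 0) {               /* no additional section: no EDNS */
        memset(edns, 0, sizeof(*edns));
        edns->udp_size = 512;
        return 0;
    }
    if (rd16(pkt + 10) != 1) return RCODE_FORMERR;
    if (off >= len || pkt[off] != 0) return RCODE_FORMERR;  /* OPT owner is root */
    off += 1;
    if (off + 10 > len) return RCODE_FORMERR;               /* truncated OPT header */
    if (rd16(pkt + off) != TYPE_OPT) return RCODE_FORMERR;
    edns->edns_present = 1;
    edns->udp_size     = rd16(pkt + off + 2);
    edns->ext_rcode    = pkt[off + 4];
    edns->edns_version = pkt[off + 5];
    edns->bits         = rd16(pkt + off + 6);
    return 0;
}

/* Hardened shape (assumed fix): clear the struct before any parsing, so every
 * return path leaves edns_present defined. */
static int parse_edns_fixed(const uint8_t *pkt, size_t len, struct edns *edns) {
    memset(edns, 0, sizeof(*edns));
    return parse_edns_vuln(pkt, len, edns);
}

/* Model of the worker_handle_request() flow described in the post: processing
 * continues past the failed EDNS parse and then tests edns.edns_present.
 * Returns 1 if the EDNS branch would be taken. */
static int handle_request(const uint8_t *pkt, size_t len,
                          int (*parse)(const uint8_t *, size_t, struct edns *)) {
    struct edns edns;
    memset(&edns, 0xAA, sizeof(edns));       /* stand-in for leftover stack data */
    (void)parse(pkt, len, &edns);            /* error path: processing continues */
    return edns.edns_present != 0;
}

/* Constructed packets (not captured traffic): a query for example.com with a
 * well-formed OPT RR (udp 4096, DO bit), and the same query whose OPT RR is
 * cut short so parsing takes a FORMERR path. */
static const uint8_t GOOD_QUERY[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x01,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01,
    0x00, 0x00,0x29, 0x10,0x00, 0x00,0x00,0x80,0x00, 0x00,0x00 };
static const uint8_t TRUNCATED_OPT[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x01,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01,
    0x00, 0x00,0x29, 0x10,0x00 };

int vuln_takes_edns_branch(void)  { return handle_request(TRUNCATED_OPT, sizeof TRUNCATED_OPT, parse_edns_vuln); }
int fixed_takes_edns_branch(void) { return handle_request(TRUNCATED_OPT, sizeof TRUNCATED_OPT, parse_edns_fixed); }

int main(void) {
    struct edns e;
    if (parse_edns_fixed(GOOD_QUERY, sizeof GOOD_QUERY, &e) == 0)
        printf("good query: edns_present=%d udp_size=%u bits=0x%04x\n",
               e.edns_present, (unsigned)e.udp_size, (unsigned)e.bits);
    printf("truncated OPT, vulnerable parser: EDNS branch taken=%d\n", vuln_takes_edns_branch());
    printf("truncated OPT, fixed parser:      EDNS branch taken=%d\n", fixed_takes_edns_branch());
    return 0;
}
```

With the truncated OPT record, the vulnerable parser returns FORMERR without touching the struct, so the caller sees whatever was in the frame before and takes the EDNS branch; after clearing the struct on entry, the same packet leaves edns_present at zero. The same reasoning applies to any other early return in the parser, which is why the fix belongs at the top of the function (or at the declaration in the caller) rather than in individual error paths.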
If you are interested in working with us on such projects in the future, ping us!