Security Audit of Unbound DNS Server in Progress
While X41 is still auditing, the first results are already making their way into the unbound codebase thanks to the diligent developers at NLNetLabs.
IPSECMOD - Command Injection
Today, another issue was resolved in unbound that could lead to remote code execution if the ipsecmod module was enabled. Eric Sesterhenn noticed a shell injection vulnerability when the ipsecmod helper tool was executed via
This shell injection can be easily triggered by a malicious DNS response packet. The unbound project has already released an update for this issue and all users are encouraged to update to version 1.9.5. This issue is tracked as CVE-2019-18934.
EDNS PARSING - Use After Free
worker_handle_request() in file ‘daemon/worker.c’ does the high-level parsing of incoming DNS requests. While extracting EDNS information from the incoming packet, it will call parse_edns_from_pkt() with a pointer to the stack-allocated struct edns where EDNS data will be stored, if present.
edns is not initialized after declaration in
When the input packet has no valid EDNS data, some error paths in parse_edns_from_pkt() still do not initialize edns and let worker_handle_request() continue processing the request.
Just after calling parse_edns_from_pkt(), EDNS processing branches will be executed if edns is still not initialized and contains whatever data was present on the stack when it was declared. This effectively means edns.edns_present can be true even when the request contained no valid EDNS data.
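The failure mode described above, as an added C example that is not Unbound's code: struct edns_info, parse_edns() and handle_request() are hypothetical stand-ins, the packet format is a constructed toy, and leftover stack contents are simulated with a fill pattern. The hardened flag shows one common remedy, clearing the output struct on entry, which is an assumption here and not necessarily the fix the project applied.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the EDNS result struct (not Unbound's definition). */
struct edns_info {
    int edns_present;
    uint16_t udp_size;
};

/* Constructed toy format: pkt[0] == 1 announces an EDNS record and
 * pkt[1..2] carry the UDP size. Returns 0 when the caller may continue. */
static int parse_edns(const uint8_t *pkt, size_t len,
                      struct edns_info *out, int hardened)
{
    if (hardened)
        memset(out, 0, sizeof(*out)); /* defined state on every return path */
    if (len == 0 || pkt[0] != 1) {
        out->edns_present = 0;        /* "no EDNS" path does initialise */
        return 0;
    }
    if (len < 3)
        return 0;                     /* malformed record: *out never written */
    out->edns_present = 1;
    out->udp_size = (uint16_t)((pkt[1] << 8) | pkt[2]);
    return 0;
}

/* Returns 1 if the EDNS processing branch would run for this packet. */
static int handle_request(const uint8_t *pkt, size_t len, int hardened)
{
    struct edns_info edns;
    /* Stand-in for leftover stack bytes: reading a truly uninitialised
     * struct is undefined behaviour, so the stale data is simulated. */
    memset(&edns, 0xAA, sizeof(edns));
    parse_edns(pkt, len, &edns, hardened);
    return edns.edns_present != 0;
}

int main(void)
{
    const uint8_t truncated[] = { 1, 0x10 };      /* constructed sample */
    const uint8_t valid[] = { 1, 0x04, 0xD0 };    /* constructed sample */
    int ok = handle_request(truncated, sizeof(truncated), 0) == 1
          && handle_request(truncated, sizeof(truncated), 1) == 0
          && handle_request(valid, sizeof(valid), 1) == 1;
    return ok ? 0 : 1;
}
```

Building the real code with a memory sanitizer or running it under Valgrind flags this class of bug, because the branch condition depends on bytes that were never written.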
If you are interested in working with us on such projects in the future, ping us!