Security Audit of Unbound DNS Server

We at X41 have performed an audit of the Unbound DNS server, sponsored by the great folks at OSTIF. Most of the issues have already been addressed, and Unbound 1.9.6 will be released with fixes for all audit findings that had a direct security impact. For immediate patching needs, all security issues found to have an impact are fixed in the recent HEAD commit of the Unbound repository.

The full report of the security audit can be downloaded here.

A writeup of the IPsec Module Command Injection and the Use After Free in EDNS parsing can be found on our blog.

Command Injection in Contributed Helper

The bash script contrib/create_unbound_ad_servers.sh does not properly sanitize the data retrieved by HTTP before it is written to a configuration file. This allows a malicious server to modify the configuration by including several statements on a single line.
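
One way to close this class of bug, shown as an added example that is not taken from the contrib script or the audit report: check every fetched line against a strict hostname allowlist before anything is written. The function names, the constructed sample lines and the `local-zone`/`local-data` output layout are assumptions.

```shell
#!/bin/sh
# Added example (not code from Unbound or the audit report).
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges byte-exact
cr=$(printf '\r')

# is_hostname NAME: succeed only if NAME is a plain LDH hostname.
is_hostname() {
    name=$1
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 253 ] || return 1
    case $name in
        # Allowlist of characters: rejects quotes, whitespace, colons and
        # anything else that has meaning in the configuration syntax.
        *[!A-Za-z0-9.-]*) return 1 ;;
        # No empty labels, no label starting or ending with a hyphen.
        .*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    esac
    rest=$name
    while [ -n "$rest" ]; do          # each label is at most 63 bytes
        label=${rest%%.*}
        [ "${#label}" -le 63 ] || return 1
        case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
    done
    return 0
}

# emit_blocklist: stdin = fetched response, one candidate name per line.
# stdout = config lines (directive layout is an assumption); rejected lines
# are only counted on stderr and never copied into the output.
emit_blocklist() {
    rejected=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}            # tolerate CRLF responses
        [ -n "$line" ] || continue
        if is_hostname "$line"; then
            printf 'local-zone: "%s" redirect\n' "$line"
            printf 'local-data: "%s A 127.0.0.1"\n' "$line"
        else
            rejected=$((rejected + 1))
        fi
    done
    echo "rejected $rejected line(s)" >&2
}

# Constructed sample response: two valid names and one line that tries to
# carry a second statement.
sample_response() {
    printf '%s\n' 'ads.example.com' \
        'bad.example" extra-statement: "x' 'tracker.example.net'
}
```

Running `sample_response | emit_blocklist` writes four configuration lines for the two valid names and reports one rejected line on stderr.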

Out of Bounds Memory Reads and Writes

Several out-of-bounds reads and writes have been identified in various locations in the source code, which might cause memory corruption, information leaks, or crashes. The full impact of all the issues was not investigated in the course of the audit.

Various Smaller Issues

Other issues, such as writeable shared memory, bad randomness used in certain corner cases, and a race condition, have also been identified throughout the code. These might be abused in certain setups but do not seem to pose a big risk to the users of Unbound. The same seems true for an eval() on untrusted input in one of the Python examples.

If you are interested in working with us on such projects in the future, ping us!