Amazon Linux 2 : unbound, --advisory ALAS2-2026-3322 (ALAS-2026-3322)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2026-3322.
##

include('compat.inc');

if (description)
{
  script_id(319844);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/08");

  script_cve_id(
    "CVE-2026-33278",
    "CVE-2026-41292",
    "CVE-2026-42534",
    "CVE-2026-42923",
    "CVE-2026-42959",
    "CVE-2026-42960",
    "CVE-2026-44390"
  );

  script_name(english:"Amazon Linux 2 : unbound, --advisory ALAS2-2026-3322 (ALAS-2026-3322)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of unbound installed on the remote host is prior to 1.7.3-15. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2-2026-3322 advisory.

    NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator
    that enables denial of service and possible remote code execution as a result of deep copying a data
    structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by
    controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend
    validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-
    copies response messages to preserve them across memory region teardown. A struct-assignment bug
    overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the
    resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary
    code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep
    copying the data structure. (CVE-2026-33278)

    NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack
    related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS
    options can hold Unbound threads hostage while they are parsing and creating internal data structures for
    the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1
    contains a patch with a fix to limit acceptable incoming EDNS options (100). (CVE-2026-41292)

    NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could
    defeat its purpose and degrade resolution performance. Retransmits of the same query could renew the age
    of slow running queries and not allow the jostle logic to see them as aged and potential targets for
    replacement with new queries. An adversary who can query a vulnerable Unbound and who can control a domain
    name server that replies slowly and/or maliciously to Unbound's queries can exploit the vulnerability and
    degrade the resolution performance of Unbound. When Unbound's 'num-queries-per-thread' reaches its limit,
    the jostle logic kicks in. When a new query comes in, half of the available queries that are also slow to
    resolve are candidates for replacement. The vulnerability then happens because duplicate queries that need
    resolution would skew the aging result by using the timestamp of the latest duplicate query instead of the
    original one that started the resolution effort. Cache and local data response performance remains
    unaffected. Coordinated attacks could raise this to a denial of resolution service. Unbound 1.25.1
    contains a patch with a fix to attach an initial, non-updatable start time for incoming queries that allow
    the jostle logic to work as intended. (CVE-2026-42534)

    NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where
    the code path to consult the negative cache for DS records does not take into account the limit on NSEC3
    hash calculations introduced in 1.19.1. This leads to degradation of service during the attack. An
    adversary that controls a DNSSEC signed zone can exploit this by signing NSEC3 records with acceptably
    high iterations for child delegations and querying a vulnerable Unbound. Unbound will keep performing the
    allowed hash calculations on the NSEC3 records and will not limit the work by the mitigation introduced in
    1.19.1. As a side effect, a global lock for the negative cache will be held for the duration of the
    hashing, blocking other threads that need to consult the negative cache. Coordinated attacks could raise
    the vulnerability to denial of service. Unbound 1.25.1 contains a patch with a fix to bound the vulnerable
    code path with the existing limit for NSEC3 hash calculations. (CVE-2026-42923)

    NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC
    validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply
    messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section
    rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease
    the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator
    later dereferences this uninitialized pointer, causing an immediate process crash. An adversary
    controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain
    with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue
    records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write
    offsets. (CVE-2026-42959)

    NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records
    for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be
    used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply
    (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor
    can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by
    address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or
    fragmentation attacks. Unbound would then accept the relative address records in the additional section
    and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the
    delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the
    additional section if they are not explicitly relevant only to authority NS records, mitigating the
    possible poison effect. This is a complement fix to CVE-2025-11411. (CVE-2026-42960)

    NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very
    large RRsets that Unbound needs to perform name compression for. Malicious upstream responses with very
    large RRsets with records that don't share a suffix above the root can cause Unbound to spend a
    considerable time applying name compression to downstream replies. This can lead to degraded performance
    and eventually denial of service in well orchestrated attacks. An adversary can exploit the vulnerability
    by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before
    Unbound replies to the query it will try to apply name compression which was an unbounded operation that
    could lock the CPU until the whole packet was complete. A compression limit was introduced in 1.21.1 for
    this but it didn't account for the case where records would not share any suffix above the root. That
    causes Unbound to go in a different code path because of the compression tree lookup failure and
    eventually not increment the compression counter for those operations. Unbound 1.25.1 contains a patch
    with a fix that increments the compression counter regardless of the compression tree lookup. This is a
    complement fix to CVE-2024-8508. (CVE-2026-44390)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com//AL2/ALAS2-2026-3322.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-33278.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-41292.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-42534.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-42923.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-42959.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-42960.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-44390.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update unbound' or
  or 'yum update --advisory ALAS2-2026-3322' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-33278");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2026-42960");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/06/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python2-unbound");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python3-unbound");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:unbound");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:unbound-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:unbound-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:unbound-libs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'python2-unbound-1.7.3-15.amzn2.0.14', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python2-unbound-1.7.3-15.amzn2.0.14', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python2-unbound-1.7.3-15.amzn2.0.14', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3-unbound-1.7.3-15.amzn2.0.14', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3-unbound-1.7.3-15.amzn2.0.14', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3-unbound-1.7.3-15.amzn2.0.14', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'unbound-1.7.3-15.amzn2.0.14', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'unbound-1.7.3-15.amzn2.0.14', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'unbound-1.7.3-15.amzn2.0.14', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'unbound-debuginfo-1.7.3-15.amzn2.0.14', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'unbound-debuginfo-1.7.3-15.amzn2.0.14', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'unbound-debuginfo-1.7.3-15.amzn2.0.14', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'unbound-devel-1.7.3-15.amzn2.0.14', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'unbound-devel-1.7.3-15.amzn2.0.14', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'unbound-devel-1.7.3-15.amzn2.0.14', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'unbound-libs-1.7.3-15.amzn2.0.14', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'unbound-libs-1.7.3-15.amzn2.0.14', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'unbound-libs-1.7.3-15.amzn2.0.14', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python2-unbound / python3-unbound / unbound / etc");
}