Debian dla-4280 : libunbound-dev - security update

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-4280. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(254407);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/08/24");

  script_cve_id(
    "CVE-2024-33655",
    "CVE-2024-43167",
    "CVE-2024-43168",
    "CVE-2025-5994"
  );

  script_name(english:"Debian dla-4280 : libunbound-dev - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dla-4280 advisory.

    -------------------------------------------------------------------------
    Debian LTS Advisory DLA-4280-1                [email protected]
    https://www.debian.org/lts/security/                       Guilhem Moulin
    August 24, 2025                               https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : unbound
    Version        : 1.13.1-1+deb11u5
    CVE ID         : CVE-2024-33655 CVE-2025-5994
    Debian Bug     : 1109427

    Vulnerabilities were found in unbound, a validating, recursive, and
    caching DNS resolver, which may lead to Denial of Service or cache
    poisoning.

    CVE-2024-33655

        The DNSBomb attack, via specially timed DNS queries and answers, can
        cause a Denial of Service on resolvers and spoofed targets.

        While Unbound itself is not vulnerable for DoS, it can be used to
        take part in a pulsing DoS amplification attack.

        Configuration options have been added to help mitigate the impact by
        trying to shrink the DNSBomb window so that the impact of the DoS
        from Unbound is significantly lower than it used to be:

          * discard-timeout: 1900
            After 1900 ms a reply to the client will be dropped.  Unbound
            would still work on the query but refrain from replying in order
            to not accumulate a huge number of old replies.  Legitimate
            clients retry on timeouts.

          * wait-limit: 1000
            Limits the amount of client queries that require recursion
            (cache-hits are not counted) per IP address.  More recursive
            queries than the allowed limit are dropped.
            wait-limit: 0 disables all wait limits.

          * wait-limit-netblock
            These do not have a default value but they can fine grain
            configuration for specific netblocks.

    CVE-2025-5994

        Resolvers supporting ECS need to segregate outgoing queries to
        accommodate for different outgoing ECS information.  This re-opens
        up resolvers to a birthday paradox attack (Rebirthday Attack) that
        tries to match the DNS transaction ID in order to cache non-ECS
        poisonous replies.

        Unbound now includes a fix that disregards replies that came back
        without ECS when ECS was expected.

    This update also includes follow-up upstream fixes and improvements for
    CVE-2024-43167 and CVE-2024-43168.

    For Debian 11 bullseye, these problems have been fixed in version
    1.13.1-1+deb11u5.

    We recommend that you upgrade your unbound packages.

    For the detailed security status of unbound please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/unbound

    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://wiki.debian.org/LTS
    Attachment:
    signature.asc
    Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/unbound");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2024-33655");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2024-43167");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2024-43168");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2025-5994");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/unbound");
  script_set_attribute(attribute:"solution", value:
"Upgrade the libunbound-dev packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_supplemental", value:"CVSS:4.0/R:U/V:C");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-5994");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2024-43168");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/05/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/08/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/08/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libunbound-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libunbound8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python3-unbound");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:unbound");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:unbound-anchor");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:unbound-host");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(11)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '11.0', 'prefix': 'libunbound-dev', 'reference': '1.13.1-1+deb11u5'},
    {'release': '11.0', 'prefix': 'libunbound8', 'reference': '1.13.1-1+deb11u5'},
    {'release': '11.0', 'prefix': 'python3-unbound', 'reference': '1.13.1-1+deb11u5'},
    {'release': '11.0', 'prefix': 'unbound', 'reference': '1.13.1-1+deb11u5'},
    {'release': '11.0', 'prefix': 'unbound-anchor', 'reference': '1.13.1-1+deb11u5'},
    {'release': '11.0', 'prefix': 'unbound-host', 'reference': '1.13.1-1+deb11u5'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libunbound-dev / libunbound8 / python3-unbound / unbound / etc');
}