CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
92.9%
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.
Security Fix(es):
bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)
bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)
Security Fix(es):
To mitigate the vulnerability, a new file
“/etc/unbound/conf.d/remote-control.conf” has been added and included in the
main unbound configuration file, “unbound.conf”. The file contains two
directives that should limit access to unbound.conf:
control-interface: "/run/unbound/control"
control-use-cert: "yes"
For details about these directives, run “man unbound.conf”.
Updating to the version of unbound provided by this advisory should, in most
cases, address the vulnerability. To verify that your configuration is not
vulnerable, use the “unbound-control status | grep control” command. If the
output contains “control(ssl)” or “control(namedpipe)”, your configuration is
not vulnerable. If the command output returns only “control”, the configuration
is vulnerable because it does not enforce access only to the unbound group
members. To fix your configuration, add the line “include:
/etc/unbound/conf.d/remote-control.conf” to the end of the file
“/etc/unbound/unbound.conf”. If you use a custom
“/etc/unbound/conf.d/remote-control.conf” file, add the new directives to this
file. (CVE-2024-1488)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
RedHat | 8 | ppc64le | unbound-devel | < 1.7.3-17.el8_6.4 | unbound-devel-1.7.3-17.el8_6.4.ppc64le.rpm |
RedHat | 8 | x86_64 | unbound | < 1.7.3-17.el8_6.4 | unbound-1.7.3-17.el8_6.4.x86_64.rpm |
RedHat | 8 | aarch64 | unbound | < 1.7.3-17.el8_6.4 | unbound-1.7.3-17.el8_6.4.aarch64.rpm |
RedHat | 8 | s390x | unbound-libs | < 1.7.3-17.el8_6.4 | unbound-libs-1.7.3-17.el8_6.4.s390x.rpm |
RedHat | 8 | i686 | python3-unbound-debuginfo | < 1.7.3-17.el8_6.4 | python3-unbound-debuginfo-1.7.3-17.el8_6.4.i686.rpm |
RedHat | 8 | x86_64 | python3-unbound | < 1.7.3-17.el8_6.4 | python3-unbound-1.7.3-17.el8_6.4.x86_64.rpm |
RedHat | 8 | s390x | unbound-devel | < 1.7.3-17.el8_6.4 | unbound-devel-1.7.3-17.el8_6.4.s390x.rpm |
RedHat | 8 | x86_64 | python3-unbound-debuginfo | < 1.7.3-17.el8_6.4 | python3-unbound-debuginfo-1.7.3-17.el8_6.4.x86_64.rpm |
RedHat | 8 | i686 | unbound-libs | < 1.7.3-17.el8_6.4 | unbound-libs-1.7.3-17.el8_6.4.i686.rpm |
RedHat | 8 | i686 | unbound-devel | < 1.7.3-17.el8_6.4 | unbound-devel-1.7.3-17.el8_6.4.i686.rpm |