#12786 closed enhancement (fixed)

unbound-1.9.5 (CVE-2019-18934)

Reported by: Douglas R. Reno
Owned by: Bruce Dubbs
Priority: high
Milestone: 9.1
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

New point version

Hi,

Below is a copy of Unbound's CVE description that can be found at
https://nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt

Regards,
Ralph

==

The CVE number for this vulnerability is CVE-2019-18934

== Summary
Recent versions of Unbound contain a vulnerability that can cause shell
code execution after receiving a specially crafted answer. This issue
can only be triggered if unbound was compiled with `--enable-ipsecmod`
support, and ipsecmod is enabled and used in the configuration.

== Affected products
Unbound 1.6.4 up to and including 1.9.4.

== Description
Due to unsanitized characters passed to the ipsecmod-hook shell command,
it is possible for Unbound to allow shell code execution from a
specially crafted IPSECKEY answer.

This issue can only be triggered when *all* of the below conditions are met:
* unbound was compiled with `--enable-ipsecmod` support, and
* ipsecmod is enabled and used in the configuration (either in the
  configuration file or using `unbound-control`), and
* a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is
  used), and
* unbound receives an A/AAAA query for a domain that has an A/AAAA
  record(s) *and* an IPSECKEY record(s) available.

The shell code execution can then happen if either the qname or the
gateway field of the IPSECKEY (when gateway type == 3) contain a
specially crafted domain name.

== Solution
Download patched version of Unbound, or apply the patch manually.

+ Downloading patched version
Unbound 1.9.5 is released with the patch
https://nlnetlabs.nl/downloads/unbound/unbound-1.9.5.tar.gz

+ Applying the Patch manually
For Unbound 1.6.4 up to and including 1.9.4 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_cve_2019-18934.diff

Apply the patch on the Unbound source directory with:
'patch -p1 < patch_cve_2019-18934.diff'
then run 'make install' to install Unbound.

== Acknowledgments
We would like to thank X41 D-Sec for notifying us about this
vulnerability and OSTIF for sponsoring the Unbound security audit.
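The command-assembly pattern the advisory describes, as an added example that is not Unbound's code and not the fix NLnet Labs shipped: a hook command line built from the qname and the IPSECKEY fields of an answer, next to a hardened builder that refuses any field containing a character outside a strict allowlist. The hook path, the argument order and every sample value are assumptions made for the illustration; the real ipsecmod-hook interface is documented in unbound.conf(5).

```c
/* Added example (not Unbound's code): the command-assembly pattern behind
 * CVE-2019-18934 and a hardened variant that refuses crafted names.
 * HOOK_PATH, the argument order and all sample values are assumptions. */
#include <stdio.h>
#include <string.h>

#define HOOK_PATH "/usr/local/sbin/ipsecmod-hook"   /* assumed hook location */
#define GATEWAY_TYPE_DOMAIN 3                       /* IPSECKEY gateway type 3 */

/* Vulnerable pattern: fields taken straight from the DNS answer are pasted
 * into one command line that is then handed to /bin/sh via system().  A
 * qname such as "a.example.com.;id" terminates the hook command and starts
 * a second one; nothing here objects. */
int build_hook_command_unsafe(char *out, size_t outlen, const char *qname,
                              const char *gateway, const char *pubkey)
{
    int n = snprintf(out, outlen, "%s %s %s %s", HOOK_PATH, qname, gateway, pubkey);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allowlist for a domain name in presentation form: ASCII letters, digits,
 * '-', '.' and '_' only.  Explicit ranges instead of isalnum() so the result
 * does not depend on the process locale.  Everything else, including ';',
 * '$', '`', quotes, spaces and the \DDD escapes of odd label bytes, fails. */
int dns_name_is_shell_safe(const char *name)
{
    const char *p;
    if (name == NULL || *name == '\0')
        return 0;
    for (p = name; *p; p++) {
        char c = *p;
        if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
            (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_')
            continue;
        return 0;
    }
    return 1;
}

/* The advisory names only the qname and the type-3 gateway as vectors, but
 * every field that reaches the shell deserves its own allowlist; this one
 * admits the base64 alphabet of the public key and nothing else. */
int base64_is_shell_safe(const char *s)
{
    const char *p;
    if (s == NULL || *s == '\0')
        return 0;
    for (p = s; *p; p++) {
        char c = *p;
        if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
            (c >= '0' && c <= '9') || c == '+' || c == '/' || c == '=')
            continue;
        return 0;
    }
    return 1;
}

/* Hardened builder: validate first, format second.  Gateway types other
 * than 3 carry an IP address rather than a name and are outside this
 * example, so they are rejected rather than half-handled. */
int build_hook_command_safe(char *out, size_t outlen, const char *qname,
                            int gateway_type, const char *gateway,
                            const char *pubkey)
{
    if (gateway_type != GATEWAY_TYPE_DOMAIN)
        return -1;
    if (!dns_name_is_shell_safe(qname) || !dns_name_is_shell_safe(gateway) ||
        !base64_is_shell_safe(pubkey))
        return -1;
    return build_hook_command_unsafe(out, outlen, qname, gateway, pubkey);
}

/* Wrapper for checks: 1 if the hardened builder accepts the input, else 0. */
int hook_input_accepted(const char *qname, int gateway_type,
                        const char *gateway, const char *pubkey)
{
    char buf[512];
    return build_hook_command_safe(buf, sizeof buf, qname, gateway_type,
                                   gateway, pubkey) == 0;
}

int main(void)
{
    /* Constructed inputs; the key is a sample base64 string, not a real key. */
    const char *key = "AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==";
    const char *crafted = "a.example.com.;id";
    char cmd[512];

    if (build_hook_command_unsafe(cmd, sizeof cmd, crafted, "gw.example.net.", key) == 0)
        printf("unsafe build accepts:  %s\n", cmd);   /* a shell would run "id" */
    if (build_hook_command_safe(cmd, sizeof cmd, crafted, 3, "gw.example.net.", key) < 0)
        printf("safe build rejects the crafted qname\n");
    if (build_hook_command_safe(cmd, sizeof cmd, "a.example.com.", 3, "gw.example.net.", key) == 0)
        printf("safe build accepts:    %s\n", cmd);
    return 0;
}
```

The allowlist is deliberately narrower than what DNS permits: a label may contain any byte, so a legitimate but unusual name is refused rather than escaped, which is the right trade for a hook that feeds a shell. The stronger fix on top of it is to keep /bin/sh out of the path entirely and fork/execv the hook with each field as its own argv entry, so metacharacters are never interpreted; the allowlist still earns its keep as defence in depth, because the hook itself is often a shell script that re-expands its arguments.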

Change History (3)

comment:1 by Bruce Dubbs, 20 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Bruce Dubbs, 20 months ago

Summary: unbound-1.9.4 (CVE-2019-18934) → unbound-1.9.5 (CVE-2019-18934)

New version is 1.9.5.

comment:3 by Bruce Dubbs, 20 months ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 22395.
