Opened 7 months ago
Closed 7 months ago
#21862 closed enhancement (fixed)
unbound-1.23.1
| Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | elevated | Milestone: | 12.4 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
New point version.
Change History (3)
comment:1 by , 7 months ago
| Owner: | changed from to |
|---|---|
| Priority: | normal → elevated |
| Status: | new → assigned |
comment:2 by , 7 months ago
Release notes:
Bug Fixes: Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from AOSP Lab Nankai University.
Information on the attack:
Cache poisoning via the ECS-enabled Rebirthday Attack
Date: 2025-07-16
CVE: CVE-2025-5994
Credit: Xiang Li (AOSP Lab, Nankai University)
Affects: Unbound 1.6.2 up to and including version 1.23.0 compiled and configured for ECS support
Not affected: Other versions or all non-ECS enabled versions
Severity: High (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/V:C)
Impact: Cache poisoning
Solution: Download patched version of Unbound, or apply the patch manually

A multi-vendor cache poisoning vulnerability named "Rebirthday Attack" has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., --enable-subnet, AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the send-client-subnet, client-subnet-zone or client-subnet-always-forward options is used.

Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies. A malicious actor can then exploit the Rebirthday Attack in two steps. First, send queries to Unbound that would result in segregated ECS outbound traffic from Unbound for a single domain. Second, send non-ECS poisonous replies to Unbound trying to guess the DNS transaction ID before the real answer from the upstream name server arrives.

Unbound version 1.23.1 includes a fix that disregards replies that came back without ECS when ECS was expected. Instead it creates a non-ECS sub query, that could be aggregated with other such queries, to explicitly query for the non-ECS authoritative answer. The re-introduced query aggregation then defeats the Rebirthday Attack.

Unbound 1.23.1 contains a patch. If you cannot upgrade you can also apply the patch manually. To do this, apply the patch on the Unbound source directory with patch -p1 < patch_CVE-2025-5994_2.diff and then run make install to install Unbound.
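The advisory quoted above names three conditions that must all hold for an Unbound install to be exposed: a version from 1.6.2 up to and including 1.23.0, a build with --enable-subnet, and a configuration that sets at least one of send-client-subnet, client-subnet-zone or client-subnet-always-forward. The following is an added example (not from the ticket, the advisory, or the Unbound project) that turns those conditions into an exposure check an administrator can run against the output of `unbound -V` and the contents of unbound.conf. It assumes `unbound -V` prints a "Version X.Y.Z" line and a "Configure line:" line (the sample output and configuration embedded below are constructed for the example); the option-name parsing is deliberately simple and does not handle every valid unbound.conf layout.

```python
import re

# Affected range from the advisory: 1.6.2 up to and including 1.23.0.
# 1.23.1 carries the fix, so it falls outside the range.
AFFECTED_MIN = (1, 6, 2)
AFFECTED_MAX = (1, 23, 0)

# Options that make Unbound send ECS data upstream (named in the advisory).
ECS_SEND_OPTIONS = (
    "send-client-subnet",
    "client-subnet-zone",
    "client-subnet-always-forward",
)


def parse_version(version_output):
    """Return the (major, minor, patch) tuple from `unbound -V` output."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no 'Version X.Y.Z' line found in unbound -V output")
    return tuple(int(part) for part in m.groups())


def built_with_subnet(version_output):
    """True if the 'Configure line:' shows the build used --enable-subnet."""
    m = re.search(r"Configure line:(.*)", version_output)
    return bool(m) and "--enable-subnet" in m.group(1)


def ecs_send_options(conf_text):
    """List the ECS send options set in a (simplified) unbound.conf text.

    Comments after '#' are stripped; an option counts only when it starts
    a line, which is how the options appear in a typical server: clause.
    """
    found = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        for opt in ECS_SEND_OPTIONS:
            if line.startswith(opt + ":") and opt not in found:
                found.append(opt)
    return found


def assess(version_output, conf_text):
    """Combine the three advisory conditions into one exposure verdict."""
    version = parse_version(version_output)
    in_range = AFFECTED_MIN <= version <= AFFECTED_MAX
    subnet_build = built_with_subnet(version_output)
    options = ecs_send_options(conf_text)
    return {
        "version": version,
        "in_affected_range": in_range,
        "subnet_build": subnet_build,
        "ecs_send_options": options,
        # All three must hold for CVE-2025-5994 to apply.
        "affected": in_range and subnet_build and bool(options),
    }


# Constructed sample `unbound -V` output (format assumed; not captured
# from a real system) and a constructed unbound.conf fragment.
SAMPLE_VERSION_OUTPUT = """Version 1.23.0

Configure line: --prefix=/usr --sysconfdir=/etc --enable-subnet
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.0
"""

SAMPLE_CONF = """server:
    interface: 127.0.0.1
    # ECS data is forwarded for this zone:
    client-subnet-zone: example.test.
    send-client-subnet: 192.0.2.0/24  # constructed upstream address
"""


def main():
    result = assess(SAMPLE_VERSION_OUTPUT, SAMPLE_CONF)
    for key, value in result.items():
        print(f"{key}: {value}")
    if result["affected"]:
        print("Mitigation: upgrade to Unbound 1.23.1 or apply the CVE-2025-5994 patch.")


if __name__ == "__main__":
    main()
```

A build without --enable-subnet, or a configuration with none of the three options, reports `affected: False` even inside the version range, matching the advisory's "Not affected" line; the check is a configuration audit only and sends no DNS traffic.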
comment:3 by , 7 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at ff13ca3a087bb0eb85d8dcef509483e80a8afb72
SA-12.3-075 issued

Contains a fix for CVE-2025-5994.