Maintained by: NLnet Labs

[Unbound-users] VU#209659 CVE-2011-4528: Unbound denial of service vulnerabilities from nonstandard redirection and denial of existence

Florian Weimer
Thu Dec 22 19:47:47 CET 2011


* Florian Weimer:

> * W. C. A. Wijngaards:
>
>> Subject: Unbound denial of service vulnerabilities from nonstandard
>> redirection and denial of existence [ VU#209659 CVE-2011-4528 ]
>
>> These two problems were discovered within 24 hours, hence a combined
>> vulnerability disclosure.
>
> I believe that CVE-2011-4528 only applies to this issue:

I should have mentioned my opinion is based on CD:SF-LOC item 2:

<http://cve.mitre.org/cve/editorial_policies/cd_overview.html>

>> == Description 1: crash on signed duplicate Resource Records
>
> For the other issue, no CVE identifier has been assigned yet, it
> appears.

I've noticed that CVE-2011-4869 has been assigned to the second issue:

| validator/val_nsec3.c in Unbound before 1.4.13p2 does not properly
| perform proof processing for NSEC3-signed zones, which allows remote
| DNS servers to cause a denial of service (daemon crash) via a
| malformed response that lacks expected NSEC3 records, a different
| vulnerability than CVE-2011-4528.

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4869>

Thanks for providing minimal patches, this helps a lot!