UNBOUND

We take security very seriously. If you have found a security issue in Unbound, please contact us and we will reply within 24 hours. Please allow us a reasonable timeframe to formulate a response and do not send security issues to public lists. If desired, we will fully credit the reporter.

If a flaw is found we intend to provide security patches, for free, to the general public. In addition, we strive to be transparent about the nature, cause and impact of security flaws. Since the announcement of a security flaw may trigger the creation of exploits, we strive to balance transparency about flaws with the impact exploits might have on the Internet and its users.

We will follow specific internal guidelines, though circumstances may force us to not apply this policy in full. End of support for the software by NLnet Labs will be publicly announced two years in advance. All security vulnerabilities will be identified with a dedicated CERT vulnerability tracking numbers.

In general, the security patches are distributed according to the following priority:

  1. Customers with a Gold support contract and the party that reported the vulnerability, under non-disclosure
  2. Special Interest groups, under non-disclosure. These are entities that operate Unbound in an environment that is critical to the general public, as well as known Open Source platform Operating System maintainers
  3. Customers with a Silver support contract, under non-disclosure
  4. Customers with a Bronze support contract, under non-disclosure
  5. The general public

With regards to these five groups, we will take the following considerations:

  • The time scale on which publish/distribute security patches differently depending on the nature of the security issue. If the issue is widely known or exploited at the moment we have developed a patch (zero day) we intend to release the patch as soon as possible to the widest audience possible, which collapses stages 1 through 5 above to the order of days.
  • If the issue is not yet public, we intend to release security patches to the general public on a short timescale, in the order of weeks.
  • If we cannot find a fix for the security vulnerability, we obviously cannot provide code and may seek assistance. In order to prevent zero-day exploits information about (the existence of) these types of vulnerabilities may only be shared under non-disclosure with category 1, and if circumstances dictate with category 2.
  • We provide patches for the latest released software version i.e. the latest major, minor, patch level release.
  • In general, we provide support for the previous major release for one year after its deprecation. We therefore also provide security patches for major releases from one year past. A major release is the increment in the first version number.

Please keep in mind that Unbound is made available under the BSD license and comes with ABSOLUTELY NO WARRANTY.


Vulnerability in the processing of wildcard synthesized NSEC records

Date:2018-01-23
CVE:CVE-2017-15105
Credit:Ralph Dolmans (NLnet Labs), Karst Koymans (University of Amsterdam)
Affects:Unbound 1.6.7 and earlier versions
Not affected:Other versions
Severity:Medium
Impact:The wildcard NSEC record can be used to prove the non-existence (NXDOMAIN answer) of an existing wildcard record.
Solution:Download patched version of Unbound, or apply the patch manually.

We discovered a vulnerability in the processing of wildcard synthesized NSEC records. While synthesis of NSEC records is allowed by RFC4592, these synthesized owner names should not be used in the NSEC processing. This does, however, happen in Unbound 1.6.7 and earlier versions.

Unbound 1.6.8 contains a patch. If you cannot upgrade you can also apply the patch manually. To do this, apply the patch on Unbound source directory with patch -p0 < filename, then run make install to install Unbound.

A special thanks goes out to Karst Koymans (University of Amsterdam) for sparking the discovery of this vulnerability by Ralph Dolmans (NLnet Labs).


Ghost domain names attack

Date:2012-02-17
CVE:CVE-2012-1192
Credit:ISC
Affects:Unbound 1.4.11 and earlier versions
Not affected:Other versions
Severity:Medium
Impact:Remote attackers can trigger continued resolvability of revoked domain names
Solution:Upgrade to a newer version of Unbound

The resolver in Unbound before 1.4.11 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack. To resolve this issue, upgrade to a newer version of Unbound.


Incorrect proof processing for NSEC3-signed zone

Date:2011-12-20
CVE:CVE-2011-4869
Affects:Unbound 1.4.13p2 and earlier versions
Not affected:Other versions
Severity:Medium
Impact:Denial of service (daemon crash)
Exploit:DNS servers can send a malformed response that lacks expected NSEC3 records
Solution:Upgrade to a newer version of Unbound

validator/val_nsec3.c in Unbound before 1.4.13p2 does not properly perform proof processing for NSEC3-signed zones, which allows remote DNS servers to cause a denial of service (daemon crash) via a malformed response that lacks expected NSEC3 records, a different vulnerability than CVE-2011-4528.

Unbound 1.4.14 contains a patch, but 1.4.14rc1 is vulnerable. If you cannot upgrade you can also apply a patch. For unbound version 1.4.0 - 1.4.13, apply this patch and for version 1.0.1 - 1.3.4 use this patch. To do this, apply the patch on Unbound source directory with patch -p0 < filename, then run make install to install Unbound.


Processing of duplicate CNAME records in a signed zone

Date:2011-12-20
CVE:CVE-2011-4528
Affects:Unbound 1.4.13p2 and earlier versions
Not affected:Other versions
Severity:Medium
Impact:Denial of service (daemon crash)
Exploit:Remotely send a crafted response
Solution:Upgrade to a newer version of Unbound

Unbound crashes when confronted with a non-standard response from a server for a domain. This domain produces duplicate RRs from a certain type and is DNSSEC signed. Unbound also crashes when confronted with a query that eventually, and under specific circumstances, resolves to a domain that misses expected NSEC3 records.

Unbound 1.4.14 contains a patch, but 1.4.14rc1 is vulnerable. If you cannot upgrade you can also apply a patch. For unbound version 1.4.0 - 1.4.13, apply this patch and for version 1.0.1 - 1.3.4 use this patch. To do this, apply the patch on Unbound source directory with patch -p0 < filename, then run make install to install Unbound.