From nobody Thu Mar 28 07:51:02 2024 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4V4whQ2nMHz5GQWY for ; Thu, 28 Mar 2024 07:51:02 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4V4whQ0kzqz4mPl; Thu, 28 Mar 2024 07:51:02 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1711612262; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=qVo+gXfJwrMZcPMk2LsBM5CxADMdJFGB7tgZ3q4SCX4=; b=KS7mQ8lwDRVApVO00PZbRUuDGMOdSQGQkJ+suv8P9IxHq7PS3FApj6NGfU5VSYk128oBk2 4pGmETxDNv5KBavUASX/FHlkydTe8i2TnBaulk97c4fQ3eykXkaUW0DIFUnIAcGvfcddsr PycTfv5pdoBfnEk9WE/ATWAxg6hzofZhyBHSfV33wapfOBeKdjJ4h+vU3dbwotpSHCkCoz xNh9Qy8Sgw9srrsHEzv65g05jniea9qpobHinghqxCzNNlzoo5c/VUzivghxBazc+Hrvqg HuxhgULC3vs4t8vSZBw517eyrYBXNIRGy/tDAGFyp318bOGLnoMRk942pvU+BA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1711612262; a=rsa-sha256; cv=none; b=HiX1pNXiYKLZkbQZO1PXVOJXEVJkfEM9P71RZYge9949FLc+s54lfG66ochaDr31gxJ9vI YuyFHs159d2lm64KVaS4c1T5mQd1iF6UmbOAm/SJJKQQulvrra4Uy7KSZuBAhT/HkRwiXi qJwoFD/vCZySl7vShEYsiNe1MljVdhYl/Unl2/nbkZT6F9o+5KhHSY1ndLN8lrrpSLHLfF XLMVHCyWrX1kFjw6p2SmBXjRQDpgX/0R98IwxipHvjXJqsc+KkGU3jKL7Lc1n+UTJ2e3lv 1Q8T6u8pcCezSbUFEmgTCN5ysbD9bItmtdnNd9iFsg1qMo2jEpSut4XKajhTsw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1711612262; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=qVo+gXfJwrMZcPMk2LsBM5CxADMdJFGB7tgZ3q4SCX4=; b=UvoGeZXqfrBaLGpLipdeNYbjGkuLVY3uPl27FbuYg7BmpXjbHY5Jqj7goayB1y7iCi13qs Pn3cNlNz6HQ0O+j/tvVl16UMz4e/6sJP460YqH5Ni/QfxvmazjSqDILq8UvHxxtY2EUqgS ABOfsF/nAlrN64eTLFFbc7FsCNwpEzuiQ6zvPL1MvnC7yhSLN5LGkQti1eQS/grBrcsoHh kpPVc0P1/tVrvPnie+38O4FlwunVJqTEjCfx9yqNjIyC4Km5WcLgnyC8O+qmSaYeUKHUKK KUP3DVx6HmpBTK2Z0ExVxIcWzuwQ+EecoO2QPGAOBGhN/ZUB7jPAz8RpQBsNAQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id 0A37532C6; Thu, 28 Mar 2024 07:51:02 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20240328075102.0A37532C6@freefall.freebsd.org> Date: Thu, 28 Mar 2024 07:51:02 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-announce@freebsd.org X-BeenThere: freebsd-announce@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:03.unbound Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in unbound Category: contrib Module: unbound Announced: 2024-03-28 Affects: FreeBSD 13.2 and FreeBSD 14.0 Corrected: 2024-02-17 13:45:44 UTC (stable/14, 14.0-STABLE) 2024-03-28 05:06:26 UTC (releng/14.0, 14.0-RELEASE-p6) 2024-02-17 13:45:44 UTC (stable/13, 13.2-STABLE) 2024-03-28 05:07:55 UTC (releng/13.2, 13.2-RELEASE-p11) CVE Name: CVE-2023-50387, CVE-2023-50868 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Unbound is a validating, recursive, and caching DNS resolver. II. Problem Description The KeyTrap vulnerability (CVE-2023-50387) works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path. The NSEC3 vulnerability (CVE-2023-50868) uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path. III. Impact Both issues can force Unbound to spend an enormous time (comparative to regular traffic) validating a single specially crafted DNSSEC response while everything else is on hold for that thread. A trivially orchestrated attack could render all threads busy with such responses leading to denial of service. IV. Workaround No workaround is available. Systems not running Unbound are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 14.0] # fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-14.patch # fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-14.patch.asc # gpg --verify unbound-14.patch.asc [FreeBSD 13.2] # fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-13.patch # fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-13.patch.asc # gpg --verify unbound-13.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -p0 < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ e2b44c401cc2 stable/14-n266696 releng/14.0/ c189b94f8a22 releng/14.0-n265416 stable/13/ abe4ced2b9de stable/13-n257436 releng/13.2/ d9d90e5e42f6 releng/13.2-n254664 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGa4ACgkQbljekB8A Gu8Oxw/9HrzGZVx0FsUb8dhvf6Hlcfy3B0RNjxcnvvBm+P/V0+WSEaFTod9YaonO GN331SXI1blvqfCpOz2TLiOvHjWDPCcb8bb9YqQXRId4axnpxCCzIY0HkxgXFNDu XgXwM4JYapmWis/pOxifRXnB087lwbkfVx/0iOTeA0XUFoRRIbooiL/6H76hOmq7 XR5moI8xYyAX5Xh+5/6yZgd+A+0n/KfQnOEpA7Ex9MWC17co+RGOP1JUZYIFHhAc W/vNuL23UWqR1TjMgVWTHEvVBTrUPEiDfp2Z1LiQexH9IaQ4cePu7qrWlzAo7rr6 6Cf3DybH9IxALQQSSKq1JWNqQFOWvpXCy5JKBua+Z7kcFHR5tmAgolqGLGJ629Ko GNwsSUTZ8SzwupJ93boMaD4jF2t+zOXvBvceYywZEEvd2gq2zkfMV6WJwtUUOvdm z7Z7AejUFONrQyYps4rcKCthnQOLHtzcPUQom68KpUACsdOr1hkA0VOCf5HRrEe6 DpwM9PX1T3eiHSq1eZj2MMkz+Cw/DJK+wegkULRxg2ZOmWKA2U8df+Qj1RYpX4QT JrPSHh4EqovfrB5H0uUgfLWBgAzGBLEeFKAMA+omlEaELyNzvG/4xv8eJVtjTG+D EEQCXVTJmws/ZFDC2vJhVR6vdAwMuPz8YkBtcQkqnNcF+zzbcEk= =PELN -----END PGP SIGNATURE-----