From: Gordon Tetlow <gordon@tetlows.org>
To: "Wall, Stephen"
Cc: freebsd-security@freebsd.org
Subject: Re: CVE 2024 1931 - unbound
Date: Mon, 8 Jul 2024 06:48:36 +0800
List-Archive: https://lists.freebsd.org/archives/freebsd-security

> On Jul 3, 2024, at 9:00 PM, Wall, Stephen wrote:
>
>> From: Dag-Erling Smørgrav
>> The base system unbound is meant to be used with a configuration generated by
>> `local-unbound-setup`, which never enables the `ede` option which is a
>> prerequisite for the DoS attack described in CVE-2024-1931.
>
> Thanks for your reply.
>
> Local_unbound_setup supports dropping additional config files in /var/unbound/conf.d, which will be loaded by unbound. Files in this directory are not altered by local_unbound_setup. This implies, to me, that customization of the base unbound is specifically supported, meaning any FreeBSD site could potentially have ede enabled, and therefore be vulnerable to this CVE.
> It's my opinion that this warrants at least an advisory cautioning users of FreeBSD not to enable ede, if not a patch to address it.

Local DoS's do not get security advisories (logic here is a local user has a million ways to DoS a system). If the user has messed with the configuration of the local_unbound resolver to open it up to the network and get DoS'd from the remote network, I don't feel this is something secteam is responsible for responding to.

Unbound exists as a port/pkg for the purposes of someone setting up a non-local resolver.
Best regards,
Gordon
Hat: security-officer
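The thread turns on two conditions: whether a site has set `ede: yes` (the prerequisite the thread names for CVE-2024-1931) in `unbound.conf` or a `conf.d` drop-in, and whether the resolver has been opened up to the network instead of listening only on loopback. The following check script is an added example, not code from the thread or from FreeBSD; it assumes the default `/var/unbound` layout, treats the files as flat `key: value` lines (it does not follow `include:` directives), and its function names are hypothetical.

```shell
#!/bin/sh
# Audit a local_unbound configuration tree for the two conditions discussed
# in the thread: `ede: yes` anywhere in the effective config, and an
# `interface:` that binds something other than loopback.
# Usage: unbound_ede_exposure /var/unbound

# Print effective (uncommented, trimmed) "key: value" lines from unbound.conf
# and every conf.d/*.conf drop-in. include: directives are not followed.
unbound_effective_lines() {
    dir=$1
    for f in "$dir/unbound.conf" "$dir"/conf.d/*.conf; do
        [ -f "$f" ] || continue
        sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$f" \
          | grep -v '^$'
    done
}

# Exit 0 if ede is enabled in any file, 1 otherwise.
unbound_ede_enabled() {
    unbound_effective_lines "$1" | grep -Eiq '^ede:[[:space:]]*yes$'
}

# Exit 0 if any interface: line binds a non-loopback address (e.g. 0.0.0.0,
# ::0, a LAN address), 1 if every listener is 127.x, ::1 or localhost.
# Unbound's own default, when no interface: is given, is loopback only.
unbound_listens_on_network() {
    unbound_effective_lines "$1" \
      | grep -Ei '^interface:' \
      | sed -E 's/^[Ii]nterface:[[:space:]]*//' \
      | grep -Evq '^(127\.[0-9.]+|::1|localhost)(@[0-9]+)?$'
}

# Combined verdict: exit 0 (and warn) only when both conditions hold,
# i.e. ede is on AND the resolver is reachable from the network.
unbound_ede_exposure() {
    if unbound_ede_enabled "$1" && unbound_listens_on_network "$1"; then
        echo "WARNING: ede enabled and non-loopback listener configured in $1"
        return 0
    fi
    echo "OK: no combined ede/network exposure found in $1"
    return 1
}
```

Run it against the real tree with `unbound_ede_exposure /var/unbound`; a commented-out `# ede: yes` is correctly ignored.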