FreeBSD Security Advisory FreeBSD-SA-24:03.unbound

From: FreeBSD Security Advisories <security-advisories_at_freebsd.org>
Date: Thu, 28 Mar 2024 07:51:02 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-24:03.unbound                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in unbound

Category:       contrib
Module:         unbound
Announced:      2024-03-28
Affects:        FreeBSD 13.2 and FreeBSD 14.0
Corrected:      2024-02-17 13:45:44 UTC (stable/14, 14.0-STABLE)
                2024-03-28 05:06:26 UTC (releng/14.0, 14.0-RELEASE-p6)
                2024-02-17 13:45:44 UTC (stable/13, 13.2-STABLE)
                2024-03-28 05:07:55 UTC (releng/13.2, 13.2-RELEASE-p11)
CVE Name:       CVE-2023-50387, CVE-2023-50868

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Unbound is a validating, recursive, and caching DNS resolver.

II.  Problem Description

The KeyTrap vulnerability (CVE-2023-50387) works by using a combination of Keys
(also colliding Keys), Signatures and number of RRSETs on a malicious zone.
Answers from that zone can force a DNSSEC validator down a very CPU intensive
and time costly validation path.

The NSEC3 vulnerability (CVE-2023-50868) uses specially crafted responses on a
malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a
very CPU intensive and time costly NSEC3 hash calculation path.


III. Impact

Both issues can force Unbound to spend an enormous time (comparative to regular
traffic) validating a single specially crafted DNSSEC response while everything
else is on hold for that thread.  A trivially orchestrated attack could render
all threads busy with such responses leading to denial of service.

IV.  Workaround

No workaround is available.  Systems not running Unbound are not affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 14.0]
# fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-14.patch
# fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-14.patch.asc
# gpg --verify unbound-14.patch.asc

[FreeBSD 13.2]
# fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-13.patch
# fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-13.patch.asc
# gpg --verify unbound-13.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch -p0 < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              e2b44c401cc2    stable/14-n266696
releng/14.0/                            c189b94f8a22  releng/14.0-n265416
stable/13/                              abe4ced2b9de    stable/13-n257436
releng/13.2/                            d9d90e5e42f6  releng/13.2-n254664
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:03.unbound.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGa4ACgkQbljekB8A
Gu8Oxw/9HrzGZVx0FsUb8dhvf6Hlcfy3B0RNjxcnvvBm+P/V0+WSEaFTod9YaonO
GN331SXI1blvqfCpOz2TLiOvHjWDPCcb8bb9YqQXRId4axnpxCCzIY0HkxgXFNDu
XgXwM4JYapmWis/pOxifRXnB087lwbkfVx/0iOTeA0XUFoRRIbooiL/6H76hOmq7
XR5moI8xYyAX5Xh+5/6yZgd+A+0n/KfQnOEpA7Ex9MWC17co+RGOP1JUZYIFHhAc
W/vNuL23UWqR1TjMgVWTHEvVBTrUPEiDfp2Z1LiQexH9IaQ4cePu7qrWlzAo7rr6
6Cf3DybH9IxALQQSSKq1JWNqQFOWvpXCy5JKBua+Z7kcFHR5tmAgolqGLGJ629Ko
GNwsSUTZ8SzwupJ93boMaD4jF2t+zOXvBvceYywZEEvd2gq2zkfMV6WJwtUUOvdm
z7Z7AejUFONrQyYps4rcKCthnQOLHtzcPUQom68KpUACsdOr1hkA0VOCf5HRrEe6
DpwM9PX1T3eiHSq1eZj2MMkz+Cw/DJK+wegkULRxg2ZOmWKA2U8df+Qj1RYpX4QT
JrPSHh4EqovfrB5H0uUgfLWBgAzGBLEeFKAMA+omlEaELyNzvG/4xv8eJVtjTG+D
EEQCXVTJmws/ZFDC2vJhVR6vdAwMuPz8YkBtcQkqnNcF+zzbcEk=
=PELN
-----END PGP SIGNATURE-----