Bug 1507049 (CVE-2017-15105)

Summary: CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dmoppert, pemensik, philporada, pj.pandit, pwouters, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: unbound 1.6.8 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way unbound validated wildcard-synthesized NSEC records. An improperly validated wildcard NSEC record could be used to prove the non-existence (NXDOMAIN answer) of an existing wildcard record, or trick unbound into accepting a NODATA proof.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:30:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1536510, 1536518    
Bug Blocks: 1507052    

Description Pedro Sampaio 2017-10-27 14:11:08 UTC 
A vulnerability was discovered in DNSSEC. Processing of wildcard synthesized NSEC records may result in improper validation for non-existance in some implementations of DNSSEC. While synthesis of NSEC records is allowed by RFC4592, the synthesized owner names should not be used in the NSEC processing.
Comment 1 Pedro Sampaio 2017-10-27 14:11:17 UTC 
Acknowledgments:

Name: Ralph Dolmans (NLnet Labs), Karst Koymans (University of Amsterdam)
Comment 5 Adam Mariš 2018-01-19 14:45:24 UTC 
Statement:

This issue affects the versions of unbound as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 6 Adam Mariš 2018-01-19 14:45:28 UTC 
External References:

https://unbound.net/downloads/CVE-2017-15105.txt
Comment 8 Adam Mariš 2018-01-19 14:59:25 UTC 
Created unbound tracking bugs for this issue:

Affects: fedora-all [bug 1536518]