2128947 – (CVE-2022-3204) CVE-2022-3204 unbound: NRDelegation attack leads to uncontrolled resource consumption (Non-Responsive Delegation Attack)

Bug 2128947 (CVE-2022-3204) - CVE-2022-3204 unbound: NRDelegation attack leads to uncontrolled resource consumption (Non-Responsive Delegation Attack)

Summary: CVE-2022-3204 unbound: NRDelegation attack leads to uncontrolled resource con...

Keywords:
Status:	NEW
Alias:	CVE-2022-3204
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2128964 2128965 2128953
Blocks:	2128841
TreeView+	depends on / blocked

Reported:	2022-09-22 04:37 UTC by Sandipan Roy
Modified:	2022-11-14 23:22 UTC (History)
CC List:	44 users (show)
Fixed In Version:	unbound 1.16.3
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in unbound. The attack can cause a resolver to spend a lot of time and resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. This issue can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation, leading to degraded performance and, eventually, a denial of service in orchestrated attacks.
Clone Of:
Environment:
Last Closed:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Sandipan Roy 2022-09-22 04:37:19 UTC

The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks.

Upstream has issued an advisory today (September 21):
https://nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt

The issue is fixed upstream in 1.16.3:
https://github.com/NLnetLabs/unbound/releases/tag/release-1.16.3

Comment 1 TEJ RATHI 2022-09-22 05:30:56 UTC

Created unbound tracking bugs for this issue:

Affects: fedora-all [bug 2128953]

Note You need to log in before you can comment on or make changes to this bug.

aegorenkov.91
akhaitovich
alazarot
asoldano
bbaranow
bmaxwell
brian.stansberry
cdewolf
chazlett
darran.lofthouse
dkreling
dosoudil
emingora
etirelli
fjuma
go-sig
ibek
iweiss
jochrist
jrokos
jwon
kverlaen
lgao
me
mnovotny
mosmerov
msochure
msvehla
nwallace
paul.wouters
pemensik
petersen
pjindal
pj.pandit
pmackay
reallylongword
redhat-bugzilla
rguimara
rrajasek
rstancel
smaestri
tom.jenkinson
tzimanyi
zebob.m