2116725 – (CVE-2022-30698) CVE-2022-30698 unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names

Bug 2116725 (CVE-2022-30698) - CVE-2022-30698 unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names

Summary: CVE-2022-30698 unbound: novel ghost domain attack that allows attackers to tr...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-30698
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2116730 2116731 2116732 2116733
Blocks:	2113806
TreeView+	depends on / blocked

Reported:	2022-08-09 09:19 UTC by Sandipan Roy
Modified:	2022-12-06 12:20 UTC (History)
CC List:	5 users (show)
Fixed In Version:	unbound 1.16.2
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Unbound, which is vulnerable to a novel type of "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before the expiry of the delegation information by querying Unbound for a second-level subdomain in which the rogue nameserver provides new delegation information. Since Unbound is a child-centric resolver, the ever-updating child delegation information can keep a rogue domain name resolvable long after revocation.
Clone Of:
Environment:
Last Closed:	2022-12-06 12:20:28 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:7622	0	None	None	None	2022-11-08 09:51:05 UTC
Red Hat Product Errata	RHSA-2022:8062	0	None	None	None	2022-11-15 10:08:13 UTC

Description Sandipan Roy 2022-08-09 09:19:53 UTC

NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before expiry of the delegation information by querying Unbound for a second level subdomain which the rogue nameserver provides new delegation information. Since Unbound is a child-centric resolver, the ever-updating child delegation information can keep a rogue domain name resolvable long after revocation. From version 1.16.2 on, Unbound checks the validity of parent delegation records before using cached delegation information.

https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt

Comment 1 Sandipan Roy 2022-08-09 09:26:52 UTC

Upstream Patch: https://github.com/NLnetLabs/unbound/commit/f6753a0f1018133df552347a199e0362fc1dac68

Comment 2 Sandipan Roy 2022-08-09 09:28:02 UTC

Created unbound tracking bugs for this issue:

Affects: fedora-35 [bug 2116731]
Affects: fedora-36 [bug 2116732]

Comment 4 errata-xmlrpc 2022-11-08 09:51:03 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7622 https://access.redhat.com/errata/RHSA-2022:7622

Comment 5 errata-xmlrpc 2022-11-15 10:08:11 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8062 https://access.redhat.com/errata/RHSA-2022:8062

Comment 6 Product Security DevOps Team 2022-12-06 12:20:26 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-30698

Note You need to log in before you can comment on or make changes to this bug.