SB2019100319 - Denial of service in Unbound
Published: October 3, 2019 Updated: June 25, 2020
Security Bulletin ID
SB2019100319
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Buffer overflow (CVE-ID: CVE-2019-16866)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack
The vulnerability exists due to a boundary error when processing NOTIFY queries in Unbound. A remote attacker can send a specially crafted NOTIFY query, trigger uninitialized memory access and crash the service.
Successful exploitation of this vulnerability requires that the source IP address of the query matches an access-control rule.
Remediation
Install update from vendor's website.
References
- https://github.com/NLnetLabs/unbound/blob/release-1.9.4/doc/Changelog
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E65NCWZZB2D75ZIYWPXKMVGSGNYW4JMC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MLRHE7TQFAOV4MB2ELTOGESZYUL65NUJ/
- https://nlnetlabs.nl/downloads/unbound/CVE-2019-16866.txt
- https://seclists.org/bugtraq/2019/Oct/23
- https://usn.ubuntu.com/4149-1/
- https://www.debian.org/security/2019/dsa-4544