Vigil@nce: Unbound, non verification of NSEC3
October 2009 by Vigil@nce
When an attacker can spoof DNS packets, he can poison the Unbound
cache with fake data.
Severity: 2/4
Consequences: data creation/edition, data deletion, denial of
service of service
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 12/10/2009
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
DNSSEC extensions are used to sign DNS records in order to avoid
spoofed packets.
The Unbound product is a DNS server handling DNSSEC extensions.
When a DNS packet is received, the nsec3_prove_nods() function in
file validator/val_nsec3.c handles NSEC3 records. However, this
function does not verify the provided signature. An attacker can
therefore send DNS packets with an invalid signature. Those
packets are not rejected.
When an attacker can spoof DNS packets, he can thus poison the
Unbound cache with fake data.
CHARACTERISTICS
Identifiers: CVE-2009-3602, VIGILANCE-VUL-9082
http://vigilance.fr/vulnerability/Unbound-non-verification-of-NSEC3-9082