CVE-2014-8602
unbound: specially crafted request can lead to denial of service
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a large or infinite number of referrals.
iterator.c en NLnet Labs Unbound anterior a 1.5.1 no limita el encadenamiento de la delegación, lo que permite a atacantes remotos causar una denegación de servicio (consumo de memoria y CPU) a través de un número grande o infinito de remisiones.
A denial of service flaw was found in unbound that an attacker could use to trick the unbound resolver into following an endless loop of delegations, consuming an excessive amount of resources.
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. A denial of service flaw was found in unbound that an attacker could use to trick the unbound resolver into following an endless loop of delegations, consuming an excessive amount of resources. Prior to this update, there was a mistake in the time configuration in the cron job invoking unbound-anchor to update the root zone key. Consequently, unbound-anchor was invoked once a month instead of every day, thus not complying with RFC 5011. The cron job has been replaced with a systemd timer unit that is invoked on a daily basis. Now, the root zone key validity is checked daily at a random time within a 24-hour window, and compliance with RFC 5011 is ensured.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-11-04 CVE Reserved
- 2014-12-11 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-399: Resource Management Errors
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (10)
| URL | Tag | Source |
|---|---|---|
| http://cert.ssi.gouv.fr/site/CERTFR-2014-AVI-512/index.html | Third Party Advisory | |
| http://www.kb.cert.org/vuls/id/264212 | Third Party Advisory |
|
| http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html | X_refsource_confirm |
|
| http://www.securityfocus.com/bid/71589 | Vdb Entry |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://unbound.net/downloads/patch_cve_2014_8602.diff | 2016-11-28 | |
| https://unbound.net/downloads/CVE-2014-8602.txt | 2016-11-28 |
| URL | Date | SRC |
|---|---|---|
| http://www.debian.org/security/2014/dsa-3097 | 2016-11-28 | |
| http://www.ubuntu.com/usn/USN-2484-1 | 2016-11-28 | |
| https://access.redhat.com/security/cve/CVE-2014-8602 | 2015-11-19 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1172065 | 2015-11-19 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Nlnetlabs Search vendor "Nlnetlabs" | Unbound Search vendor "Nlnetlabs" for product "Unbound" | <= 1.5.0 Search vendor "Nlnetlabs" for product "Unbound" and version " <= 1.5.0" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.10" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0" | - |
Affected
| ||||||