CVE-2014-8602
unbound: specially crafted request can lead to denial of service
Severity Score
4.3
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a large or infinite number of referrals.
iterator.c en NLnet Labs Unbound anterior a 1.5.1 no limita el encadenamiento de la delegación, lo que permite a atacantes remotos causar una denegación de servicio (consumo de memoria y CPU) a través de un número grande o infinito de remisiones.
A denial of service flaw was found in unbound that an attacker could use to trick the unbound resolver into following an endless loop of delegations, consuming an excessive amount of resources.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2014-11-04 CVE Reserved
- 2014-12-11 CVE Published
- 2024-07-23 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-399: Resource Management Errors
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (10)
| URL | Tag | Source |
|---|---|---|
| http://cert.ssi.gouv.fr/site/CERTFR-2014-AVI-512/index.html | Third Party Advisory | |
| http://www.kb.cert.org/vuls/id/264212 | Third Party Advisory |
|
| http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html | X_refsource_confirm |
|
| http://www.securityfocus.com/bid/71589 | Vdb Entry |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://unbound.net/downloads/patch_cve_2014_8602.diff | 2016-11-28 | |
| https://unbound.net/downloads/CVE-2014-8602.txt | 2016-11-28 |
| URL | Date | SRC |
|---|---|---|
| http://www.debian.org/security/2014/dsa-3097 | 2016-11-28 | |
| http://www.ubuntu.com/usn/USN-2484-1 | 2016-11-28 | |
| https://access.redhat.com/security/cve/CVE-2014-8602 | 2015-11-19 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1172065 | 2015-11-19 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Nlnetlabs Search vendor "Nlnetlabs" | Unbound Search vendor "Nlnetlabs" for product "Unbound" | <= 1.5.0 Search vendor "Nlnetlabs" for product "Unbound" and version " <= 1.5.0" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.10" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0" | - |
Affected
| ||||||