CVE-2019-18934

unbound: command injection with data coming from a specially crafted IPSECKEY answer

Severity Score

7.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration.

Unbound versiones 1.6.4 hasta 1.9.4, contiene una vulnerabilidad en el módulo ipsec que puede causar una ejecución de código de shell después de recibir una respuesta especialmente diseñada. Este problema solo puede ser activado si unbound fue compilado con el soporte "--enable-ipsecmod", e ipsecmod está habilitado y usado en la configuración.

A shell command injection vulnerability was discovered in the way unbound handles DNS queries for systems with a public key used for IPsec. When ipsecmod is enabled, a malicious DNS server could send a DNS reply which would be used during a following DNS query to execute shell commands with the privileges of the unbound process. The same attack could be performed by an attacker who can modify data transmitted over the network, before it reaches the unbound server, if DNSSEC is not used.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-11-13 CVE Reserved
2019-11-19 CVE Published
2023-04-08 EPSS Updated
2024-08-05 CVE Updated
2024-08-05 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CAPEC

References (9)

URL	Tag	Source
https://github.com/NLnetLabs/unbound/blob/release-1.9.5/doc/Changelog	Release Notes

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2019/11/19/1	2024-08-05

URL	Date	SRC
https://www.nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt	2023-11-07

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00067.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00069.html	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCR6JP7MSRARTOGEHGST64G4FJGX5VK	2023-11-07
https://www.nlnetlabs.nl/news/2019/Nov/19/unbound-1.9.5-released	2023-11-07
https://access.redhat.com/security/cve/CVE-2019-18934	2020-04-28
https://bugzilla.redhat.com/show_bug.cgi?id=1776762	2020-04-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nlnetlabs Search vendor "Nlnetlabs"		Unbound Search vendor "Nlnetlabs" for product "Unbound"				>= 1.6.4 <= 1.9.4 Search vendor "Nlnetlabs" for product "Unbound" and version " >= 1.6.4 <= 1.9.4"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				31 Search vendor "Fedoraproject" for product "Fedora" and version "31"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.2 Search vendor "Opensuse" for product "Leap" and version "15.2"		-		Affected