CVE-2022-30698
Novel "ghost domain names" attack by introducing subdomain delegations
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before expiry of the delegation information by querying Unbound for a second level subdomain which the rogue nameserver provides new delegation information. Since Unbound is a child-centric resolver, the ever-updating child delegation information can keep a rogue domain name resolvable long after revocation. From version 1.16.2 on, Unbound checks the validity of parent delegation records before using cached delegation information.
NLnet Labs Unbound, versiones hasta 1.16.1 incluyéndola, es vulnerable a un nuevo tipo de ataque "ghost domain names". La vulnerabilidad funciona al apuntar a una instancia de Unbound. Unbound es consultado por un subdominio de un nombre de dominio falso. El servidor de nombres falso devuelve información de delegación para el subdominio que actualiza la caché de delegación de Unbound. Esta acción puede repetirse antes de que caduque la información de delegación, consultando a Unbound por un subdominio de segundo nivel al que el servidor de nombres falso proporcione nueva información de delegación. Dado que Unbound es un resolvedor centrado en los hijos, la información de delegación de los hijos, que es actualizada constantemente, puede mantener un nombre de dominio falso resoluble mucho tiempo después de su revocación. A partir de la versión 1.16.2, Unbound comprueba la validez de los registros de delegación padre antes de usar la información de delegación almacenada en caché
A flaw was found in Unbound, which is vulnerable to a novel type of "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before the expiry of the delegation information by querying Unbound for a second-level subdomain in which the rogue nameserver provides new delegation information. Since Unbound is a child-centric resolver, the ever-updating child delegation information can keep a rogue domain name resolvable long after revocation.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-05-13 CVE Reserved
- 2022-08-01 CVE Published
- 2024-06-17 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-613: Insufficient Session Expiration
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Nlnetlabs Search vendor "Nlnetlabs" | Unbound Search vendor "Nlnetlabs" for product "Unbound" | < 1.16.2 Search vendor "Nlnetlabs" for product "Unbound" and version " < 1.16.2" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||