CVE-2022-3204

NRDelegation Attack

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the attack and the replies, different limits could be reached. From version 1.16.3 on, Unbound introduces fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records.

Se ha detectado una vulnerabilidad denominada "Non-Responsive Delegation Attack" (NRDelegation Attack) en varios programas de resolución de DNS. El ataque NRDelegation funciona teniendo una delegación maliciosa con un número considerable de servidores de nombre que no responden. El ataque comienza al consultar a un resolver un registro que depende de esos servidores de nombre que no responden. El ataque puede causar que un resolver gaste mucho tiempo/recursos resolviendo registros bajo un punto de delegación malicioso donde reside un número considerable de registros NS que no responden. Puede desencadenar un alto uso de la CPU en algunas implementaciones del resolver que buscan continuamente en la caché los registros NS resueltos en esa delegación. Esto puede conllevar a una degradación del rendimiento y, eventualmente, una denegación de servicio en ataques orquestados. Unbound no sufre un alto uso de la CPU, pero los recursos siguen siendo necesarios para resolver la delegación maliciosa. Unbound seguirá intentando resolver el registro hasta que sean alcanzados los límites establecidos. Según la naturaleza del ataque y las respuestas, pueden alcanzarse diferentes límites. A partir de la versión 1.16.3, Unbound introduce correcciones para mejorar el rendimiento cuando está bajo carga, al recortar las consultas oportunistas para la detección de servidores de nombres y la precarga de DNSKEY y limitando el número de veces que un punto de delegación puede emitir una búsqueda en la caché para los registros faltantes.

A vulnerability was found in unbound. The attack can cause a resolver to spend a lot of time and resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. This issue can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation, leading to degraded performance and, eventually, a denial of service in orchestrated attacks.

*Credits: We would like to thank Yehuda Afek from Tel-Aviv University, Anat Bremler-Barr and Shani Stajnrod from Reichman University for discovering and disclosing the vulnerability.

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-13 CVE Reserved
2022-09-26 CVE Published
2024-05-17 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (8)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35QGS5FBQTG3DBSK7QV67PA64P24ABHY	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3G2HS6CYPSIGAKO6QLEZPG3RD6AMPB7B	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4EU6DMJXQFMAIE6SLAH4H5RNRU6VQL	2023-11-07
https://security.gentoo.org/glsa/202212-02	2023-11-07
https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt	2023-11-07
https://access.redhat.com/security/cve/CVE-2022-3204	2024-04-25
https://bugzilla.redhat.com/show_bug.cgi?id=2128947	2024-04-25

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nlnetlabs Search vendor "Nlnetlabs"		Unbound Search vendor "Nlnetlabs" for product "Unbound"				<= 1.16.2 Search vendor "Nlnetlabs" for product "Unbound" and version " <= 1.16.2"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected