CVE-2024-1931

Denial of service when trimming EDE text on positive replies

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop. Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration. From version 1.19.2 on, the code is fixed to avoid looping indefinitely.

NLnet Labs Unbound versión 1.18.0 hasta la versión 1.19.1 incluida contiene una vulnerabilidad que puede causar denegación de servicio mediante una determinada ruta de código que puede conducir a un bucle infinito. Unbound 1.18.0 introdujo una característica que elimina los registros EDE de las respuestas con un tamaño superior al tamaño de búfer anunciado por el cliente. Sin embargo, antes de eliminar todos los registros EDE, intentaría ver si recortar los campos de texto adicionales en esos registros daría como resultado un tamaño aceptable y al mismo tiempo conservaría los códigos EDE. Debido a una condición no marcada, el código que recorta el texto de los registros EDE podría repetirse indefinidamente. Esto sucede cuando Unbound responde con información EDE adjunta en una respuesta positiva y el tamaño del búfer del cliente es menor que el espacio necesario para incluir registros EDE. La vulnerabilidad sólo puede activarse cuando se utiliza la opción 'ede: yes'; configuración no predeterminada. A partir de la versión 1.19.2, el código se corrige para evitar bucles indefinidos.

*Credits: Fredrik Pettai, SUNET, Patrik Lundin, SUNET

CVSS Scores

NLnet Labsv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-27 CVE Reserved
2024-03-07 CVE Published
2024-07-06 EPSS Updated
2024-08-13 First Exploit
2024-08-28 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

References (7)

URL	Tag	Source
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4VCBRQ7KMSIGBQ6A4SBL5PF326DIJIIV
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B2JUIFPA7H75Q2W3VXW2TUNHK6NVGOX4
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBR4H7RCVMJ6H76S4LLRSY5EBFTYWGXK
https://lists.freebsd.org/archives/freebsd-security/2024-July/000283.html
https://security.netapp.com/advisory/ntap-20240705-0006

URL	Date	SRC
https://github.com/passer12/CVE-2024-1931-reproduction	2024-08-13

URL	Date	SRC

URL	Date	SRC
https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-1931.txt	2024-07-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
NLnet Labs Search vendor "NLnet Labs"		Unbound Search vendor "NLnet Labs" for product "Unbound"				>= 1.18.0 < 1.19.2 Search vendor "NLnet Labs" for product "Unbound" and version " >= 1.18.0 < 1.19.2"		en		Affected