From nobody Thu Mar 28 07:51:02 2024 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4V4whQ2nPJz5GQfh for ; Thu, 28 Mar 2024 07:51:02 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4V4whQ0h74z4mSD; Thu, 28 Mar 2024 07:51:02 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1711612262; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=qVo+gXfJwrMZcPMk2LsBM5CxADMdJFGB7tgZ3q4SCX4=; b=jsrjo4ntofYtmcA8BqHpo5lza6m94aeqkzeswELJKQsvwaFGOfUduW+yn4603ylvupZ7vJ Qb8vSqBfrZoxVGO3ST8HkqCey2xAAhSM9TwXrKt6XIgF4P9vEFwxzXqxJlT88Z+hhHClOl 8QlceQgNg077VcxuGz/OmhLsENpQ4l4P0uWx8/X6Crzw9OhYeggfalJSVsszgycf5tfSAk 1lOBlsTx01cEqKgFhZFIpsS55v+p0Rs6tlxzfTlyEWzsrU7sq/InaBM5D15fpLNPEUJ1mu 9oVJt1ps995xKTWodCWCorUAisAWX1Wc5zVVQ7qWe+w8YVkgfUodGoYgd75qLQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1711612262; a=rsa-sha256; cv=none; b=qOHTKNndyQnqjM4sKt5GG9YIJ4BUC8jjPjjJmGsl7wjQuhgEtXgcGpUBjERAZWZHlRdJac WDDoAKpidEwaK2TYVlyWOBfk8vqJA1piPYazOjU3zqNo7GTyVWWzcM6oBxl1AZy7HsJB6o +oLdnljXERHIz02mPzx5dxiOg+9xLyY8XK12BY7DoVZglvjhHsNQykx6IJRWb6igKILB0h IU0LWq4YsOh5L/ozb3f/GaOiLFGhV/nHc3HnIZMJSOlRxcMpNxn6i9K0OF9aYlwfH+A1Bv fEX6Qi9yWcj4JVcJKROdWVDSG7/mQQeet6x2OSxFztyuUIjw4XIg/48790q+fQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1711612262; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=qVo+gXfJwrMZcPMk2LsBM5CxADMdJFGB7tgZ3q4SCX4=; b=Y7dZqGJISoHOkA9KcUP76NIMDiKy3q3mScx6qFB9QUvM9llgL8rqWuarMq2vMHg2lukkpv IV5x1zYyW1N0NPpQFUbEv9Mywq7L1wbd6DsQ7gYIe5KAJGQ0GWfc5c0TjC4lUpEuDgDdfu 2uJZscHrc3VkFrdwV9G0G5l+eZ1QJ3Q+xGJqwP+kswRhmenV2WtlyY7kH52rvLhVDFswNQ dJI98I6srFBaeSymn3bhgTpnZC5J0KPaFckqdatgQymudXoq8WJ6elhCWvMN8zMlIgSq5k /4+j865mDABGdytATMBduWVeZOSZWSAClfBavUGhwSytyFNYsbS7p6CrX+a4Gg== Received: by freefall.freebsd.org (Postfix, from userid 945) id 10441343C; Thu, 28 Mar 2024 07:51:02 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20240328075102.10441343C@freefall.freebsd.org> Date: Thu, 28 Mar 2024 07:51:02 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:03.unbound Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in unbound Category: contrib Module: unbound Announced: 2024-03-28 Affects: FreeBSD 13.2 and FreeBSD 14.0 Corrected: 2024-02-17 13:45:44 UTC (stable/14, 14.0-STABLE) 2024-03-28 05:06:26 UTC (releng/14.0, 14.0-RELEASE-p6) 2024-02-17 13:45:44 UTC (stable/13, 13.2-STABLE) 2024-03-28 05:07:55 UTC (releng/13.2, 13.2-RELEASE-p11) CVE Name: CVE-2023-50387, CVE-2023-50868 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Unbound is a validating, recursive, and caching DNS resolver. II. Problem Description The KeyTrap vulnerability (CVE-2023-50387) works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path. The NSEC3 vulnerability (CVE-2023-50868) uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path. III. Impact Both issues can force Unbound to spend an enormous time (comparative to regular traffic) validating a single specially crafted DNSSEC response while everything else is on hold for that thread. A trivially orchestrated attack could render all threads busy with such responses leading to denial of service. IV. Workaround No workaround is available. Systems not running Unbound are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 14.0] # fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-14.patch # fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-14.patch.asc # gpg --verify unbound-14.patch.asc [FreeBSD 13.2] # fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-13.patch # fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-13.patch.asc # gpg --verify unbound-13.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -p0 < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ e2b44c401cc2 stable/14-n266696 releng/14.0/ c189b94f8a22 releng/14.0-n265416 stable/13/ abe4ced2b9de stable/13-n257436 releng/13.2/ d9d90e5e42f6 releng/13.2-n254664 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGa4ACgkQbljekB8A Gu8Oxw/9HrzGZVx0FsUb8dhvf6Hlcfy3B0RNjxcnvvBm+P/V0+WSEaFTod9YaonO GN331SXI1blvqfCpOz2TLiOvHjWDPCcb8bb9YqQXRId4axnpxCCzIY0HkxgXFNDu XgXwM4JYapmWis/pOxifRXnB087lwbkfVx/0iOTeA0XUFoRRIbooiL/6H76hOmq7 XR5moI8xYyAX5Xh+5/6yZgd+A+0n/KfQnOEpA7Ex9MWC17co+RGOP1JUZYIFHhAc W/vNuL23UWqR1TjMgVWTHEvVBTrUPEiDfp2Z1LiQexH9IaQ4cePu7qrWlzAo7rr6 6Cf3DybH9IxALQQSSKq1JWNqQFOWvpXCy5JKBua+Z7kcFHR5tmAgolqGLGJ629Ko GNwsSUTZ8SzwupJ93boMaD4jF2t+zOXvBvceYywZEEvd2gq2zkfMV6WJwtUUOvdm z7Z7AejUFONrQyYps4rcKCthnQOLHtzcPUQom68KpUACsdOr1hkA0VOCf5HRrEe6 DpwM9PX1T3eiHSq1eZj2MMkz+Cw/DJK+wegkULRxg2ZOmWKA2U8df+Qj1RYpX4QT JrPSHh4EqovfrB5H0uUgfLWBgAzGBLEeFKAMA+omlEaELyNzvG/4xv8eJVtjTG+D EEQCXVTJmws/ZFDC2vJhVR6vdAwMuPz8YkBtcQkqnNcF+zzbcEk= =PELN -----END PGP SIGNATURE-----