From nobody Thu Mar 28 07:51:02 2024 X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4V4whQ2kVZz5GQfg for ; Thu, 28 Mar 2024 07:51:02 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4V4whQ168cz4mGJ; Thu, 28 Mar 2024 07:51:02 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1711612262; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=qVo+gXfJwrMZcPMk2LsBM5CxADMdJFGB7tgZ3q4SCX4=; b=B6wTKPP9HbMGL0F9CbjVMXdopM7kLtfRE0c9VR3PMHTtZusQAlp0ZizI2lJIV5G2+GEMww ZutYNeLEMqk4VuJSHR9Nf+b7RPM1SrDQB87Jipl3WkfC4jZ9FCLw9tpF5mIQT0Q90CeoU2 XtLoTw4EDWghCvkjKLAbcCPjK605KiREIe+nGbTarUDcxgxQuFLI7mXBY0mupFQgC2g1XK issktuTXTC5rvzHGsHMfqNMQz+5UsIGGAXgKqNsWrt8MwqLZi9QqohoXc24ZS8TFXYDaGh l1Bx7uTK6uCwnnitVCgTG8viBJSnr8FnFMQTOgx3TL4DbpEon8nsP/awq7ad+A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1711612262; a=rsa-sha256; cv=none; b=cQ5CsQ/SfDDGstp9e05dtnaUZjR/s57ATiRI1CoWTNR9EfW3Skgsck1ErZCDGCpc+tDof5 GV/eTgEcI0pUBR4Y6wbJjrjpMfr4AnM8VfJKUgZQ3RR5zLqiPhQB1EnaW6ICukeHOVGZEB XeZ+0euPTC68fTujVszIZnu1xeAnLZqYoiRlpNaosnn9d48HQuVhrLgVVmaphgp5MwOf0/ N26rshd4Z1c3LmAni+wFQL0TpdZKfjF8nmoGcx7I2X+QP33boSr+vzUCTL7ow87DsDkoa6 7pmJURirzSH9DgR+HqDboJ68Iu6tIfxGg5kE6tF5e8kYuCyrhqx2IIByg4efFg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1711612262; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=qVo+gXfJwrMZcPMk2LsBM5CxADMdJFGB7tgZ3q4SCX4=; b=W9lJ0Ly45lrn+ubfbaQPwJIZRRoGA7+d1ObeJOIEQYDLZN6DUuQB4WPQBXv+HuIjNJHefj 3O17BNDuL6slcUn7jBZFGqe7vv0tb7wEsdXT5bjUr7HvgXKlPWpHgSIBPE20UeY2ipbIRq X+KTcLh26osX7LkblQ9xUeVWGPobRxdh5ySnDAz6uByFE5pZdm+GG3gP8fT38uh6/v4LZx Wp0cg3fjDdLpfo9xjTZEZt3zOJJbylNIlpZN69DNxG4JtvOxfVqvX7s2L5u0TvmH5qPvwc D1zlVc9cAyYIBIxkh8KYR3MoGgJ6x/7tXCMiSnk946b+DMLCoGcH+dE69ehg8w== Received: by freefall.freebsd.org (Postfix, from userid 945) id 1611431F2; Thu, 28 Mar 2024 07:51:02 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20240328075102.1611431F2@freefall.freebsd.org> Date: Thu, 28 Mar 2024 07:51:02 +0000 (UTC) List-Id: Moderated Security Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security-notifications@freebsd.org X-BeenThere: freebsd-security-notifications@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:03.unbound Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in unbound Category: contrib Module: unbound Announced: 2024-03-28 Affects: FreeBSD 13.2 and FreeBSD 14.0 Corrected: 2024-02-17 13:45:44 UTC (stable/14, 14.0-STABLE) 2024-03-28 05:06:26 UTC (releng/14.0, 14.0-RELEASE-p6) 2024-02-17 13:45:44 UTC (stable/13, 13.2-STABLE) 2024-03-28 05:07:55 UTC (releng/13.2, 13.2-RELEASE-p11) CVE Name: CVE-2023-50387, CVE-2023-50868 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Unbound is a validating, recursive, and caching DNS resolver. II. Problem Description The KeyTrap vulnerability (CVE-2023-50387) works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path. The NSEC3 vulnerability (CVE-2023-50868) uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path. III. Impact Both issues can force Unbound to spend an enormous time (comparative to regular traffic) validating a single specially crafted DNSSEC response while everything else is on hold for that thread. A trivially orchestrated attack could render all threads busy with such responses leading to denial of service. IV. Workaround No workaround is available. Systems not running Unbound are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 14.0] # fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-14.patch # fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-14.patch.asc # gpg --verify unbound-14.patch.asc [FreeBSD 13.2] # fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-13.patch # fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-13.patch.asc # gpg --verify unbound-13.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -p0 < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ e2b44c401cc2 stable/14-n266696 releng/14.0/ c189b94f8a22 releng/14.0-n265416 stable/13/ abe4ced2b9de stable/13-n257436 releng/13.2/ d9d90e5e42f6 releng/13.2-n254664 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGa4ACgkQbljekB8A Gu8Oxw/9HrzGZVx0FsUb8dhvf6Hlcfy3B0RNjxcnvvBm+P/V0+WSEaFTod9YaonO GN331SXI1blvqfCpOz2TLiOvHjWDPCcb8bb9YqQXRId4axnpxCCzIY0HkxgXFNDu XgXwM4JYapmWis/pOxifRXnB087lwbkfVx/0iOTeA0XUFoRRIbooiL/6H76hOmq7 XR5moI8xYyAX5Xh+5/6yZgd+A+0n/KfQnOEpA7Ex9MWC17co+RGOP1JUZYIFHhAc W/vNuL23UWqR1TjMgVWTHEvVBTrUPEiDfp2Z1LiQexH9IaQ4cePu7qrWlzAo7rr6 6Cf3DybH9IxALQQSSKq1JWNqQFOWvpXCy5JKBua+Z7kcFHR5tmAgolqGLGJ629Ko GNwsSUTZ8SzwupJ93boMaD4jF2t+zOXvBvceYywZEEvd2gq2zkfMV6WJwtUUOvdm z7Z7AejUFONrQyYps4rcKCthnQOLHtzcPUQom68KpUACsdOr1hkA0VOCf5HRrEe6 DpwM9PX1T3eiHSq1eZj2MMkz+Cw/DJK+wegkULRxg2ZOmWKA2U8df+Qj1RYpX4QT JrPSHh4EqovfrB5H0uUgfLWBgAzGBLEeFKAMA+omlEaELyNzvG/4xv8eJVtjTG+D EEQCXVTJmws/ZFDC2vJhVR6vdAwMuPz8YkBtcQkqnNcF+zzbcEk= =PELN -----END PGP SIGNATURE-----