Date:      Mon, 8 Jul 2024 06:48:36 +0800
From:      Gordon Tetlow <gordon@tetlows.org>
To:        "Wall, Stephen" <stephen.wall@redcom.com>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: CVE 2024 1931 - unbound
Message-ID:  <E85FFAE3-5722-4159-BAE6-91718C7913BC@tetlows.org>
In-Reply-To: <MW4PR09MB92843F5CB46E4B10DA4F726AEEDD2@MW4PR09MB9284.namprd09.prod.outlook.com>
References:  <MW4PR09MB92849E1CFE06CB46D2986DA9EED62@MW4PR09MB9284.namprd09.prod.outlook.com> <86jzi71tjx.fsf@ltc.des.dev> <MW4PR09MB92843F5CB46E4B10DA4F726AEEDD2@MW4PR09MB9284.namprd09.prod.outlook.com>


> On Jul 3, 2024, at 9:00 PM, Wall, Stephen <stephen.wall@redcom.com> wrote:
> 
>> From: Dag-Erling Smørgrav <des@FreeBSD.org>
>> The base system unbound is meant to be used with a configuration generated by
>> `local-unbound-setup`, which never enables the `ede` option which is a
>> prerequisite for the DoS attack described in CVE-2024-1931.
> 
> Thanks for your reply.
> 
> Local_unbound_setup supports dropping additional config files in /var/unbound/conf.d, which will be loaded by unbound. Files in this directory are not altered by local_unbound_setup. This implies, to me, that customization of the base unbound is specifically supported, meaning any FreeBSD site could potentially have ede enabled, and therefore be vulnerable to this CVE.
> It's my opinion that this warrants at least an advisory cautioning users of FreeBSD not to enable ede, if not a patch to address it.

Local DoSes do not get security advisories (the logic here is that a local user has a million ways to DoS a system). If the user has messed with the configuration of the local_unbound resolver to open it up to the network and get DoS’d from the remote network, I don’t feel this is something secteam is responsible for responding to.

Unbound exists as a port/pkg for the purposes of someone setting up a non-local resolver.

Best regards,
Gordon
Hat: security-officer
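An added audit script, not part of this thread or of FreeBSD's own tooling, that checks the conf.d drop-in directory the reporter mentions for the two conditions the thread turns on: an uncommented `ede: yes` (the CVE-2024-1931 prerequisite) and a listener that is not loopback (what turns a local DoS into a remotely reachable one). The default path /var/unbound/conf.d is taken from the thread; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the drop-in directory that
# local-unbound-setup leaves untouched (/var/unbound/conf.d, per the thread)
# for `ede: yes` and for non-loopback listeners. Function names are assumptions.

# Emit "file:line:key: value" for every uncommented occurrence of key $2 in
# *.conf files under $1. Unbound lines are "key: value"; '#' starts a comment.
unbound_opt_lines() {
    dir=$1; key=$2
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        sed 's/#.*$//' "$f" | grep -n "^[[:space:]]*$key:" | sed "s|^|$f:|"
    done
    return 0
}

# Exit 0 if any drop-in enables Extended DNS Errors (the `ede` option).
unbound_ede_enabled() {
    unbound_opt_lines "$1" ede | grep -iq 'ede:[[:space:]]*yes'
}

# Exit 0 if any drop-in declares a listener other than 127.0.0.1 or ::1
# (an "@port" suffix such as 127.0.0.1@53 is still treated as loopback).
unbound_nonlocal_listener() {
    unbound_opt_lines "$1" interface \
        | grep -vE 'interface:[[:space:]]*(127\.0\.0\.1|::1)(@[0-9]+)?[[:space:]]*$' \
        | grep -q .
}

# Verdict for one conf.d directory. Exit status:
#   0 = ede not enabled; 1 = ede enabled but loopback only (local DoS, which
#   the thread says gets no advisory); 2 = ede enabled and reachable from the
#   network (the configuration the reporter was concerned about).
unbound_ede_audit() {
    dir=${1:-/var/unbound/conf.d}
    if ! unbound_ede_enabled "$dir"; then
        echo "ok: no drop-in under $dir enables ede"; return 0
    fi
    if unbound_nonlocal_listener "$dir"; then
        echo "EXPOSED: ede enabled and a non-loopback listener is set in $dir"; return 2
    fi
    echo "WARN: ede enabled in $dir (loopback only); disable ede or accept local DoS risk"
    return 1
}
```

Run it as `sh audit.sh` with the directory as the first argument, or with no argument to use the thread's default path.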