Vulnerabilities > CVE-2009-3602 - Cryptographic Issues vulnerability in Nlnetlabs Unbound
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Unbound before 1.3.4 does not properly verify signatures for NSEC3 records, which allows remote attackers to cause secure delegations to be downgraded via DNS spoofing or other DNS-related attacks in conjunction with crafted delegation responses.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_11_1_UNBOUND-100218.NASL description Unbound did not check signatures on NSEC3 records which allowed attackers who could spoof DNS responses to bypass DNSSEC. (CVE-2009-3602: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)) last seen 2020-06-01 modified 2020-06-02 plugin id 44682 published 2010-02-23 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/44682 title openSUSE Security Update : unbound (unbound-2015) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1963.NASL description It was discovered that Unbound, a DNS resolver, does not properly check cryptographic signatures on NSEC3 records. As a result, zones signed with the NSEC3 variant of DNSSEC lose their cryptographic protection. (An attacker would still have to carry out an ordinary cache poisoning attack to add bad data to the cache.) last seen 2020-06-01 modified 2020-06-02 plugin id 44828 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44828 title Debian DSA-1963-1 : unbound - cryptographic implementation error NASL family SuSE Local Security Checks NASL id SUSE_11_2_UNBOUND-100218.NASL description Unbound did not check signatures on NSEC3 records which allowed attackers who could spoof DNS responses to bypass DNSSEC. (CVE-2009-3602: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)) last seen 2020-06-01 modified 2020-06-02 plugin id 44685 published 2010-02-23 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/44685 title openSUSE Security Update : unbound (unbound-2015) NASL family DNS NASL id UNBOUND_1_3_4.NASL description According to its self-reported version number, the remote Unbound DNS resolver is affected by a remote DNS spoofing vulnerability when verifying NSEC3 signatures. last seen 2020-06-01 modified 2020-06-02 plugin id 106379 published 2018-01-26 reporter This script is Copyright (C) 2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/106379 title Unbound < 1.3.4 NSEC3 Signature Verification DNS Spoofing Vulnerability (CVE-2009-3602)
References
- http://osvdb.org/58836
- http://secunia.com/advisories/36996
- http://secunia.com/advisories/37913
- http://unbound.net/pipermail/unbound-users/2009-October/000852.html
- http://www.debian.org/security/2009/dsa-1963
- http://www.openwall.com/lists/oss-security/2009/10/09/2
- http://www.openwall.com/lists/oss-security/2009/10/09/3
- http://www.vupen.com/english/advisories/2009/2875
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53729