Vulnerabilities > CVE-2009-3602 - Cryptographic Issues vulnerability in Nlnetlabs Unbound

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
nlnetlabs
CWE-310
nessus

Summary

Unbound before 1.3.4 does not properly verify signatures for NSEC3 records, which allows remote attackers to cause secure delegations to be downgraded via DNS spoofing or other DNS-related attacks in conjunction with crafted delegation responses.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_UNBOUND-100218.NASL
    descriptionUnbound did not check signatures on NSEC3 records which allowed attackers who could spoof DNS responses to bypass DNSSEC. (CVE-2009-3602: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P))
    last seen2020-06-01
    modified2020-06-02
    plugin id44682
    published2010-02-23
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/44682
    titleopenSUSE Security Update : unbound (unbound-2015)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1963.NASL
    descriptionIt was discovered that Unbound, a DNS resolver, does not properly check cryptographic signatures on NSEC3 records. As a result, zones signed with the NSEC3 variant of DNSSEC lose their cryptographic protection. (An attacker would still have to carry out an ordinary cache poisoning attack to add bad data to the cache.)
    last seen2020-06-01
    modified2020-06-02
    plugin id44828
    published2010-02-24
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/44828
    titleDebian DSA-1963-1 : unbound - cryptographic implementation error
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_2_UNBOUND-100218.NASL
    descriptionUnbound did not check signatures on NSEC3 records which allowed attackers who could spoof DNS responses to bypass DNSSEC. (CVE-2009-3602: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P))
    last seen2020-06-01
    modified2020-06-02
    plugin id44685
    published2010-02-23
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/44685
    titleopenSUSE Security Update : unbound (unbound-2015)
  • NASL familyDNS
    NASL idUNBOUND_1_3_4.NASL
    descriptionAccording to its self-reported version number, the remote Unbound DNS resolver is affected by a remote DNS spoofing vulnerability when verifying NSEC3 signatures.
    last seen2020-06-01
    modified2020-06-02
    plugin id106379
    published2018-01-26
    reporterThis script is Copyright (C) 2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/106379
    titleUnbound < 1.3.4 NSEC3 Signature Verification DNS Spoofing Vulnerability (CVE-2009-3602)