Vulnerabilities > CVE-2009-4008 - Resource Management Errors vulnerability in Nlnetlabs Unbound
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
Unbound before 1.4.4 does not send responses for signed zones after mishandling an unspecified query, which allows remote attackers to cause a denial of service (DNSSEC outage) via a crafted query.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2243.NASL description It was discovered that Unbound, a caching DNS resolver, ceases to provide answers for zones signed using DNSSEC after it has processed a crafted query. (CVE-2009-4008 ) In addition, this update improves the level of DNSSEC support in the lenny version of Unbound so that it is possible for system administrators to configure the trust anchor for the root zone. last seen 2020-03-17 modified 2011-06-10 plugin id 55031 published 2011-06-10 reporter This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/55031 title Debian DSA-2243-1 : unbound - design flaw code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-2243. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(55031); script_version("1.8"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2009-4008"); script_xref(name:"DSA", value:"2243"); script_name(english:"Debian DSA-2243-1 : unbound - design flaw"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "It was discovered that Unbound, a caching DNS resolver, ceases to provide answers for zones signed using DNSSEC after it has processed a crafted query. (CVE-2009-4008 ) In addition, this update improves the level of DNSSEC support in the lenny version of Unbound so that it is possible for system administrators to configure the trust anchor for the root zone." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2009-4008" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2011/dsa-2243" ); script_set_attribute( attribute:"solution", value: "Upgrade the unbound packages. For the oldstable distribution (lenny), this problem has been fixed in version 1.4.6-1~lenny1. For the other distributions (squeeze, wheezy, sid), this problem has been fixed in version 1.4.4-1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:unbound"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0"); script_set_attribute(attribute:"patch_publication_date", value:"2011/05/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"5.0", prefix:"unbound", reference:"1.4.6-1~lenny1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family DNS NASL id UNBOUND_1_4_4.NASL description According to its self-reported version number, the remote Unbound DNS resolver is affected by a denial of service vulnerability due to a failure to send responses for signed zones after mishandling an unspecified query. An attacker can exploit this, via a crafted query, to cause a DNSSEC outage, resulting in a denial of service condition. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 55048 published 2011-06-10 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55048 title Unbound < 1.4.4 Unbound Signed Zone Query Response DNSSEC Outage DoS code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(55048); script_version("1.6"); script_cvs_date("Date: 2018/08/06 14:03:14"); script_cve_id("CVE-2009-4008"); script_bugtraq_id(48209); script_name(english:"Unbound < 1.4.4 Unbound Signed Zone Query Response DNSSEC Outage DoS"); script_summary(english:"Checks version of Unbound."); script_set_attribute(attribute:"synopsis", value: "The remote name server is affected by a denial of service vulnerability."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the remote Unbound DNS resolver is affected by a denial of service vulnerability due to a failure to send responses for signed zones after mishandling an unspecified query. An attacker can exploit this, via a crafted query, to cause a DNSSEC outage, resulting in a denial of service condition. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"solution", value:"Upgrade to Unbound version 1.4.4 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/05/27"); script_set_attribute(attribute:"patch_publication_date", value:"2010/04/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/10"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"cpe", value:"cpe:/a:unbound:unbound"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"DNS"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("unbound_version.nasl"); script_require_keys("unbound/version", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); version = get_kb_item_or_exit("unbound/version"); if (report_paranoia < 2) audit(AUDIT_PARANOID); fixed_version = "1.4.4"; port = 53; tcp = get_kb_item("DNS/tcp/53"); if (!isnull(tcp)) proto = "tcp"; else proto = "udp"; # default # if version < 1.4.4 if ( version =~ "^0\." || version =~ "^1\.[0-3]($|[^0-9])" || version =~ "^1\.4(\.([0-3])(\.[0-9]+)*)?(([abp]|rc)[0-9]*)?$" || version =~ "^1\.4\.4([ab]|rc)[0-9]*$" ) { if (report_verbosity > 0) { report = '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; security_warning(port:port, proto:proto, extra:report); } else security_warning(port:port, proto:proto); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, 'Unbound', port, version);