Vulnerabilities > CVE-2009-4008 - Resource Management Errors vulnerability in Nlnetlabs Unbound

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
nlnetlabs
CWE-399
nessus

Summary

Unbound before 1.4.4 does not send responses for signed zones after mishandling an unspecified query, which allows remote attackers to cause a denial of service (DNSSEC outage) via a crafted query.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2243.NASL
    descriptionIt was discovered that Unbound, a caching DNS resolver, ceases to provide answers for zones signed using DNSSEC after it has processed a crafted query. (CVE-2009-4008 ) In addition, this update improves the level of DNSSEC support in the lenny version of Unbound so that it is possible for system administrators to configure the trust anchor for the root zone.
    last seen2020-03-17
    modified2011-06-10
    plugin id55031
    published2011-06-10
    reporterThis script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/55031
    titleDebian DSA-2243-1 : unbound - design flaw
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-2243. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(55031);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2009-4008");
      script_xref(name:"DSA", value:"2243");
    
      script_name(english:"Debian DSA-2243-1 : unbound - design flaw");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that Unbound, a caching DNS resolver, ceases to
    provide answers for zones signed using DNSSEC after it has processed a
    crafted query. (CVE-2009-4008 )
    
    In addition, this update improves the level of DNSSEC support in the
    lenny version of Unbound so that it is possible for system
    administrators to configure the trust anchor for the root zone."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2009-4008"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2011/dsa-2243"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the unbound packages.
    
    For the oldstable distribution (lenny), this problem has been fixed in
    version 1.4.6-1~lenny1.
    
    For the other distributions (squeeze, wheezy, sid), this problem has
    been fixed in version 1.4.4-1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:unbound");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/05/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"5.0", prefix:"unbound", reference:"1.4.6-1~lenny1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDNS
    NASL idUNBOUND_1_4_4.NASL
    descriptionAccording to its self-reported version number, the remote Unbound DNS resolver is affected by a denial of service vulnerability due to a failure to send responses for signed zones after mishandling an unspecified query. An attacker can exploit this, via a crafted query, to cause a DNSSEC outage, resulting in a denial of service condition. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id55048
    published2011-06-10
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/55048
    titleUnbound < 1.4.4 Unbound Signed Zone Query Response DNSSEC Outage DoS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(55048);
      script_version("1.6");
      script_cvs_date("Date: 2018/08/06 14:03:14");
    
      script_cve_id("CVE-2009-4008");
      script_bugtraq_id(48209);
    
      script_name(english:"Unbound < 1.4.4 Unbound Signed Zone Query Response DNSSEC Outage DoS");
      script_summary(english:"Checks version of Unbound.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote name server is affected by a denial of service
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the remote Unbound DNS
    resolver is affected by a denial of service vulnerability due to a
    failure to send responses for signed zones after mishandling an
    unspecified query. An attacker can exploit this, via a crafted query,
    to cause a DNSSEC outage, resulting in a denial of service condition.
    
    Note that Nessus has not tested for this issue but has instead relied
    only on the application's self-reported version number.");
      script_set_attribute(attribute:"solution", value:"Upgrade to Unbound version 1.4.4 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/05/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/04/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/10");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:unbound:unbound");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"DNS");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("unbound_version.nasl");
      script_require_keys("unbound/version", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    version = get_kb_item_or_exit("unbound/version");
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    fixed_version = "1.4.4";
    port = 53;
    
    tcp = get_kb_item("DNS/tcp/53");
    if (!isnull(tcp)) proto = "tcp";
    else proto = "udp"; # default
    
    # if version < 1.4.4
    if (
      version =~ "^0\." ||
      version =~ "^1\.[0-3]($|[^0-9])" ||
      version =~ "^1\.4(\.([0-3])(\.[0-9]+)*)?(([abp]|rc)[0-9]*)?$" ||
      version =~ "^1\.4\.4([ab]|rc)[0-9]*$"
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fixed_version +
          '\n';
        security_warning(port:port, proto:proto, extra:report);
      }
      else security_warning(port:port, proto:proto);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, 'Unbound', port, version);