1. CVE-2022-30698 and CVE-2022-30699

Two vulnerabilities have been discovered in Unbound: CVE-2022-30698 and CVE-2022-30699.

(Two Unbound defects)

1.1. Summary

1.1.1. CVE-2022-30698

Unbound prior to 1.16.2 allows malicious users to trigger continued resolvability of malicious domain names, even after their revocation from the parent zone, via a novel type of the "ghost domain names" attack that targets child-centric DNS resolvers. In this variant the attacker keeps querying for ever-deeper subdomains so that its own nameserver can hand out fresh delegation information before the cached delegation expires.

1.1.2. CVE-2022-30699

Unbound prior to 1.16.2 allows malicious users to trigger continued resolvability of malicious domain names, even after their revocation from the parent zone, via a novel type of the "ghost domain names" attack that targets child-centric DNS resolvers. In this variant the attacker's nameserver delays its answer so that the delegation information it carries arrives after the cached entry has expired and overwrites it.

1.2. Affected products

Unbound up to and including 1.16.1.

1.3. Description

1.3.1. CVE-2022-30698

The attack targets a running Unbound instance. The attacker queries Unbound for a subdomain of a malicious domain name, i.e. a name the attacker controls and that the parent zone operator will later take down.

The malicious nameserver answers with delegation information for that subdomain, which updates Unbound's delegation cache.

Before that delegation information expires, the attacker repeats the step by querying Unbound for a further (second-level) subdomain, for which the malicious nameserver again supplies new delegation information.

Because Unbound is a child-centric resolver, it follows the most specific cached delegation instead of going back to the parent, so the continually refreshed child delegation information keeps the malicious domain name resolvable long after its revocation, bypassing the take-down by the parent zone operator.

From version 1.16.2 on, Unbound checks the validity of the parent's delegation records before using cached delegation information.

1.3.2. CVE-2022-30699

The attack targets a running Unbound instance. The attacker queries Unbound for a malicious domain name at the moment the cached delegation information for it is about to expire.

The malicious nameserver deliberately delays its response until after the cached delegation information has expired.

When the delayed answer arrives, its delegation information overwrites the now-expired cache entries, restarting their lifetime.

The attacker repeats this each time the delegation information is about to expire, so the malicious delegation information is refreshed indefinitely, again bypassing the take-down by the parent zone operator.

From version 1.16.2 on, Unbound records the start time of a query and uses it, rather than the arrival time of the answer, to decide whether the cached delegation information may be overwritten.
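The two attacks (1.3.1 and 1.3.2) and the two countermeasures, as an added toy simulation. This is example code written for this page, not code from Unbound or from the advisory: it models a single attacker zone evil.example. delegated from example., a fixed TTL of 100 s, a 10 s delayed answer, and a cache that keeps parent-side and child-side delegation data in separate slots. All names, timings and the cache logic are constructed for illustration and say nothing about Unbound's real data structures.

```python
"""Toy model of the "ghost domain names" attacks CVE-2022-30698 / CVE-2022-30699
on a child-centric delegation cache, plus the 1.16.2 countermeasures as the
advisory describes them.  Constructed example, not Unbound's own code."""

TTL = 100                 # TTL of every delegation in the model (assumed)
APEX = "evil.example."    # the attacker's zone, delegated from example.
# The parent zone is modelled as the set of names it still delegates;
# removing APEX from it is the take-down.


class MaliciousNS:
    """Attacker's nameserver: a fresh delegation for whatever name is asked,
    optionally answered late (the CVE-2022-30699 trick)."""
    def __init__(self, delay=0):
        self.delay = delay

    def answer(self, name, sent_at):
        arrival = sent_at + self.delay
        return arrival, name, TTL         # delegation for name, TTL from arrival


class Resolver:
    """Child-centric resolver.  check_parent = CVE-2022-30698 fix (validate the
    parent's delegation before using cached child-side data); use_qstart =
    CVE-2022-30699 fix (judge freshness at query start, not answer arrival)."""
    def __init__(self, parent, attacker, check_parent=False, use_qstart=False):
        self.parent, self.attacker = parent, attacker
        self.check_parent, self.use_qstart = check_parent, use_qstart
        self.cache = {}   # name -> {"parent": expiry, "child": expiry}

    @staticmethod
    def _zone_cuts(name):
        """Ancestors of name below the parent zone, most specific first."""
        labels = name.rstrip(".").split(".")
        return [".".join(labels[i:]) + "." for i in range(len(labels) - 1)]

    def _fresh(self, name, side, t):
        return self.cache.get(name, {}).get(side, -1) > t

    def _closest_cached(self, name, now):
        for cut in self._zone_cuts(name):
            if self._fresh(cut, "parent", now) or self._fresh(cut, "child", now):
                return cut
        return None

    def _parent_side_valid(self, cut, now):
        """The nearest delegation learned from the parent zone must be unexpired."""
        for z in self._zone_cuts(cut):
            if "parent" in self.cache.get(z, {}):
                return self._fresh(z, "parent", now)
        return False

    def resolve(self, name, now):
        """Return True if name still resolves at simulated time now."""
        cut = self._closest_cached(name, now)
        if cut and self.check_parent and not self._parent_side_valid(cut, now):
            cut = None
        if cut is None:                              # go back to the parent zone
            if APEX not in self.parent:              # revoked: take-down works
                self.cache = {k: v for k, v in self.cache.items()
                              if not k.endswith(APEX)}
                return False
            self.cache.setdefault(APEX, {})["parent"] = now + TTL
        arrival, deleg, ttl = self.attacker.answer(name, now)
        self._store_child(deleg, arrival + ttl, qstart=now, arrival=arrival)
        return True

    def _store_child(self, name, expiry, qstart, arrival):
        # Pre-1.16.2: an entry that expired while the answer was in flight is
        # overwritten.  use_qstart: still valid at query start -> keep it.
        slot = self.cache.setdefault(name, {})
        ref = qstart if self.use_qstart else arrival
        if slot.get("child", -1) <= ref:
            slot["child"] = expiry


def ghost_subdomains(**fixes):
    """CVE-2022-30698: after the take-down keep asking for deeper subdomains,
    each delegated afresh before the previous delegation expires."""
    parent = {APEX}
    r = Resolver(parent, MaliciousNS(), **fixes)
    name = "a." + APEX
    out = [r.resolve(name, 0)]
    parent.discard(APEX)                             # take-down between t=0 and t=90
    for label, t in (("b", 90), ("c", 180), ("d", 270)):
        name = label + "." + name
        out.append(r.resolve(name, t))
    return out


def ghost_delayed_answer(**fixes):
    """CVE-2022-30699: query just before expiry; the answer arrives 10 s late,
    after the cached delegation expired, and (pre-fix) overwrites it."""
    parent = {APEX}
    r = Resolver(parent, MaliciousNS(delay=10), **fixes)
    out = [r.resolve(APEX, 0)]                       # child delegation valid to 110
    parent.discard(APEX)
    return out + [r.resolve(APEX, t) for t in (105, 150, 210, 300)]
```

Run `ghost_subdomains()` and `ghost_delayed_answer()` with no fixes and every query after the take-down still returns True: the ghost lives as long as the attacker keeps refreshing. With `check_parent=True` the subdomain chain dies at t=180, once the parent-side delegation cached at t=0 has expired; `use_qstart=True` alone does not help there, because each subdomain is a brand-new cache entry. With `use_qstart=True` the late answer at t=115 is not allowed to refresh an entry that was still valid at t=105, so the name stops resolving at t=150. In this simplified model the parent check is enough on its own for the delayed-answer variant; the page says nothing about how the two checks interact inside Unbound.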

1.4. Solution

Install Unbound version 1.16.2 or later. The installed version can be checked with `unbound -V`, whose first output line is the version string.

1.5. Acknowledgments

We would like to thank Xiang Li from the Network and Information Security Lab of Tsinghua University for discovering and disclosing the vulnerabilities.


MoinQ: DNS/実装/unbound/1.16.2/CVE (last edited 2022-08-02 02:03:44 by ToshinoriMaeno)