Bug 278870

Summary: dns/unbound: Uodate to 1.20.0
Product: Ports & Packages Reporter: Jaap Akkerhuis <jaap>
Component: Individual Port(s)Assignee: Fernando Apesteguía <fernape>
Status: Closed FIXED    
Severity: Affects Many People CC: fernape, freebsdbugzilla, ports-secteam
Priority: --- Flags: fernape: merge-quarterly+
Version: Latest   
Hardware: Any   
OS: Any   
URL: https://nlnetlabs.nl/news/2024/May/08/unbound-1.20.0-released/
Attachments:
Description Flags
Patch to update jaap: maintainer-approval+

Description Jaap Akkerhuis 2024-05-09 12:48:59 UTC 
Created attachment 250545 [details]
Patch to update

This release has a fix for the DNSBomb issue CVE-2024-33655. This has a low severity for Unbound, since it makes Unbound complicit in targeting others, but does not affect Unbound so much.

To mitigate the issue new configuration options are introduced. The options discard-timeout: 1900, wait-limit: 1000 and wait-limit-cookie: 10000 are enabled by default. They limit the number of outstanding queries that a querier can have. This limits the reply pulse, and make Unbound less favorable for the issue. With the config wait-limit-netblock and wait-limit-cookie-netblock the parameters can be fine tuned for specific destinations. More information on the attack and Unbound's mitigations are presented further down.

Other fixes in this release are that Unbound no longer follows symlinks when truncating the pidfile. Unbound also does not chown the pidfile, this is for safety reasons. There are also a number of fixes for RPZ, in handling CNAMEs. There is a memory leak fix for the edns client subnet cache. For DNSSEC validation a case is fixed when the query is of type DNAME. The unbound-anchor program is fixed to first write to a temporary file, before replacing the original. This handles disk full situations, and because of it unbound-anchor needs permission to create that file, in the same directory as the original file. There is also a fix for IP_DONTFRAG, to disable fragmentation instead of the opposite.

The option cache-min-negative-ttl can be used to set the minimum TTL for negative responses in the cache. It complements existing options to set the maximum ttl for negative responses and to set the minimum and maximum ttl but not specifically for negative responses.

The option cachedb-check-when-serve-expired option makes Unbound use cachedb to check for expired responses, when serve-expired is enabled, and cachedb is used. It is enabled by default.

The -q option for unbound-checkconf can be added to silence it when there are no errors.

Summary of the DNSBomb vulnerability CVE-2024-33655.
The DNSBomb attack, via specially timed DNS queries and answers, can cause a Denial of Service on resolvers and spoofed targets.

Unbound itself is not vulnerable for DoS, rather it can be used to take part in a pulsing DoS amplification attack.

Unbound 1.20.0 includes fixes so the impact of the DoS from Unbound is significantly lower than it used to be and making the attack, and Unbound's participation, less tempting for attackers.

Affected products
Unbound up to and including 1.19.3.

Description of CVE-2024-33655
The DNSBomb attack works by sending low-rate spoofed queries for a malicious zone to Unbound. By controlling the delay of the malicious authoritative answers, Unbound slowly accumulates pending answers for the spoofed addresses. When the authoritative answers become available to Unbound at the same time, Unbound starts serving all the accumulated queries. This results into large-sized, concentrated response bursts to the spoofed addresses.

From version 1.20.0 on, Unbound introduces a couple of configuration options to help mitigate the impact. Their complete description can be found in the included manpages but they are also briefly listed here together with their default values for convenience:

* discard-timeout: 1900 After 1900 ms a reply to the client will be dropped. Unbound would still work on the query but refrain from replying in order to not accumulate a huge number of "old" replies. Legitimate clients retry on timeouts.

* wait-limit: 1000 wait-limit-cookie: 10000 Limits the amount of client queries that require recursion (cache-hits are not counted) per IP address. More recursive queries than the allowed limit are dropped. Clients with a valid EDNS Cookie can have a different limit, higher by default. wait-limit: 0 disables all wait limits.

* wait-limit-netblock wait-limit-cookie-netblock These do not have a default value but they can fine grain configuration for specific netblocks. With or without EDNS Cookies.

The options above are trying to shrink the DNSBomb window so that the impact of the DoS from Unbound is significantly lower than it used to be and making the attack, and Unbound's participation, less tempting for attackers.

Acknowledgements
We would like to thank Xiang Li from the Network and Information Security Lab of Tsinghua University for discovering and disclosing the attack.

For a full list of changes, binary and source packages, see the
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-20-0.
Comment 1 Fernando Apesteguía freebsd_committer freebsd_triage 2024-05-10 06:34:59 UTC 
Reminder to self: add entry to VuXML
Comment 2 Fernando Apesteguía freebsd_committer freebsd_triage 2024-05-10 18:00:33 UTC 
Committed,

Thanks!
Comment 3 commit-hook freebsd_committer freebsd_triage 2024-05-10 18:01:03 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a478d4b5e7ef58c06031c2e6802dc2a64bd5f4e9

commit a478d4b5e7ef58c06031c2e6802dc2a64bd5f4e9
Author:     Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2024-05-10 06:37:00 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2024-05-10 17:59:57 +0000

    dns/unbound: Uodate to 1.20.0

    ChangeLog: https://nlnetlabs.nl/news/2024/May/08/unbound-1.20.0-released/

    Summary of the DNSBomb vulnerability CVE-2024-33655.
    The DNSBomb attack, via specially timed DNS queries and answers, can cause a
    Denial of Service on resolvers and spoofed targets.

    Unbound itself is not vulnerable for DoS, rather it can be used to take part in
    a pulsing DoS amplification attack.

    PR:             278870
    Reported by:    jaap@NLnetLabs.nl (maintainer)
    Security:       CVE-2024-33655

 dns/unbound/Makefile  | 2 +-
 dns/unbound/distinfo  | 6 +++---
 dns/unbound/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
Comment 4 Laurent Frigault 2024-05-30 11:38:14 UTC 
(In reply to commit-hook from comment #3)

Any idea when this commit will be in the branch (probably 2024Q2 ?) used by package build ?
Comment 5 commit-hook freebsd_committer freebsd_triage 2024-05-30 14:01:23 UTC 
A commit in branch 2024Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3ab8e5ac0ada9e596702896dda8bb8cd44d0b2ef

commit 3ab8e5ac0ada9e596702896dda8bb8cd44d0b2ef
Author:     Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2024-05-10 06:37:00 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2024-05-30 14:00:56 +0000

    dns/unbound: Uodate to 1.20.0

    ChangeLog: https://nlnetlabs.nl/news/2024/May/08/unbound-1.20.0-released/

    Summary of the DNSBomb vulnerability CVE-2024-33655.
    The DNSBomb attack, via specially timed DNS queries and answers, can cause a
    Denial of Service on resolvers and spoofed targets.

    Unbound itself is not vulnerable for DoS, rather it can be used to take part in
    a pulsing DoS amplification attack.

    PR:             278870
    Reported by:    jaap@NLnetLabs.nl (maintainer)
    Security:       CVE-2024-33655

    (cherry picked from commit a478d4b5e7ef58c06031c2e6802dc2a64bd5f4e9)

 dns/unbound/Makefile  | 2 +-
 dns/unbound/distinfo  | 6 +++---
 dns/unbound/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
Comment 6 Fernando Apesteguía freebsd_committer freebsd_triage 2024-05-30 14:01:31 UTC 
(In reply to Laurent Frigault from comment #4)
Done.

Thanks for the remainder!