CVE-2017-15105
Published: 23 January 2018
A flaw was found in the way unbound before 1.6.8 validated wildcard-synthesized NSEC records. An improperly validated wildcard NSEC record could be used to prove the non-existence (NXDOMAIN answer) of an existing wildcard record, or trick unbound into accepting a NODATA proof.
From the Ubuntu Security Team
Ralph Dolmans and Karst Koymans discovered that Unbound did not properly handle certain NSEC records. An attacker could use this to to prove the non-existence (NXDOMAIN answer) of an existing wildcard record, or trick Unbound into accepting a NODATA proof.
Priority
Status
Package | Release | Status |
---|---|---|
unbound Launchpad, Ubuntu, Debian |
artful |
Released
(1.6.5-1ubuntu0.2)
|
bionic |
Released
(1.6.7-1ubuntu2.1)
|
|
trusty |
Released
(1.4.22-1ubuntu4.14.04.3)
|
|
upstream |
Released
(1.6.8)
|
|
xenial |
Released
(1.5.8-1ubuntu1.1)
|
|
Patches: upstream: https://unbound.net/downloads/patch_cve_2017_15105.diff |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.3 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |