CVE-2022-30699

01.08.2022, 15:15

NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire making the rogue delegation information ever-updating. From version 1.16.2 on, Unbound stores the start time for a query and uses that to decide if the cached delegation information can be overwritten.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 28%

Affected Products (NVD)

Vendor	Product	Version
nlnetlabs	unbound	𝑥 < 1.16.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

unbound

bookworm	1.17.1-2+deb12u2 fixed
bookworm (security)	1.17.1-2+deb12u2 fixed
bullseye	1.13.1-1+deb11u2 fixed
bullseye (security)	1.13.1-1+deb11u3 fixed
sid	1.22.0-1 fixed
trixie	1.22.0-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

unbound

bionic	Fixed 1.6.7-1ubuntu2.5 released
focal	Fixed 1.9.4-2ubuntu1.3 released
jammy	Fixed 1.13.1-1ubuntu5.1 released
kinetic	Fixed 1.16.2-1 released
lunar	Fixed 1.16.2-1 released
mantic	Fixed 1.16.2-1 released
noble	Fixed 1.16.2-1 released
trusty	needed
xenial	needed

openSUSE / SLES Releases

openSUSE Product

Release

libunbound8

suse enterprise desktop 15 SP5	1.20.0-150100.10.13.1 fixed
suse enterprise desktop 15 SP6	1.20.0-150600.23.3.1 fixed
suse enterprise desktop 15 SP7	1.20.0-150600.23.3.1 fixed
suse enterprise sap 15 SP2	1.20.0-150100.10.13.1 fixed
suse enterprise sap 15 SP3	1.20.0-150100.10.13.1 fixed
suse enterprise sap 15 SP4	1.20.0-150100.10.13.1 fixed
suse enterprise sap 15 SP5	1.20.0-150100.10.13.1 fixed
suse enterprise sap 15 SP6	1.20.0-150600.23.3.1 fixed
suse enterprise sap 15 SP7	1.20.0-150600.23.3.1 fixed
suse enterprise server 15 SP2	1.20.0-150100.10.13.1 fixed
suse enterprise server 15 SP3	1.20.0-150100.10.13.1 fixed
suse enterprise server 15 SP4	1.20.0-150100.10.13.1 fixed
suse enterprise server 15 SP5	1.20.0-150100.10.13.1 fixed
suse enterprise server 15 SP6	1.20.0-150600.23.3.1 fixed
suse enterprise server 15 SP7	1.20.0-150600.23.3.1 fixed

unbound-anchor

suse enterprise desktop 15 SP5	1.20.0-150100.10.13.1 fixed
suse enterprise desktop 15 SP6	1.20.0-150600.23.3.1 fixed
suse enterprise desktop 15 SP7	1.20.0-150600.23.3.1 fixed
suse enterprise sap 15 SP2	1.20.0-150100.10.13.1 fixed
suse enterprise sap 15 SP3	1.20.0-150100.10.13.1 fixed
suse enterprise sap 15 SP4	1.20.0-150100.10.13.1 fixed
suse enterprise sap 15 SP5	1.20.0-150100.10.13.1 fixed
suse enterprise sap 15 SP6	1.20.0-150600.23.3.1 fixed
suse enterprise sap 15 SP7	1.20.0-150600.23.3.1 fixed
suse enterprise server 15 SP2	1.20.0-150100.10.13.1 fixed
suse enterprise server 15 SP3	1.20.0-150100.10.13.1 fixed
suse enterprise server 15 SP4	1.20.0-150100.10.13.1 fixed
suse enterprise server 15 SP5	1.20.0-150100.10.13.1 fixed
suse enterprise server 15 SP6	1.20.0-150600.23.3.1 fixed
suse enterprise server 15 SP7	1.20.0-150600.23.3.1 fixed

unbound-devel

suse enterprise desktop 15 SP5	1.20.0-150100.10.13.1 fixed
suse enterprise desktop 15 SP6	1.20.0-150600.23.3.1 fixed
suse enterprise desktop 15 SP7	1.20.0-150600.23.3.1 fixed
suse enterprise sap 15 SP2	1.20.0-150100.10.13.1 fixed
suse enterprise sap 15 SP3	1.20.0-150100.10.13.1 fixed
suse enterprise sap 15 SP4	1.20.0-150100.10.13.1 fixed
suse enterprise sap 15 SP5	1.20.0-150100.10.13.1 fixed
suse enterprise sap 15 SP6	1.20.0-150600.23.3.1 fixed
suse enterprise sap 15 SP7	1.20.0-150600.23.3.1 fixed
suse enterprise server 15 SP2	1.20.0-150100.10.13.1 fixed
suse enterprise server 15 SP3	1.20.0-150100.10.13.1 fixed
suse enterprise server 15 SP4	1.20.0-150100.10.13.1 fixed
suse enterprise server 15 SP5	1.20.0-150100.10.13.1 fixed
suse enterprise server 15 SP6	1.20.0-150600.23.3.1 fixed
suse enterprise server 15 SP7	1.20.0-150600.23.3.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

python3-unbound

RHEL 8	0:1.16.2-2.el8 fixed
RHEL 8.6 AUS	0:1.7.3-17.el8_6.5 fixed
RHEL 8.6 E4S	0:1.7.3-17.el8_6.5 fixed
RHEL 8.6 EUS	0:1.7.3-17.el8_6.5 fixed
RHEL 8.6 TUS	0:1.7.3-17.el8_6.5 fixed
RHEL 9	0:1.16.2-2.el9 fixed

unbound

RHEL 8	0:1.16.2-2.el8 fixed
RHEL 8.6 AUS	0:1.7.3-17.el8_6.5 fixed
RHEL 8.6 E4S	0:1.7.3-17.el8_6.5 fixed
RHEL 8.6 EUS	0:1.7.3-17.el8_6.5 fixed
RHEL 8.6 TUS	0:1.7.3-17.el8_6.5 fixed
RHEL 9	0:1.16.2-2.el9 fixed

unbound-devel

RHEL 8	0:1.16.2-2.el8 fixed
RHEL 8.6 AUS	0:1.7.3-17.el8_6.5 fixed
RHEL 8.6 E4S	0:1.7.3-17.el8_6.5 fixed
RHEL 8.6 EUS	0:1.7.3-17.el8_6.5 fixed
RHEL 8.6 TUS	0:1.7.3-17.el8_6.5 fixed
RHEL 9	0:1.16.2-2.el9 fixed

unbound-libs

RHEL 8	0:1.16.2-2.el8 fixed
RHEL 8.6 AUS	0:1.7.3-17.el8_6.5 fixed
RHEL 8.6 E4S	0:1.7.3-17.el8_6.5 fixed
RHEL 8.6 EUS	0:1.7.3-17.el8_6.5 fixed
RHEL 8.6 TUS	0:1.7.3-17.el8_6.5 fixed
RHEL 9	0:1.16.2-2.el9 fixed

Common Weakness Enumeration

CWE-613 - Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References

https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5L3ZFWZZFPBIL654BG75RWXUMPFQJ5EC/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D35CX4SCZVNKZTWJXPDFTHWZHINMGEZD/

https://security.gentoo.org/glsa/202212-02

https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt

https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5L3ZFWZZFPBIL654BG75RWXUMPFQJ5EC/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D35CX4SCZVNKZTWJXPDFTHWZHINMGEZD/

https://security.gentoo.org/glsa/202212-02

https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt