Re: CVE 2024 1931 - unbound

From: Gordon Tetlow <gordon_at_tetlows.org>
Date: Sun, 07 Jul 2024 22:48:36 UTC
> On Jul 3, 2024, at 9:00 PM, Wall, Stephen <stephen.wall@redcom.com> wrote:
> 
>> From: Dag-Erling Smørgrav <des@FreeBSD.org>
>> The base system unbound is meant to be used with a configuration generated by
>> `local-unbound-setup`, which never enables the `ede` option which is a
>> prerequisite for the DoS attack described in CVE-2024-1931.
> 
> Thanks for your reply.
> 
> Local_unbound_setup supports dropping additional config files in /var/unbound/conf.d, which will be loaded by unbound.  Files in this directory are not altered by local_unbound_setup.  This implies, to me, that customization of the base unbound is specifically supported, meaning any FreeBSD site could potentially have ede enabled, and therefore by vulnerable to this CVE.
> It's my opinion that this warrants at least an advisory cautioning users of FreeBSD not to enable ede, if not a patch to address it.

Local DoS’s do not get security advisories (logic here is a local user has a million ways to DoS a system). If the user has messed with the configuration of the local_unbound resolver to open it up to the network and get DoS’d from the remote network, I don’t feel this is something secteam is responsible for responding to.

Unbound exists as a port/pkg for the purposes of someone setting up a non-local resolver.

Best regards,
Gordon
Hat: security-officer