Re: CVE 2024 1931 - unbound
- Reply: Wall, Stephen: "RE: CVE 2024 1931 - unbound"
- In reply to: Wall, Stephen: "RE: CVE 2024 1931 - unbound"
Date: Sun, 07 Jul 2024 22:48:36 UTC
> On Jul 3, 2024, at 9:00 PM, Wall, Stephen <stephen.wall@redcom.com> wrote:
>
>> From: Dag-Erling Smørgrav <des@FreeBSD.org>
>> The base system unbound is meant to be used with a configuration generated by
>> `local-unbound-setup`, which never enables the `ede` option which is a
>> prerequisite for the DoS attack described in CVE-2024-1931.
>
> Thanks for your reply.
>
> Local_unbound_setup supports dropping additional config files in /var/unbound/conf.d, which will be loaded by unbound. Files in this directory are not altered by local_unbound_setup. This implies, to me, that customization of the base unbound is specifically supported, meaning any FreeBSD site could potentially have ede enabled, and therefore be vulnerable to this CVE.
> It's my opinion that this warrants at least an advisory cautioning users of FreeBSD not to enable ede, if not a patch to address it.

Local DoSes do not get security advisories (logic here is a local user has a million ways to DoS a system). If the user has messed with the configuration of the local_unbound resolver to open it up to the network and get DoS’d from the remote network, I don’t feel this is something secteam is responsible for responding to. Unbound exists as a port/pkg for the purposes of someone setting up a non-local resolver.

Best regards,
Gordon
Hat: security-officer
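As an added example (not from the thread or from FreeBSD), a small sh check for the situation discussed above: it scans the base-system unbound configuration together with the conf.d drop-ins and reports any file that turns on `ede`. The function name and the path arguments are assumptions; the layout (main config plus /var/unbound/conf.d/*.conf) is the one Stephen describes.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Report whether `ede: yes` is set anywhere in the local_unbound
# configuration, including drop-in files that local-unbound-setup
# does not touch. Comments are stripped before matching so a
# commented-out "# ede: yes" does not count.
#
# Usage: unbound_ede_enabled MAIN_CONF CONF_D_DIR
#   e.g. unbound_ede_enabled /var/unbound/unbound.conf /var/unbound/conf.d
# Prints each offending file; returns 0 if EDE is enabled anywhere,
# 1 if no file enables it.
unbound_ede_enabled() {
    main_conf=$1
    conf_d=$2
    found=1
    for f in "$main_conf" "$conf_d"/*.conf; do
        [ -f "$f" ] || continue
        # drop everything after '#', then look for an active ede: yes
        if sed 's/#.*//' "$f" | grep -Eiq '^[[:space:]]*ede:[[:space:]]*yes'; then
            echo "EDE enabled in $f"
            found=0
        fi
    done
    return $found
}
```

Run it after any change under conf.d; a return code of 0 means the prerequisite for the CVE-2024-1931 DoS is present in the configuration.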