While X41 is still auditing, first results are already making their way into the unbound codebase thanks to the diligent developers at NLnet Labs.
Today, another issue was resolved in unbound that could lead to
remote code execution if the ipsecmod module was enabled.
Eric Sesterhenn noticed a shell injection vulnerability when the ipsecmod
helper tool was executed via
This shell injection can be easily triggered by a malicious DNS response
packet. The unbound project already released an update for this issue and all users are encouraged to update to version 1.9.5. This issue is tracked via CVE-2019-18934.
worker_handle_request() in file ‘daemon/worker.c’ does the high-level parsing of incoming DNS requests. While extracting EDNS information from the incoming packet, it will call parse_edns_from_pkt() with a pointer to the stack-allocated struct edns where EDNS data will be stored, if present.
edns is not initialized after declaration in
When the input packet has no valid EDNS data, some error paths in
still do not initialize edns, and let worker_handle_request() continue processing the request.
Just after calling parse_edns_from_pkt(), EDNS processing branches will be executed if
is still not initialized and contains whatever data was present in
the stack when it was declared. This effectively means
true even when the request contained no valid EDNS data.
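The pattern described above, as an added example that is not unbound's code: a parser that leaves its output struct untouched on the "no valid EDNS" path, next to a hardened variant that clears it first. The struct, its `present` field, the function names and the one-byte tag format are assumptions made for illustration, and the 0xA5 fill stands in for leftover stack contents.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model: struct, field and function names are hypothetical. */
struct edns_model {
    int present;              /* nonzero when the packet carried EDNS data */
    unsigned short udp_size;
};

/* Constructed sample inputs: tag byte 0x29 followed by a 2-byte size. */
static const unsigned char PKT_NO_EDNS[]   = { 0x00, 0x01 };
static const unsigned char PKT_WITH_EDNS[] = { 0x29, 0x10, 0x00 };

/* Flawed parser: the "no valid EDNS" path returns without writing *e. */
int parse_flawed(const unsigned char *pkt, size_t len, struct edns_model *e)
{
    if (len < 3 || pkt[0] != 0x29)
        return 0;             /* caller continues; *e keeps its old bytes */
    e->present = 1;
    e->udp_size = (unsigned short)((pkt[1] << 8) | pkt[2]);
    return 0;
}

/* Hardened parser: output is set to a defined state before any return. */
int parse_hardened(const unsigned char *pkt, size_t len, struct edns_model *e)
{
    memset(e, 0, sizeof(*e));
    return parse_flawed(pkt, len, e);
}

typedef int (*parse_fn)(const unsigned char *, size_t, struct edns_model *);

/* Returns 1 if the caller's EDNS branch would run. The 0xA5 fill stands in
 * for leftover stack contents, so the result is deterministic and no
 * indeterminate memory is read. */
int edns_branch_taken(parse_fn parse, const unsigned char *pkt, size_t len)
{
    struct edns_model e;
    memset(&e, 0xA5, sizeof(e));
    if (parse(pkt, len, &e) != 0)
        return 0;
    return e.present != 0;
}

int main(void)
{
    printf("flawed, no EDNS:   %d\n", edns_branch_taken(parse_flawed, PKT_NO_EDNS, sizeof(PKT_NO_EDNS)));
    printf("hardened, no EDNS: %d\n", edns_branch_taken(parse_hardened, PKT_NO_EDNS, sizeof(PKT_NO_EDNS)));
    return 0;
}
```

Initializing the struct at its declaration in the caller gives the same protection even when a parser path forgets to write its output.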
If you are interested in working with us on such projects in the future, ping us!