Huawei EulerOS Local Security Checks : Huawei EulerOS: Security Advisory for unbound (EulerOS-SA-2023-1156)

Vulnerability Search		Search 324607 CVE descriptions and 146377 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.1.2.2023.1156

Category: Huawei EulerOS Local Security Checks

Title: Huawei EulerOS: Security Advisory for unbound (EulerOS-SA-2023-1156)

Summary: The remote host is missing an update for the Huawei EulerOS 'unbound' package(s) announced via the EulerOS-SA-2023-1156 advisory.

Description: Summary:
The remote host is missing an update for the Huawei EulerOS 'unbound' package(s) announced via the EulerOS-SA-2023-1156 advisory.

Vulnerability Insight:
A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the attack and the replies, different limits could be reached. From version 1.16.3 on, Unbound introduces fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records.(CVE-2022-3204)

Affected Software/OS:
'unbound' package(s) on Huawei EulerOS Virtualization release 2.10.1.

Solution:
Please install the updated package(s).

CVSS Score:
7.8

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2022-3204
https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3G2HS6CYPSIGAKO6QLEZPG3RD6AMPB7B/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/35QGS5FBQTG3DBSK7QV67PA64P24ABHY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4S4EU6DMJXQFMAIE6SLAH4H5RNRU6VQL/
https://security.gentoo.org/glsa/202212-02
https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html

Copyright Copyright (C) 2023 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.1.2.2023.1156
Category:	Huawei EulerOS Local Security Checks
Title:	Huawei EulerOS: Security Advisory for unbound (EulerOS-SA-2023-1156)
Summary:	The remote host is missing an update for the Huawei EulerOS 'unbound' package(s) announced via the EulerOS-SA-2023-1156 advisory.
Description:	Summary: The remote host is missing an update for the Huawei EulerOS 'unbound' package(s) announced via the EulerOS-SA-2023-1156 advisory. Vulnerability Insight: A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the attack and the replies, different limits could be reached. From version 1.16.3 on, Unbound introduces fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records.(CVE-2022-3204) Affected Software/OS: 'unbound' package(s) on Huawei EulerOS Virtualization release 2.10.1. Solution: Please install the updated package(s). CVSS Score: 7.8 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2022-3204 https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3G2HS6CYPSIGAKO6QLEZPG3RD6AMPB7B/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/35QGS5FBQTG3DBSK7QV67PA64P24ABHY/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4S4EU6DMJXQFMAIE6SLAH4H5RNRU6VQL/ https://security.gentoo.org/glsa/202212-02 https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html
Copyright	Copyright (C) 2023 Greenbone AG