NLnet Labs Unbound
cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*
- >= 1.6.2, <= 1.23.0
A cache poisoning vulnerability known as the 'Rebirthday Attack' has been identified in the Unbound DNS resolver, versions 1.6.2 up to and including 1.23.0, when compiled with EDNS Client Subnet (ECS) support and configured to send ECS information to upstream name servers. This vulnerability allows a malicious actor to exploit the DNS transaction ID matching process, leading to the caching of non-ECS poisonous replies.
Exploitation of this vulnerability allows for cache poisoning, where malicious responses are cached by the DNS resolver, potentially leading to incorrect DNS resolution for users.
To reproduce this vulnerability, first ensure that Unbound is compiled with ECS support and is configured to send ECS information to upstream name servers. This can be done by enabling the 'send-client-subnet', 'client-subnet-zone', or 'client-subnet-always-forward' options. Once the resolver is configured, send queries that result in segregated ECS outbound traffic for a specific domain. Then, send non-ECS poisonous replies while attempting to guess the DNS transaction ID before the actual response from the upstream name server is received.
Users can upgrade to Unbound version 1.23.1, which includes a fix for the Rebirthday Attack vulnerability. The patched version can be downloaded from the NLnet Labs Unbound download page. For users on Unbound 1.23.0, a manual patch is available and can be applied by following the provided instructions.
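An exposure check built from the affected version range and the three ECS options named above, as an added example that is not NLnet Labs' or this page's code. The function names and the sample configuration are constructed for illustration; the check assumes the binary was compiled with ECS support and does not follow `include:` files.

```python
import re

AFFECTED_MIN = (1, 6, 2)   # from the advisory: >= 1.6.2
AFFECTED_MAX = (1, 23, 0)  # from the advisory: <= 1.23.0
ECS_OPTIONS = ("send-client-subnet", "client-subnet-zone",
               "client-subnet-always-forward")

def parse_version(text):
    """Return (major, minor, patch) from a string such as '1.23.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def version_affected(text):
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX

def ecs_settings(conf_text):
    """List (option, value) pairs that make the resolver send ECS upstream."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        key, sep, value = line.partition(":")      # first colon only (IPv6-safe)
        key, value = key.strip(), value.strip().strip('"\'')
        if not sep or key not in ECS_OPTIONS or not value:
            continue
        if key == "client-subnet-always-forward" and value.lower() != "yes":
            continue  # boolean option, only 'yes' enables it
        found.append((key, value))
    return found

def exposed(version_text, conf_text):
    """True when an affected version is configured to send ECS upstream."""
    return version_affected(version_text) and bool(ecs_settings(conf_text))

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    # send-client-subnet: 192.0.2.1
    send-client-subnet: 198.51.100.0/24
    client-subnet-zone: "example.com"
    client-subnet-always-forward: no
"""

if __name__ == "__main__":
    for opt, val in ecs_settings(SAMPLE_CONF):
        print(f"ECS enabled by {opt}: {val}")
    print("exposed:", exposed("1.22.0", SAMPLE_CONF))
```

A resolver reported as exposed should be upgraded to 1.23.1 or patched as described above.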