NLnet Labs Unbound DNSSEC Validator Denial-of-Service and Remote Code Execution Vulnerability

Vulnerability

A vulnerability in the DNSSEC validator of NLnet Labs Unbound versions 1.19.1 prior to 1.25.0 allows for denial of service and potentially remote code execution. The issue arises from the deep copying of a data structure, which incorrectly overwrites a destination pointer. An adversary who controls a malicious signed zone can trigger it by causing a vulnerable Unbound server to query that zone.

When DS sub-queries must pause validation because the NSEC3 computational budget is exhausted (a feature introduced in Unbound 1.19.1), Unbound deep-copies the response messages so that they survive the cleanup of memory regions. However, a struct-assignment error replaces the destination pointer with that of the source, so the copy aliases memory owned by the sub-query. Once the sub-query's memory region is released, validation resumes by dereferencing this dangling pointer, leading to a crash or potentially allowing arbitrary code execution.
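The bug class described above, reduced to a self-contained example. This is added illustrative code, not Unbound's source: the `struct msg` type, the copy routines and the sample body are all invented here to show how a whole-struct assignment inside a deep-copy routine clobbers the freshly allocated destination pointer, leaving the copy aliasing (and later dangling into) memory the source still owns. The corrected routine copies each field explicitly, which is the shape of fix the advisory describes.

```c
/* Added example (not Unbound's code): the deep-copy struct-assignment bug
 * pattern from the advisory, on a hypothetical message type. All names here
 * are invented for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical response message: scalar header fields plus an owned heap body. */
struct msg {
    unsigned int id;
    size_t len;
    unsigned char *body;   /* owned heap buffer */
};

/* Buggy deep copy: a fresh body is allocated for dst, but the whole-struct
 * assignment that follows overwrites dst->body with src->body. The fresh
 * buffer leaks and dst now points into memory that src (its region) owns,
 * so releasing the source region leaves dst->body dangling. */
int msg_copy_buggy(struct msg *dst, const struct msg *src) {
    dst->body = malloc(src->len);
    if (!dst->body) return -1;
    memcpy(dst->body, src->body, src->len);
    *dst = *src;            /* BUG: pointer field clobbered by src's pointer */
    return 0;
}

/* Correct deep copy: copy scalar fields one by one and give dst its own buffer. */
int msg_copy_safe(struct msg *dst, const struct msg *src) {
    unsigned char *body = malloc(src->len);
    if (!body) return -1;
    memcpy(body, src->body, src->len);
    dst->id = src->id;
    dst->len = src->len;
    dst->body = body;
    return 0;
}

/* Build a constructed sample message; returns 0 on success. */
static int msg_init(struct msg *m, unsigned int id, const char *text) {
    m->id = id;
    m->len = strlen(text);
    m->body = malloc(m->len);
    if (!m->body) return -1;
    memcpy(m->body, text, m->len);
    return 0;
}

/* Does a copy produced by `copy` share its body pointer with the source?
 * Returns 1 if aliased (it would dangle once the source region is freed),
 * 0 if the copy owns an independent buffer, -1 on allocation failure.
 * The check is made before anything is freed, so no freed memory is touched. */
int copy_aliases(int (*copy)(struct msg *, const struct msg *)) {
    struct msg src, dst;
    if (msg_init(&src, 7, "constructed-sample-body") != 0) return -1;
    memset(&dst, 0, sizeof dst);
    if (copy(&dst, &src) != 0) { free(src.body); return -1; }
    int aliased = (dst.body == src.body);
    /* Simulate the source region being released. With the buggy copy the
     * malloc'd buffer has already leaked and dst.body is now dangling, so it
     * must not be freed or read; only an independent copy is released here. */
    free(src.body);
    if (!aliased) free(dst.body);
    return aliased;
}

int main(void) {
    printf("buggy copy aliases source: %d\n", copy_aliases(msg_copy_buggy));
    printf("safe copy aliases source:  %d\n", copy_aliases(msg_copy_safe));
    return 0;
}
```

Compiling with `-fsanitize=address` and adding a read through `dst.body` after the source is freed turns the aliasing in the buggy path into a reported heap-use-after-free, which is the same class of failure the advisory describes for the validator.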

Impact

Exploitation of this vulnerability can cause a crash or enable arbitrary code execution on the affected Unbound server.

Remediation

Users can upgrade to Unbound version 1.25.1, which includes the necessary fix. This version can be downloaded from the NLnet Labs Unbound download page. For users currently on Unbound 1.25.0, a specific patch is available and can be applied manually. Instructions for applying this patch are also provided on the NLnet Labs Unbound download page.

Added: May 20, 2026, 10:23 AM
Updated: May 20, 2026, 10:23 AM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          8.1
  impact          7.5
  exploitability  5.7
  remediation     7.7
  relevance       8.9
  threat          0.0
  urgency         10.0
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.