NLnet Labs Unbound Heap Overflow Vulnerability in EDNS Option Encoding

Vulnerability

A heap overflow vulnerability has been identified in NLnet Labs Unbound from version 1.14.0 up to and including 1.25.0 (fixed in 1.25.1). The issue arises when multiple NSID, DNS Cookie and/or EDNS Padding options are encoded into the reply packet. Exploitation requires the corresponding option(s) to be enabled on the server. An adversary triggers it by attaching several NSID, DNS Cookie and/or EDNS Padding options to a single query; the size calculation for the EDNS field undercounts the space these options need in the reply, so the encoder writes past the end of the allocated buffer. The result is a heap overflow write of Unbound-controlled data that crashes the resolver.
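The bug class described above, as an added illustration: this is constructed example code, not Unbound's code and not taken from the advisory. It assumes a size estimate that charges for each EDNS option code only once (a hypothetical stand-in for "a flaw in the size calculation"; the page does not describe Unbound's actual miscount), the IANA option codes for NSID, COOKIE and PADDING, and a constructed reply carrying three NSID options, one COOKIE and one PADDING. The hardened encoder re-checks remaining capacity before every write, so a wrong upstream estimate produces a clean failure instead of a heap write past the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* EDNS option codes (IANA registry): NSID RFC 5001, COOKIE RFC 7873, PADDING RFC 7830. */
#define EDNS_OPT_NSID    3
#define EDNS_OPT_COOKIE  10
#define EDNS_OPT_PADDING 12

/* One EDNS option as it appears in OPT RDATA: 2-byte code, 2-byte length, data. */
struct edns_opt {
    uint16_t code;
    uint16_t len;
    const uint8_t *data;
};

/* Hypothetical undercounting estimate: charges each option CODE once, so
 * repeated NSID/COOKIE/PADDING options are not accounted for. Constructed
 * stand-in for a flawed size calculation; not Unbound's actual logic. */
size_t edns_rdlen_per_code(const struct edns_opt *opts, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        int seen_before = 0;
        for (size_t j = 0; j < i; j++) {
            if (opts[j].code == opts[i].code) { seen_before = 1; break; }
        }
        if (!seen_before)
            total += 4 + (size_t)opts[i].len;
    }
    return total;
}

/* Correct RDLENGTH: every option instance costs its 4-byte header plus data. */
size_t edns_rdlen_exact(const struct edns_opt *opts, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += 4 + (size_t)opts[i].len;
    return total;
}

/* Hardened encoder: checks the remaining capacity before each option is
 * written and returns -1 instead of overflowing buf. On success returns the
 * number of bytes written. */
int edns_encode_options(uint8_t *buf, size_t cap,
                        const struct edns_opt *opts, size_t n)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        size_t need = 4 + (size_t)opts[i].len;
        if (cap - pos < need)              /* pos <= cap always holds here */
            return -1;
        buf[pos++] = (uint8_t)(opts[i].code >> 8);
        buf[pos++] = (uint8_t)(opts[i].code & 0xff);
        buf[pos++] = (uint8_t)(opts[i].len >> 8);
        buf[pos++] = (uint8_t)(opts[i].len & 0xff);
        memcpy(buf + pos, opts[i].data, opts[i].len);
        pos += opts[i].len;
    }
    return (int)pos;
}

/* Constructed sample: the server answers three NSID requests, one COOKIE and
 * one PADDING option from a single query. Byte values are placeholders. */
static const uint8_t SAMPLE_NSID[3]   = { 'n', 's', '1' };
static const uint8_t SAMPLE_ZEROS[16] = { 0 };   /* stands in for cookie/padding bytes */
const struct edns_opt SAMPLE_OPTS[] = {
    { EDNS_OPT_NSID,    3,  SAMPLE_NSID  },
    { EDNS_OPT_NSID,    3,  SAMPLE_NSID  },
    { EDNS_OPT_NSID,    3,  SAMPLE_NSID  },
    { EDNS_OPT_COOKIE,  16, SAMPLE_ZEROS },
    { EDNS_OPT_PADDING, 12, SAMPLE_ZEROS },
};
const size_t SAMPLE_N = sizeof(SAMPLE_OPTS) / sizeof(SAMPLE_OPTS[0]);

int main(void)
{
    uint8_t reply[128];
    size_t est   = edns_rdlen_per_code(SAMPLE_OPTS, SAMPLE_N);
    size_t exact = edns_rdlen_exact(SAMPLE_OPTS, SAMPLE_N);
    printf("per-code estimate: %zu bytes, exact: %zu bytes\n", est, exact);
    /* A buffer sized from the bad estimate is too small; the guarded encoder refuses. */
    printf("encode into %zu bytes -> %d\n", est,
           edns_encode_options(reply, est, SAMPLE_OPTS, SAMPLE_N));
    printf("encode into %zu bytes -> %d\n", sizeof reply,
           edns_encode_options(reply, sizeof reply, SAMPLE_OPTS, SAMPLE_N));
    return 0;
}
```

The point of the comparison is that the per-instance check in the encoder is what stands between a miscounted estimate and a heap write: with the estimate alone, the three repeated NSID options and the extra options would be written past the end of a 43-byte allocation that actually needs 57 bytes.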

Impact

Exploitation of this vulnerability causes a heap overflow that writes Unbound-controlled, not attacker-controlled, data past the end of a heap buffer. The observed effect is a crash of the Unbound process, i.e. denial of service for the resolver's clients.

Remediation

Users should upgrade to Unbound version 1.25.1, which includes the fix. For those who must stay on Unbound 1.25.0, a specific patch is available that addresses the vulnerability; instructions for applying it are included in the Unbound 1.25.0 release notes. After upgrading, confirm the installed version with unbound -V and restart the service so the running process uses the new binary. Until the upgrade can be applied, disabling the affected options (NSID, DNS Cookies, EDNS Padding) removes the precondition for exploitation stated above.

Added: May 20, 2026, 10:20 AM
Updated: May 20, 2026, 10:20 AM

Vulnerability Rating

Custom Algorithm
spread: 8.1
impact: 3.1
exploitability: 7.8
remediation: 8.3
relevance: 8.9
threat: 0.0
urgency: 10.0
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.