NLnet Labs Unbound
cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*
- <= 1.25.0
A cache poisoning vulnerability has been identified in NLnet Labs Unbound DNS resolver versions prior to and including 1.25.0. The issue arises from the handling of promiscuous resource record sets (RRSets) in the authority section of DNS replies. An adversary can exploit this vulnerability by injecting RRSets, such as MX records, that are accompanied by address records in the additional section. This can be done through spoofed reply packets or fragmentation attacks. Unbound may cache these injected records if the authority RRSets are deemed trustworthy, leading to potential misuse of the cached data.
Exploitation of this vulnerability allows for cache poisoning, where malicious DNS records are introduced and stored in Unbound's cache, potentially leading to incorrect DNS resolution.
Users can upgrade to Unbound version 1.25.1, which includes a fix for this vulnerability by disregarding irrelevant address records from the additional section. For those using Unbound 1.25.0, a manual patch is available and can be applied by following the provided instructions.
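The idea behind the fix, shown as a simplified model that is an added example and not Unbound's own code: address records in the additional section are kept only when they belong to an NS target named in the authority section. The record tuples, function names and the set of expected authority types are assumptions made for this illustration.

```python
# Added illustration; a simplified model, not Unbound's scrubber.
# A record is (owner, rtype, rdata); names are dot-terminated.
ADDRESS_TYPES = {"A", "AAAA"}
# Assumption: types expected in the authority section of a referral or
# negative answer. Any other type (such as MX) is flagged as promiscuous.
EXPECTED_AUTHORITY_TYPES = {"NS", "SOA", "DS", "NSEC", "NSEC3", "RRSIG"}


def flag_promiscuous(authority):
    """Return authority records whose type is not expected in that section."""
    return [rr for rr in authority if rr[1] not in EXPECTED_AUTHORITY_TYPES]


def scrub_additional(authority, additional):
    """Split additional-section records into (kept, dropped).

    An address record is kept only if its owner name is the target of an
    NS record in the authority section; non-address records pass through.
    """
    ns_targets = {rdata.lower() for _, rtype, rdata in authority if rtype == "NS"}
    kept, dropped = [], []
    for rr in additional:
        owner, rtype, _ = rr
        if rtype in ADDRESS_TYPES and owner.lower() not in ns_targets:
            dropped.append(rr)  # e.g. an address that only an MX record points at
        else:
            kept.append(rr)
    return kept, dropped


# Constructed sample reply using documentation names and addresses.
AUTHORITY = [
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "MX", "10 mail.example.com."),
]
ADDITIONAL = [
    ("ns1.example.com.", "A", "192.0.2.53"),
    ("NS1.example.com.", "AAAA", "2001:db8::53"),
    ("mail.example.com.", "A", "203.0.113.66"),
]

if __name__ == "__main__":
    kept, dropped = scrub_additional(AUTHORITY, ADDITIONAL)
    print("flagged authority:", flag_promiscuous(AUTHORITY))
    print("kept additional:  ", kept)
    print("dropped additional:", dropped)
```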