CVE-2022-3204

NameCVE-2022-3204
DescriptionA vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the attack and the replies, different limits could be reached. From version 1.16.3 on, Unbound introduces fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3371-1, ELA-820-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
unbound (PTS)jessie, jessie (lts)1.4.22-3+deb8u4vulnerable
stretch1.6.0-3+deb9u2vulnerable
buster (security), buster, buster (lts)1.9.0-2+deb10u4fixed
bullseye1.13.1-1+deb11u2fixed
bullseye (security)1.13.1-1+deb11u3fixed
bookworm (security), bookworm1.17.1-2+deb12u2fixed
sid, trixie1.22.0-1fixed
unbound1.9 (PTS)stretch (security)1.9.0-2+deb10u2~deb9u2vulnerable
stretch (lts), stretch1.9.0-2+deb10u2~deb9u4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
unboundsourcejessie(unfixed)end-of-life
unboundsourcestretch(unfixed)end-of-life
unboundsourcebuster1.9.0-2+deb10u3DLA-3371-1
unboundsourcebullseye1.13.1-1+deb11u1
unboundsource(unstable)1.16.3-1
unbound1.9sourcestretch1.9.0-2+deb10u2~deb9u3ELA-820-1
unbound1.9source(unstable)(unfixed)

Notes

https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt
Fixed by: https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554 (release-1.16.3)

Search for package or bug name: Reporting problems