CVE-2014-8602
Published 2014-12-11
CVE-2014-8602: iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory and CPU…
Priority: P430 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
EPSS: 25.20% (97.7th percentile)
iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a large or infinite number of referrals.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | unbound | < unbound 1.4.22-3 (bookworm) | unbound 1.4.22-3 (bookworm) |
| nlnetlabs | unbound | <= 1.5.0 | — |
| nlnetlabs | unbound | >= 0 < 1.4.22-3 | 1.4.22-3 |
| nlnetlabs | unbound | >= 0 < 1.4.22-3 | 1.4.22-3 |
| nlnetlabs | unbound | >= 0 < 1.4.22-3 | 1.4.22-3 |
| nlnetlabs | unbound | >= 0 < 1.4.22-3 | 1.4.22-3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
GHSA
GHSA-rmpj-rcj8-qh82: iterator
ghsa_unreviewed·2022-05-17
CVE-2014-8602 [MEDIUM] GHSA-rmpj-rcj8-qh82: iterator
iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a large or infinite number of referrals.
OSV
CVE-2014-8602: iterator
osv·2014-12-11·CVSS 4.3
CVE-2014-8602 [MEDIUM] CVE-2014-8602: iterator
iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a large or infinite number of referrals.
Ubuntu
Unbound vulnerability
vendor_ubuntu·2015-01-26
CVE-2014-8602 Unbound vulnerability
Title: Unbound vulnerability
Summary: Unbound could be made to consume resources if it received specially crafted network traffic.
Florian Maury discovered that Unbound incorrectly handled delegation. A remote attacker could possibly use this issue to cause Unbound to consume resources, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
BSD
FreeBSD-SA-14:30.unbound: unbound remote denial of service vulnerability
bsd_advisories·2014-12-17·CVSS 4.3
CVE-2014-8602 [MEDIUM] FreeBSD-SA-14:30.unbound: unbound remote denial of service vulnerability
FreeBSD-SA-14:30.unbound Security Advisory
The FreeBSD Project
Topic: unbound remote denial of service vulnerability
Category: contrib
Module: unbound
Announced: 2014-12-17
Affects: FreeBSD 10.0-RELEASE and later
Credits: Florian Maury (ANSSI)
Corrected: 2014-12-17 06:58:00 UTC (stable/10, 10.1-STABLE)
2014-12-17 06:59:47 UTC (releng/10.1, 10.1-RELEASE-p2)
2014-12-17 06:59:47 UTC (releng/10.0, 10.0-RELEASE-p14)
CVE Name: CVE-2014-8602
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
Unbound is a validating, recursive, and caching DNS resolver.
II. Problem Description
By causing queries to be made against a maliciously-constructed zone or
against a mal
Red Hat
unbound: specially crafted request can lead to denial of service
vendor_redhat·2014-12-08·CVSS 4.3
CVE-2014-8602 [MEDIUM] CWE-770 unbound: specially crafted request can lead to denial of service
unbound: specially crafted request can lead to denial of service
iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a large or infinite number of referrals.
A denial of service flaw was found in unbound that an attacker could use to trick the unbound resolver into following an endless loop of delegations, consuming an excessive amount of resources.
Debian
CVE-2014-8602: unbound - iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining...
vendor_debian·2014·CVSS 4.3
CVE-2014-8602 [MEDIUM] CVE-2014-8602: unbound - iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining...
iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a large or infinite number of referrals.
Scope: local
bookworm: resolved (fixed in 1.4.22-3)
bullseye: resolved (fixed in 1.4.22-3)
forky: resolved (fixed in 1.4.22-3)
sid: resolved (fixed in 1.4.22-3)
trixie: resolved (fixed in 1.4.22-3)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-8602 unbound: specially crafted request can lead to denial of service
bugzilla·2014-12-09·CVSS 4.3
CVE-2014-8602 [MEDIUM] CVE-2014-8602 unbound: specially crafted request can lead to denial of service
CVE-2014-8602 unbound: specially crafted request can lead to denial of service
It was reported [1] that the unbound resolver can be tricked into following an endless series of delegations, which consumes a lot of resources.
A patch is available that limits the number of fetches performed for a query [2].
According to the timestamps on https://unbound.net/downloads/, this is fixed in https://unbound.net/downloads/unbound-latest.tar.gz
No official release was made though.
[1]: https://unbound.net/downloads/CVE-2014-8602.txt
[2]: http://unbound.net/downloads/patch_cve_2014_8602.diff
Discussion:
Created unbound tracking bugs for this issue:
Affects: fedora-all [bug 1172066]
Affects: epel-all [bug 1172067]
---
Advisory from the original reporter ANSSI, the French Network and Information Secu
Bugzilla
CVE-2014-8602 unbound: specially crafted request can lead to denial of service [fedora-all]
bugzilla·2014-12-09·CVSS 4.3
CVE-2014-8602 [MEDIUM] CVE-2014-8602 unbound: specially crafted request can lead to denial of service [fedora-all]
CVE-2014-8602 unbound: specially crafted request can lead to denial of service [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supporte
Bugzilla
CVE-2014-8602 unbound: specially crafted request can lead to denial of service [epel-all]
bugzilla·2014-12-09·CVSS 4.3
CVE-2014-8602 [MEDIUM] CVE-2014-8602 unbound: specially crafted request can lead to denial of service [epel-all]
CVE-2014-8602 unbound: specially crafted request can lead to denial of service [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple suppo
References
http://cert.ssi.gouv.fr/site/CERTFR-2014-AVI-512/index.html
http://unbound.net/downloads/patch_cve_2014_8602.diff
http://www.debian.org/security/2014/dsa-3097
http://www.kb.cert.org/vuls/id/264212
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.securityfocus.com/bid/71589
http://www.ubuntu.com/usn/USN-2484-1
https://unbound.net/downloads/CVE-2014-8602.txt
Published: 2014-12-11