CVE-2022-30698
Published 2022-08-01
Priority: P4 (34), medium
CVSS 3.1: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.85% (53.6th percentile)
NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The attack targets an Unbound instance: Unbound is queried for a subdomain of a rogue domain name, and the rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This can be repeated before the delegation information expires by querying Unbound for a second-level subdomain, for which the rogue nameserver provides new delegation information. Since Unbound is a child-centric resolver, the ever-updating child delegation information can keep a rogue domain name resolvable long after revocation. From version 1.16.2 on, Unbound checks the validity of parent delegation records before using cached delegation information.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | unbound | < unbound 1.16.2-1 (bookworm) | unbound 1.16.2-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | cbl2_unbound_1.16.2-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_unbound_1.10.0-5_on_cbl_mariner_1.0 | — | — |
| nlnet_labs | unbound | unspecified – 1.16.1 | — |
| nlnetlabs | unbound | < 1.16.2 | 1.16.2 |
| nlnetlabs | unbound | >= 0 < 1.13.1-1+deb11u1 | 1.13.1-1+deb11u1 |
| nlnetlabs | unbound | >= 0 < 1.16.2-1 | 1.16.2-1 |
| nlnetlabs | unbound | >= 0 < 1.16.2-1 | 1.16.2-1 |
| nlnetlabs | unbound | >= 0 < 1.16.2-1 | 1.16.2-1 |
CVSS provenance
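| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_msrc | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |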
Ubuntu
Unbound vulnerabilities
vendor_ubuntu·2022-08-16
CVE-2022-30699 Unbound vulnerabilities
Title: Unbound vulnerabilities
Summary: Unbound could be made to cache rogue domain names.
Xiang Li discovered that Unbound incorrectly handled delegation caching.
A remote attacker could use this issue to keep rogue domain names
resolvable long after they have been revoked.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
Novel "ghost domain names" attack by introducing subdomain delegations
vendor_msrc·2022-08-09·CVSS 6.5
CVE-2022-30698 [MEDIUM] CWE-613 Novel "ghost domain names" attack by introducing subdomain delegations
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
NLnet Labs: NLnet Labs
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Red Hat
unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names
vendor_redhat·2022-08-01·CVSS 6.5
CVE-2022-30698 [MEDIUM] CWE-613 unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names
Debian
CVE-2022-30698: unbound - NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel ...
vendor_debian·2022·CVSS 6.5
CVE-2022-30698 [MEDIUM] CVE-2022-30698: unbound - NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel ...
GHSA
GHSA-297v-qp46-84h5: NLnet Labs Unbound, up to and including version 1
ghsa_unreviewed·2022-08-02
CVE-2022-30698 [MEDIUM] CWE-613 GHSA-297v-qp46-84h5: NLnet Labs Unbound, up to and including version 1
OSV
CVE-2022-30698: NLnet Labs Unbound, up to and including version 1
osv·2022-08-01·CVSS 6.5
CVE-2022-30698 [MEDIUM] CVE-2022-30698: NLnet Labs Unbound, up to and including version 1
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5L3ZFWZZFPBIL654BG75RWXUMPFQJ5EC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D35CX4SCZVNKZTWJXPDFTHWZHINMGEZD/
https://security.gentoo.org/glsa/202212-02
https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt