CVE-2022-30699
Published 2022-08-01
Priority P3 · 35 · medium · 6.5 CVSS 3.1
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.85% (53.6th percentile)
NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire making the rogue delegation information ever-updating. From version 1.16.2 on, Unbound stores the start time for a query and uses that to decide if the cached delegation information can be overwritten.
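The overwrite decision described above can be shown with a simplified model. This is an added example, not Unbound's code: `DelegationCache`, `simulate`, the `ghost.example.` names and the timing values are constructed for illustration, and the only difference between the two runs is whether expiry is judged at answer arrival or at query start.

```python
from dataclasses import dataclass

ZONE = "ghost.example."  # constructed name for a delegation the parent has revoked


@dataclass
class Delegation:
    nameserver: str
    expires_at: int  # absolute time (s) at which the cached NS data expires


class DelegationCache:
    """Toy delegation cache; a model of the decision, not Unbound's data structures."""

    def __init__(self, use_query_start_time: bool):
        self.use_query_start_time = use_query_start_time
        self.entries: dict[str, Delegation] = {}

    def store(self, zone, nameserver, ttl, query_start, arrival) -> bool:
        """Offer delegation data from a response; return True if it was cached."""
        cached = self.entries.get(zone)
        # Pre-1.16.2 behaviour judges expiry at arrival; the fix judges it at query start.
        reference = query_start if self.use_query_start_time else arrival
        if cached is not None and cached.expires_at > reference:
            return False  # entry was still live at the reference time: keep it as is
        self.entries[zone] = Delegation(nameserver, arrival + ttl)
        return True


def simulate(use_query_start_time: bool, rounds: int = 5, ttl: int = 3600, delay: int = 2) -> int:
    """Return the time at which the revoked delegation finally leaves the cache."""
    cache = DelegationCache(use_query_start_time)
    cache.entries[ZONE] = Delegation("ns.ghost.example.", ttl)  # legitimately cached at t=0
    for _ in range(rounds):
        expiry = cache.entries[ZONE].expires_at
        query_start = expiry - 1          # query sent just before the entry expires
        arrival = query_start + delay     # delayed answer lands just after expiry
        if not cache.store(ZONE, "ns.ghost.example.", ttl, query_start, arrival):
            break  # refresh refused: the entry expires and the parent is asked next
    return cache.entries[ZONE].expires_at


if __name__ == "__main__":
    print("arrival-time check    :", simulate(False))
    print("query-start-time check:", simulate(True))
```

With the arrival-time check every round extends the entry by another TTL; with the query-start check the first refresh is refused and the entry expires on schedule.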
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | unbound | < unbound 1.16.2-1 (bookworm) | unbound 1.16.2-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | cbl2_unbound_1.16.2-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_unbound_1.10.0-5_on_cbl_mariner_1.0 | — | — |
| nlnet_labs | unbound | unspecified – 1.16.1 | — |
| nlnetlabs | unbound | < 1.16.2 | 1.16.2 |
| nlnetlabs | unbound | >= 0 < 1.13.1-1+deb11u1 | 1.13.1-1+deb11u1 |
| nlnetlabs | unbound | >= 0 < 1.16.2-1 | 1.16.2-1 |
| nlnetlabs | unbound | >= 0 < 1.16.2-1 | 1.16.2-1 |
| nlnetlabs | unbound | >= 0 < 1.16.2-1 | 1.16.2-1 |
CVSS provenance
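| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| osv | 6.5 | MEDIUM | — |
| vendor_debian | 6.5 | MEDIUM | — |
| vendor_msrc | 6.5 | MEDIUM | — |
| vendor_redhat | 6.5 | MEDIUM | — |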
Ubuntu
Unbound vulnerabilities
vendor_ubuntu·2022-08-16
CVE-2022-30699 Unbound vulnerabilities
Title: Unbound vulnerabilities
Summary: Unbound could be made to cache rogue domain names.
Xiang Li discovered that Unbound incorrectly handled delegation caching.
A remote attacker could use this issue to keep rogue domain names
resolvable long after they have been revoked.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
Novel "ghost domain names" attack by updating almost expired delegation information
vendor_msrc·2022-08-09·CVSS 6.5
CVE-2022-30699 [MEDIUM] CWE-613 Novel "ghost domain names" attack by updating almost expired delegation information
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
NLnet Labs: NLnet Labs
Customer Action Required: Yes
Remediation: CBL-Mari
Red Hat
unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names
vendor_redhat·2022-08-01·CVSS 6.5
CVE-2022-30699 [MEDIUM] CWE-613 unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names
Debian
CVE-2022-30699: unbound - NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel...
vendor_debian·2022·CVSS 6.5
CVE-2022-30699 [MEDIUM] CVE-2022-30699: unbound - NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel...
Scope: local
bookworm: re
GHSA
GHSA-fjfh-84xh-5hv3: NLnet Labs Unbound, up to and including version 1
ghsa_unreviewed·2022-08-02
CVE-2022-30699 [MEDIUM] CWE-613 GHSA-fjfh-84xh-5hv3: NLnet Labs Unbound, up to and including version 1
OSV
CVE-2022-30699: NLnet Labs Unbound, up to and including version 1
osv·2022-08-01·CVSS 6.5
CVE-2022-30699 [MEDIUM] CVE-2022-30699: NLnet Labs Unbound, up to and including version 1
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5L3ZFWZZFPBIL654BG75RWXUMPFQJ5EC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D35CX4SCZVNKZTWJXPDFTHWZHINMGEZD/
https://security.gentoo.org/glsa/202212-02
https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt