CVE-2024-33655Uncontrolled Resource Consumption in Unbound

CWE-400Uncontrolled Resource Consumption8 documents8 sources
Severity
7.5HIGHNVD
EPSS
3.9%
top 11.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Nlnetlabs Unbound
Timeline
PublishedJun 6
Latest updateJun 11

Description

The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

Debiannlnetlabs/unbound< 1.13.1-1+deb11u5+3

🔴Vulnerability Details

3
OSV
CVE-2024-33655: The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to b2024-06-06
GHSA
GHSA-2xh4-pf7v-vh6h: The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to b2024-06-06
CVEList
CVE-2024-33655: The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to b2024-06-06

📋Vendor Advisories

4
Microsoft
The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds such that responses are 2024-06-11
Ubuntu
Unbound vulnerability2024-05-28
Red Hat
unbound: DNSBomb vulnerability2024-05-09
Debian
CVE-2024-33655: unbound - The DNS protocol in RFC 1035 and updates allows remote attackers to cause a deni...2024
CVE-2024-33655 — Uncontrolled Resource Consumption | cvebase