#VU29236 OS Command Injection in Unbound - CVE-2019-18934


Vulnerability identifier: #VU29236

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-18934

CWE-ID: CWE-78

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Unbound
Server applications / DNS servers

Vendor: NLnet Labs

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in the ipsec module. A remote attacker can pass specially crafted input to the application and execute arbitrary commands on the system.

Successful exploitation of he vulnerability requires that unbound is compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Unbound: 1.6.4 rc1 - 1.9.4

External links
https://www.openwall.com/lists/oss-security/2019/11/19/1
https://github.com/NLnetLabs/unbound/blob/release-1.9.5/doc/Changelog
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MOCR6JP7MSRARTOGEHGST64G4FJGX5VK/
https://www.nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt
https://www.nlnetlabs.nl/news/2019/Nov/19/unbound-1.9.5-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


openEuler 20.03 LTS update for unbound
OpenSUSE Linux update for unbound
OpenSUSE Linux update for unbound
Red Hat Enterprise Linux 8 update for unbound
Fedora 31 update for unbound
Fedora 30 update for unbound
OS Command Injection in unbound (Alpine package)
Remote command execution in Unbound