{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-3204", "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6", "assignerShortName": "NLnet Labs", "dateUpdated": "2024-09-17T03:19:03.035Z", "dateReserved": "2022-09-13T00:00:00", "datePublished": "2022-09-26T13:41:46.275188Z"}, "containers": {"cna": {"title": "NRDelegation Attack", "datePublic": "2022-09-21T00:00:00", "providerMetadata": {"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6", "shortName": "NLnet Labs", "dateUpdated": "2023-03-29T00:00:00"}, "descriptions": [{"lang": "en", "value": "A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the attack and the replies, different limits could be reached. From version 1.16.3 on, Unbound introduces fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records."}], "affected": [{"vendor": "NLnet Labs", "product": "Unbound", "versions": [{"version": "unspecified", "lessThanOrEqual": "1.16.2", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt"}, {"name": "FEDORA-2022-1326d2815c", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3G2HS6CYPSIGAKO6QLEZPG3RD6AMPB7B/"}, {"name": "FEDORA-2022-164cf7837e", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35QGS5FBQTG3DBSK7QV67PA64P24ABHY/"}, {"name": "FEDORA-2022-204ee3da84", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4EU6DMJXQFMAIE6SLAH4H5RNRU6VQL/"}, {"name": "GLSA-202212-02", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202212-02"}, {"name": "[debian-lts-announce] 20230329 [SECURITY] [DLA 3371-1] unbound security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html"}], "credits": [{"lang": "en", "value": "We would like to thank Yehuda Afek from Tel-Aviv University, Anat Bremler-Barr and Shani Stajnrod from Reichman University for discovering and disclosing the vulnerability."}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:00:10.542Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt", "tags": ["x_transferred"]}, {"name": "FEDORA-2022-1326d2815c", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3G2HS6CYPSIGAKO6QLEZPG3RD6AMPB7B/"}, {"name": "FEDORA-2022-164cf7837e", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35QGS5FBQTG3DBSK7QV67PA64P24ABHY/"}, {"name": "FEDORA-2022-204ee3da84", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4EU6DMJXQFMAIE6SLAH4H5RNRU6VQL/"}, {"name": "GLSA-202212-02", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202212-02"}, {"name": "[debian-lts-announce] 20230329 [SECURITY] [DLA 3371-1] unbound security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*", "matchCriteriaId": "29711F1A-F741-4BF9-AF71-03A2C21B0F1E", "versionEndIncluding": "1.16.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the attack and the replies, different limits could be reached. From version 1.16.3 on, Unbound introduces fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad denominada \"Non-Responsive Delegation Attack\" (NRDelegation Attack) en varios programas de resoluci\u00f3n de DNS. El ataque NRDelegation funciona teniendo una delegaci\u00f3n maliciosa con un n\u00famero considerable de servidores de nombre que no responden. El ataque comienza al consultar a un resolver un registro que depende de esos servidores de nombre que no responden. El ataque puede causar que un resolver gaste mucho tiempo/recursos resolviendo registros bajo un punto de delegaci\u00f3n malicioso donde reside un n\u00famero considerable de registros NS que no responden. Puede desencadenar un alto uso de la CPU en algunas implementaciones del resolver que buscan continuamente en la cach\u00e9 los registros NS resueltos en esa delegaci\u00f3n. Esto puede conllevar a una degradaci\u00f3n del rendimiento y, eventualmente, una denegaci\u00f3n de servicio en ataques orquestados. Unbound no sufre un alto uso de la CPU, pero los recursos siguen siendo necesarios para resolver la delegaci\u00f3n maliciosa. Unbound seguir\u00e1 intentando resolver el registro hasta que sean alcanzados los l\u00edmites establecidos. Seg\u00fan la naturaleza del ataque y las respuestas, pueden alcanzarse diferentes l\u00edmites. A partir de la versi\u00f3n 1.16.3, Unbound introduce correcciones para mejorar el rendimiento cuando est\u00e1 bajo carga, al recortar las consultas oportunistas para la detecci\u00f3n de servidores de nombres y la precarga de DNSKEY y limitando el n\u00famero de veces que un punto de delegaci\u00f3n puede emitir una b\u00fasqueda en la cach\u00e9 para los registros faltantes.\n"}], "id": "CVE-2022-3204", "lastModified": "2023-11-07T03:50:58.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-26T14:15:11.007", "references": [{"source": "sep@nlnetlabs.nl", "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html"}, {"source": "sep@nlnetlabs.nl", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35QGS5FBQTG3DBSK7QV67PA64P24ABHY/"}, {"source": "sep@nlnetlabs.nl", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3G2HS6CYPSIGAKO6QLEZPG3RD6AMPB7B/"}, {"source": "sep@nlnetlabs.nl", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4EU6DMJXQFMAIE6SLAH4H5RNRU6VQL/"}, {"source": "sep@nlnetlabs.nl", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202212-02"}, {"source": "sep@nlnetlabs.nl", "tags": ["Vendor Advisory"], "url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt"}], "sourceIdentifier": "sep@nlnetlabs.nl", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:2771", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "unbound-0:1.16.2-5.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-05-16T00:00:00Z"}, {"advisory": "RHSA-2024:2045", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "unbound-0:1.7.3-17.el8_6.5", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-04-25T00:00:00Z"}, {"advisory": "RHSA-2023:2370", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "unbound-0:1.16.2-3.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}], "bugzilla": {"description": "unbound: NRDelegation attack leads to uncontrolled resource consumption (Non-Responsive Delegation Attack)", "id": "2128947", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2128947"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "details": ["A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the attack and the replies, different limits could be reached. From version 1.16.3 on, Unbound introduces fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records.", "A vulnerability was found in unbound. The attack can cause a resolver to spend a lot of time and resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. This issue can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation, leading to degraded performance and, eventually, a denial of service in orchestrated attacks."], "name": "CVE-2022-3204", "package_state": [{"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "unbound", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "unbound", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "unbound", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "unbound", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "unbound", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "unbound", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Out of support scope", "package_name": "unbound", "product_name": "Red Hat Process Automation 7"}], "public_date": "2022-09-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-3204\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-3204\nhttps://nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt"], "threat_severity": "Moderate", "upstream_fix": "unbound 1.16.3"}