unbound-1.19.0_1 is vulnerable: Oh yeah? :)
Topic: unbound-1.19.0_1 is vulnerable: Oh yeah? :) (Read 1490 times)
skynetsense
Newbie
Posts: 8
Karma: 0
unbound-1.19.0_1 is vulnerable: Oh yeah? :)
on: February 15, 2024, 04:00:33 am
Just wondering if every update has this going on? I mean not exactly this, but you know what I mean. What's the solution to not having it every time? To update? Means to have a possibility of this. Not to update? Update every so often? Any ideas? Because if this happens every time or every other time, I'm kind of not confident about it, when the problem is broadcast all around the world for everyone to see. All that they have to do is find who is using OPNsense, lol. Thanks.
Because every time I post these, I feel like a person who says, "by the way, there is a key to my house right there, just make sure you don't go in."
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 24.1.1 at Wed Feb 14 18:48:09 PST 2024
Fetching vuln.xml.xz: .......... done
unbound-1.19.0_1 is vulnerable:
DNSSEC validators -- denial-of-service/CPU exhaustion from KeyTrap and NSEC3 vulnerabilities
CVE: CVE-2023-50868
CVE: CVE-2023-50387
WWW: https://vuxml.FreeBSD.org/freebsd/21a854cc-cac1-11ee-b7a7-353f1e043d9a.html
Last Edit: February 15, 2024, 04:14:58 am by skynetsense
Patrick M. Hausen
Hero Member
Posts: 6799
Karma: 571
Re: unbound-1.19.0_1 is vulnerable: Oh yeah? :)
Reply #1 on: February 15, 2024, 07:15:23 am
The new Unbound release and the corresponding CVE entry are from this Tuesday. What exactly do you expect?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
skynetsense
Newbie
Posts: 8
Karma: 0
Re: unbound-1.19.0_1 is vulnerable: Oh yeah? :)
Reply #2 on: February 15, 2024, 07:43:38 am
Just tried to reply; it was only one line, so I probably messed up. It went somewhere else.
Back to the subject: the purpose of me asking is to find the best way of going about it. Should I not install every update and wait for more stable versions instead? I am really depending on working security. I had to reinstall a couple of times, which was a bit problematic, so whatever you can advise would be great. I think it makes more sense for me to wait than to update and have to remedy or wait for patches in a compromised state. Your opinion?
Patrick M. Hausen
Hero Member
Posts: 6799
Karma: 571
Re: unbound-1.19.0_1 is vulnerable: Oh yeah? :)
Reply #3 on: February 15, 2024, 07:51:22 am
Update as soon as possible, i.e. when a fix for this is released.
All older versions suffer from the same vulnerability.
Then again, this is not a big deal. Crafting a malicious DNS zone, then luring your users to actively look up records in that zone to trigger a high CPU load on your device? If I wanted to DoS you, I'd buy a Russian botnet for a handful of euros.
Disable DNSSEC if you want to mitigate that at all cost.
You cannot expect a "CVE free all of the time" product. Only timely updates. And you need to assess these things and look if they affect you at all.
I will be doing exactly nothing about this and update to 24.1.2 when it is released.
skynetsense
Newbie
Posts: 8
Karma: 0
Re: unbound-1.19.0_1 is vulnerable: Oh yeah? :)
Reply #4 on: February 15, 2024, 08:03:29 am
Funny that you mentioned botnets. Lately I've been getting scanned by some Chang Way Technologies Co Limited, which seems to operate under said country's flag. A Chinese company operating out of RU.
Patrick M. Hausen
Hero Member
Posts: 6799
Karma: 571
Re: unbound-1.19.0_1 is vulnerable: Oh yeah? :)
Reply #5 on: February 15, 2024, 08:29:52 am
You are aware that OPNsense does not ship known vulnerable software? The last update did not cause/introduce this particular problem. 24.1.1 was published on February 6th, assuming all components were good. This DNSSEC problem had been there all the last years in all the prior versions, but nobody knew.
We have known since February 13th. So now appropriate action can be taken and OPNsense updated. Again.
HTH,
Patrick
skynetsense
Newbie
Posts: 8
Karma: 0
Re: unbound-1.19.0_1 is vulnerable: Oh yeah? :)
Reply #6 on: February 15, 2024, 08:33:40 am
Thank you for taking your time to explain this
Patrick M. Hausen
Hero Member
Posts: 6799
Karma: 571
Re: unbound-1.19.0_1 is vulnerable: Oh yeah? :)
Reply #7 on: February 15, 2024, 09:37:04 am
You are welcome. I suspected that might not be perfectly clear because of your question if you should avoid updating.
The day an OPNsense release is shipped there are (normally) no known security vulnerabilities in the system.
Of course, if you install or update one week later, there is some probability that new ones will have been discovered and published. The CVE database is not shipped with the OPNsense release. It's a world wide community database of all known security problems in all known software products.
When you run an audit in the UI that database is queried live for any new discoveries that might have been published since your specific OPNsense version was released.
I'm simplifying a bit, but that's it in a nutshell.
HTH,
Patrick
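As an added illustration of the audit mechanism described in this thread (example script, not from the thread, OPNsense or FreeBSD), the following shell snippet turns the text that `pkg audit` prints into one "package CVE" line per finding, so a scheduled check can alert an operator when a new advisory appears for an installed package. The sample input is the audit output quoted in the first post; the function names are assumptions.

```shell
#!/bin/sh
# Added example: parse `pkg audit` output into "package CVE-id" pairs so a cron
# job can flag newly published advisories for installed packages.
# Assumes the format shown in the thread: a "<pkg> is vulnerable:" line
# followed by one or more "CVE: CVE-..." lines and a "WWW: <url>" line.

# Constructed sample input: the audit output quoted in the first post.
SAMPLE_AUDIT='Fetching vuln.xml.xz: .......... done
unbound-1.19.0_1 is vulnerable:
DNSSEC validators -- denial-of-service/CPU exhaustion from KeyTrap and NSEC3 vulnerabilities
CVE: CVE-2023-50868
CVE: CVE-2023-50387
WWW: https://vuxml.FreeBSD.org/freebsd/21a854cc-cac1-11ee-b7a7-353f1e043d9a.html'

# parse_audit: read audit output on stdin, print "<pkg> <CVE>" per finding.
# The package name is remembered from the "is vulnerable:" header and
# attached to every CVE line that follows it, until the next header.
parse_audit() {
    awk '
        / is vulnerable:$/ { pkg = $1; next }
        /^CVE: / && pkg != "" { print pkg, $2 }
    '
}

# count_vulnerable: number of distinct vulnerable packages in the input.
count_vulnerable() {
    parse_audit | awk '!seen[$1]++ { n++ } END { print n + 0 }'
}

# live_audit: the same parsing applied to a fresh audit on the firewall.
# `pkg audit -F` refreshes the vulnerability database first and exits
# non-zero when vulnerable packages are found; the pipeline keeps the list
# so the caller can compare it against the previous run and alert on changes.
live_audit() {
    pkg audit -F 2>/dev/null | parse_audit
}

# Demonstration on the constructed sample (no network or pkg needed).
printf '%s\n' "$SAMPLE_AUDIT" | parse_audit
printf 'vulnerable packages: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | count_vulnerable)"
```

Running `live_audit` on a schedule and diffing its output against the last run gives a simple "new advisory for an installed package" signal, which is the decision point Patrick describes: assess whether the finding affects you, then update when the fix ships.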