unbound-1.19.0_1 is vulnerable: Oh yeah? :)

Started by skynetsense, February 15, 2024, 04:00:33 AM

February 15, 2024, 04:00:33 AM Last Edit: February 15, 2024, 04:14:58 AM by skynetsense
Just wondering if every update has this going on? I mean not exactly this, but you know what I mean. What's the solution to not having it every time? To update? Means to have a possibility of this. Not to update? Update every so often? Any ideas? Because if this happens every time or every other time, kind of not confident about it, when the problem is broadcasted all around the world for everyone to see. All that they have to do is find who is using OPNSense, lol. Thanks :D Because every time I post these, I feel like a person who says, by the way, there is a key from my house right there, just make sure you don't go in.


***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 24.1.1 at Wed Feb 14 18:48:09 PST 2024
Fetching vuln.xml.xz: .......... done
unbound-1.19.0_1 is vulnerable:
  DNSSEC validators -- denial-of-service/CPU exhaustion from KeyTrap and NSEC3 vulnerabilities
  CVE: CVE-2023-50868
  CVE: CVE-2023-50387
  WWW: https://vuxml.freebsd.org/freebsd/21a854cc-cac1-11ee-b7a7-353f1e043d9a.html

The new Unbound release and the corresponding CVE entry are from this Tuesday. What exactly do you expect?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Just tried to reply, was a one line only, so I probably messed up. It went somewhere else :) Back to the subject, the purpose of me asking is to find the best way of going about it? Should I not update every update and wait for more stable versions instead? I am really depending on working security. I had to reinstall a couple of times, which was a bit problematic, so whatever you can advise would be great. I think it makes more sense for me to wait than update and have to remedy or wait for patches in a compromised state. Your opinion?

Update as soon as possible, i.e. when a fix for this is released.

All older versions suffer from the same vulnerability.

Then again this is not a big deal. Crafting a malicious DNS zone, then luring your users to actively lookup records in that zone to trigger a high CPU load on your device? If I wanted to DoS you, I'd buy a Russian botnet for a handful of euros.

Disable DNSsec if you want to mitigate that at all cost.

You cannot expect a "CVE free all of the time" product. Only timely updates. And you need to assess these things and look if they affect you at all.

I will be doing exactly nothing about this and update to 24.1.2 when it is released.

Funny that you mentioned botnets. Lately I've been getting scanned by some Chang Way Technologies Co Limited, which seems to operate under said country's flag. A Chinese company operating out of RU.

You are aware that OPNsense does not ship known vulnerable software? The last update did not cause/introduce this particular problem. 24.1.1 was published on February 6th assuming all components were good. This DNSsec problem had been there all the last years in all the prior versions but nobody knew.

We know since February 13th. So now appropriate action can be taken and OPNsense updated. Again.

HTH,
Patrick

Thank you for taking your time to explain this :)

You are welcome. I suspected that might not be perfectly clear because of your question if you should avoid updating.

The day an OPNsense release is shipped there are (normally) no known security vulnerabilities in the system.

Of course if you install or update one week later, there is some probability that new ones will have been discovered and published. The CVE database is not shipped with the OPNsense release. It's a world wide community database of all known security problems in all known software products.

When you run an audit in the UI that database is queried live for any new discoveries that might have been published since your specific OPNsense version was released.

I'm simplifying a bit, but that's it in a nutshell.

HTH,
Patrick
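To turn the audit output quoted earlier in the thread into something a monitoring job can act on, here is a small parser for the `pkg audit` text format as it appears above. This is an added example, not code from OPNsense or FreeBSD; the only input it assumes is the format shown in the thread (a `<pkg> is vulnerable:` header followed by indented description, `CVE:` and `WWW:` lines).

```python
import re
from dataclasses import dataclass, field

# Sample input: the `pkg audit` output as quoted in this thread.
AUDIT_OUTPUT = """\
Fetching vuln.xml.xz: .......... done
unbound-1.19.0_1 is vulnerable:
  DNSSEC validators -- denial-of-service/CPU exhaustion from KeyTrap and NSEC3 vulnerabilities
  CVE: CVE-2023-50868
  CVE: CVE-2023-50387
  WWW: https://vuxml.freebsd.org/freebsd/21a854cc-cac1-11ee-b7a7-353f1e043d9a.html
"""

HEADER = re.compile(r"^(?P<pkg>\S+) is vulnerable:$")

@dataclass
class Finding:
    package: str
    description: str = ""
    cves: list = field(default_factory=list)
    references: list = field(default_factory=list)

def parse_pkg_audit(text):
    """Parse `pkg audit` text into Finding records, one per header line.

    Preamble lines (e.g. "Fetching vuln.xml.xz") are skipped; indented lines
    under a header are classified as CVE, WWW or free-text description.
    """
    findings = []
    current = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = Finding(package=m.group("pkg"))
            findings.append(current)
            continue
        if current is None or not raw.startswith("  "):
            continue
        line = raw.strip()
        if line.startswith("CVE:"):
            current.cves.append(line.split(":", 1)[1].strip())
        elif line.startswith("WWW:"):
            current.references.append(line.split(":", 1)[1].strip())
        else:
            current.description = (current.description + " " + line).strip()
    return findings

def package_name(pkg):
    """Split a pkg name such as 'unbound-1.19.0_1' into (name, version)."""
    name, _, version = pkg.rpartition("-")
    return name, version
```

Feeding real `pkg audit` output into `parse_pkg_audit` gives a structured list you can diff against the previous run, so a newly published CVE for an already installed package shows up as an alert rather than a surprise on the next manual audit.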