CVE-2024-33655

The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue.

Read the notes from the security team

Why is this CVE low priority?

Upstream Unbound project has rated this as having a low security impact.

Learn more about Ubuntu priority

Status

Show unmaintained releases

Package	Ubuntu Release	Status
unbound	24.10 oracular	Fixed 1.20.0-1ubuntu1
	24.04 LTS noble	Fixed 1.19.2-1ubuntu3.1
	23.10 mantic	Fixed 1.17.1-2ubuntu0.2
	22.04 LTS jammy	Fixed 1.13.1-1ubuntu5.5
	20.04 LTS focal	Fixed 1.9.4-2ubuntu1.6
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation
	14.04 LTS trusty	Ignored end of ESM support, was needs-triage

Notes

mdeslaur

Unbound itself is not vulnerable to the DNSBomb attack, but can be used to participate in one. The commit below adds some new options to make the impact from Unbound significantly lower. Backporting the commit to mantic and lower is intrusive and may introduce regressions.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
unbound	Upstream: c3206f4

References

Related Ubuntu Security Notices (USN)

USN-6791-1
Unbound vulnerability
28 May 2024