A multi-vendor cache poisoning vulnerability named Rebirthday Attack has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., –enable-subnet, AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the send-client-subnet, client-subnet-zone or client-subnet-always-forward options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.
The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat Enterprise Linux 10 | RedHat | unbound-0:1.20.0-12.el10_0 | * |
| Red Hat Enterprise Linux 8 | RedHat | unbound-0:1.16.2-5.9.el8_10 | * |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | RedHat | unbound-0:1.16.2-5.el8_8.5 | * |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | RedHat | unbound-0:1.16.2-5.el8_8.5 | * |
| Red Hat Enterprise Linux 9 | RedHat | unbound-0:1.16.2-19.el9_6.1 | * |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | RedHat | unbound-0:1.13.1-13.el9_0.5 | * |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | RedHat | unbound-0:1.16.2-3.el9_2.5 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | unbound-0:1.16.2-8.el9_4.2 | * |
| Unbound | Ubuntu | devel | * |
| Unbound | Ubuntu | jammy | * |
| Unbound | Ubuntu | noble | * |
| Unbound | Ubuntu | plucky | * |
| Unbound | Ubuntu | upstream | * |