A multi-vendor cache poisoning vulnerability named Rebirthday Attack has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., –enable-subnet, AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the send-client-subnet, client-subnet-zone or client-subnet-always-forward options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.
Weakness
The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat Enterprise Linux 10 | RedHat | unbound-0:1.20.0-12.el10_0 | * |
| Red Hat Enterprise Linux 8 | RedHat | unbound-0:1.16.2-5.9.el8_10 | * |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | unbound-0:1.7.3-12.el8_2.2 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | unbound-0:1.7.3-15.el8_4.2 | * |
| Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | RedHat | unbound-0:1.7.3-15.el8_4.2 | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | unbound-0:1.7.3-17.el8_6.6 | * |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | unbound-0:1.7.3-17.el8_6.6 | * |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | unbound-0:1.7.3-17.el8_6.6 | * |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | RedHat | unbound-0:1.16.2-5.el8_8.5 | * |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | RedHat | unbound-0:1.16.2-5.el8_8.5 | * |
| Red Hat Enterprise Linux 9 | RedHat | unbound-0:1.16.2-19.el9_6.1 | * |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | RedHat | unbound-0:1.13.1-13.el9_0.5 | * |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | RedHat | unbound-0:1.16.2-3.el9_2.5 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | unbound-0:1.16.2-8.el9_4.2 | * |
| Red Hat OpenShift Container Platform 4.12 | RedHat | rhcos-412.86.202510291903-0 | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | rhcos-413.92.202510150118-0 | * |
| Red Hat OpenShift Container Platform 4.14 | RedHat | rhcos-414.92.202510211419-0 | * |
| Red Hat OpenShift Container Platform 4.17 | RedHat | rhcos-417.94.202510112152-0 | * |
| Red Hat OpenShift Container Platform 4.18 | RedHat | rhcos-418.94.202510230424-0 | * |
| Red Hat OpenShift Container Platform 4.19 | RedHat | rhcos-4.19.9.6.202510140714-0 | * |
| Red Hat OpenShift Container Platform 4.20 | RedHat | rhcos-4.20.9.6.202509251656-0 | * |
| Unbound | Ubuntu | devel | * |
| Unbound | Ubuntu | jammy | * |
| Unbound | Ubuntu | noble | * |
| Unbound | Ubuntu | plucky | * |
| Unbound | Ubuntu | questing | * |
| Unbound | Ubuntu | upstream | * |
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/141.html
- https://cwe.mitre.org/data/definitions/142.html
- https://cwe.mitre.org/data/definitions/75.html