CVE-2019-25034

9.8 CRITICAL

📋 TL;DR

CVE-2019-25034 is an integer overflow in the sldns_str2wire_dname_buf_origin function of the Unbound DNS resolver that can lead to an out-of-bounds write. It affects Unbound releases before 1.9.5. The vendor disputes exploitability, stating that a running Unbound installation cannot be exploited remotely or locally even though the code itself is defective.

💻 Affected Systems

Products:
  • Unbound DNS resolver
Versions: All versions before 1.9.5
Operating Systems: Linux, BSD, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: The vendor disputes that a running installation can be exploited remotely or locally; the defective code is nonetheless present in every release before 1.9.5. The affected function converts textual domain names (from configuration, zone data and unbound-control input) to wire format; it is not on the path that parses incoming DNS packets.

📦 What is this software?

Unbound is a validating, recursive and caching DNS resolver developed by NLnet Labs, commonly run as a local or network-wide resolver on Linux and BSD systems.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution and full compromise of the resolver host, if the out-of-bounds write could be reached with attacker-controlled input despite the vendor's statement that it cannot.

🟠 Likely Case: A crash or memory corruption in Unbound that interrupts DNS resolution for its clients, if the affected parser can be fed crafted text.

🟢 If Mitigated: Limited impact; the vendor assesses that running installations cannot be exploited, but the defective code remains present until 1.9.5 or later is installed.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: No
Unauthenticated Exploit: No
Complexity: High

No known exploits. The vendor disputes practical exploitability; the CVSS 9.8 score rates the code defect in isolation rather than a demonstrated attack path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.5 and later

Vendor Advisory: https://nlnetlabs.nl/projects/unbound/download/

Restart Required: Yes

Instructions:

1. Obtain Unbound 1.9.5 or later from the NLnet Labs download page or from your distribution's package repository.
2. Stop the Unbound service.
3. Install the updated version.
4. Start the Unbound service and confirm the running version with unbound -V.

🔧 Temporary Workarounds

Network segmentation

linux

Restrict DNS access to Unbound to trusted networks only. This reduces the resolver's general exposure, but note that the affected function parses textual domain names (configuration, zone data, unbound-control input) rather than DNS packets, so also limit who can supply that input. Replace trusted_network with the client CIDR(s) that may query this resolver, and repeat the rules with ip6tables if Unbound listens on IPv6. The rules are appended (-A), so an earlier blanket ACCEPT rule in the INPUT chain would still take precedence; check with iptables -L INPUT -n --line-numbers.

iptables -A INPUT -p tcp --dport 53 -s trusted_network -j ACCEPT
iptables -A INPUT -p udp --dport 53 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j DROP
iptables -A INPUT -p udp --dport 53 -j DROP
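The same restriction expressed in Unbound's own configuration, together with a tightened control channel, as an added example that is not taken from this page or from the Unbound project. The listen addresses and the 10.0.0.0/8 client range are placeholders to replace with your own; the directive names are standard unbound.conf options.

```conf
server:
    # Listen only where clients are expected instead of binding 0.0.0.0
    # (placeholder addresses).
    interface: 10.0.0.53
    interface: 127.0.0.1
    # Default-deny, then allow only the client ranges that may query
    # (placeholder CIDR for the trusted network).
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow

remote-control:
    # unbound-control commands such as local_data feed text into the same
    # RR/domain-name parser, so keep the control channel local and
    # certificate-authenticated (a unix socket path is an alternative:
    # control-interface: /run/unbound.ctl).
    control-enable: yes
    control-interface: 127.0.0.1
    control-use-cert: yes
```

Validate with unbound-checkconf before restarting the service.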

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Restrict who can edit Unbound's configuration and zone files or reach the unbound-control interface, since that textual input is what the affected parser reads
  • Monitor Unbound and system logs for abnormal behavior or crashes

🔍 How to Verify

Check if Vulnerable:

Run unbound -V (the first line of its output reads "Version X.Y.Z") or unbound -h and check whether the version is below 1.9.5. Compare the version numerically, not as a string: 1.10.0 is newer than 1.9.5.

Check Version:

unbound -V

Verify Fix Applied:

Confirm that unbound -V reports 1.9.5 or higher. Distribution packages may backport fixes without changing the upstream version number; for those, check the package changelog rather than relying on the version alone.
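The version check above, as an added example script that is not part of this page or of the Unbound project. It assumes that unbound -V prints a first line of the form "Version 1.9.4"; it compares the fields numerically so that 1.10.0 is correctly treated as newer than 1.9.5, which a plain string comparison would get wrong.

```shell
#!/bin/sh
# Added example, not from the original page or the Unbound project:
# parse the installed Unbound version and compare it numerically with the
# fixed release 1.9.5. Assumption: `unbound -V` prints a first line of the
# form "Version 1.9.4" (pre-release suffixes such as "rc1" are ignored).

FIXED_VERSION="1.9.5"

# Print the X.Y.Z version found in `unbound -V` output read from stdin.
unbound_version_from_output() {
    sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_lt A B: succeed (exit 0) when A is numerically older than B.
# Each dotted field is compared as an integer; missing fields count as 0.
version_lt() {
    a=$1
    b=$2
    i=1
    while [ "$i" -le 3 ]; do
        # The appended ".." guarantees a delimiter so cut never echoes the
        # whole string; sed strips any non-numeric suffix (e.g. "5rc1" -> 5).
        x=$(printf '%s..' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s..' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # equal versions are not "less than"
}

# unbound_vulnerable VERSION: succeed when VERSION is older than 1.9.5.
unbound_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Check the binary on this host. Exit status: 0 vulnerable, 1 fixed, 2 unknown.
check_installed_unbound() {
    v=$(unbound -V 2>/dev/null | unbound_version_from_output)
    if [ -z "$v" ]; then
        echo "unbound not found or version line not recognised"
        return 2
    fi
    if unbound_vulnerable "$v"; then
        echo "Unbound $v: VULNERABLE (older than $FIXED_VERSION), upgrade"
        return 0
    fi
    echo "Unbound $v: fixed ($FIXED_VERSION or later; for distro packages confirm the changelog)"
    return 1
}

# Only run the check when unbound is installed, so the functions above can be
# sourced into other scripts without side effects.
if command -v unbound >/dev/null 2>&1; then
    check_installed_unbound || true
fi
```

The script reports a fix only by version number; a distribution package that backports the fix without bumping the version will still be reported as vulnerable, which is the safer failure mode for an inventory scan.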

📡 Detection & Monitoring

Log Indicators:

  • Unbound process crashes
  • Memory allocation errors in system logs
  • DNS resolution failures

Network Indicators:

  • Unusual DNS query patterns
  • Connection attempts to Unbound on port 53 from untrusted sources

SIEM Query:

("unbound" OR "unbound.service") AND ("segfault" OR "SIGSEGV" OR "status=11/SEGV" OR "core dumped")

The phrases "out of bounds" and "integer overflow" never appear in Unbound's logs; a crash surfaces as a kernel segfault line for the unbound process or as a systemd unit failure. Unbound itself logs via syslog by default (use-syslog: yes), so search the system log or journal rather than a file named unbound.log unless logfile: is configured.
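The crash-indicator search run over sample log text, as an added example that is not part of this page or of the Unbound project. The log lines in sample_log are constructed to resemble a kernel segfault report and the systemd unit-failure messages that follow it.

```shell
#!/bin/sh
# Added example (not from the page or the Unbound project): pull crash
# indicators for the Unbound process out of syslog/journal text.

# Lines that name unbound AND carry a crash or heap-corruption marker
# (kernel segfault report, systemd exit status, glibc malloc checks).
unbound_crash_indicators() {
    grep -i 'unbound' | grep -E 'segfault|SIGSEGV|status=11/SEGV|status=6/ABRT|core dumped|double free|malloc\(\): |free\(\): '
}

# Count such lines from stdin; prints a bare integer.
count_unbound_crash_indicators() {
    unbound_crash_indicators | wc -l | tr -d '[:space:]'
}

# Constructed sample: two benign Unbound lines, a kernel segfault report,
# two systemd messages, one unrelated sshd line.
sample_log() {
    cat <<'EOF'
Jan 10 12:00:01 ns1 unbound[1234]: [1234:0] info: start of service (unbound 1.9.4).
Jan 10 12:00:05 ns1 unbound[1234]: [1234:0] info: resolving example.com. A IN
Jan 10 12:01:10 ns1 kernel: unbound[1234]: segfault at 0 ip 00005586d3c2a1b0 sp 00007ffd3c2d1e40 error 4 in unbound[5586d3c00000+80000]
Jan 10 12:01:10 ns1 systemd[1]: unbound.service: Main process exited, code=killed, status=11/SEGV
Jan 10 12:01:10 ns1 systemd[1]: unbound.service: Failed with result 'signal'.
Jan 10 12:01:12 ns1 sshd[99]: Accepted publickey for admin from 10.0.0.7
EOF
}

# Run against the sample. On a real host feed it `journalctl -k` (kernel
# segfault reports) and `journalctl -u unbound` (unit failures), or
# /var/log/syslog, instead of sample_log.
sample_log | unbound_crash_indicators
```

Only two of the six sample lines match: the kernel segfault report and the systemd exit-status message. The "Failed with result" line is deliberately not matched on its own, since it carries no signal name.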
