CVE-2019-25036

7.5 HIGH

📋 TL;DR

CVE-2019-25036 is an assertion failure vulnerability in Unbound DNS resolver's synth_cname function that can cause denial of service. The vendor disputes exploitability, stating running installations cannot be exploited remotely or locally. Systems running Unbound DNS resolver before version 1.9.5 are affected.

💻 Affected Systems

Products:
  • Unbound DNS resolver
Versions: All versions before 1.9.5
Operating Systems: Linux, Unix-like systems, Any OS running Unbound
Default Config Vulnerable: ⚠️ Yes
Notes: Vendor disputes practical exploitability of running installations.

📦 What is this software?

Unbound is a validating, recursive, caching DNS resolver developed by NLnet Labs, the vendor whose advisory is linked below.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unbound DNS resolver crashes due to assertion failure, causing complete DNS resolution failure for dependent services.

🟠

Likely Case

Denial of service through service crash if vulnerable code path is triggered, though vendor disputes practical exploitability.

🟢

If Mitigated

Minimal impact with proper monitoring and restart mechanisms in place.

🌐 Internet-Facing: LOW - Vendor disputes remote exploitability and no public exploits exist.
🏢 Internal Only: LOW - Vendor disputes local exploitability and requires specific conditions to trigger.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

No known exploits in the wild. Vendor disputes exploitability of running installations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.5 and later

Vendor Advisory: https://nlnetlabs.nl/projects/unbound/download/

Restart Required: Yes

Instructions:

1. Download Unbound 1.9.5 or later from the official repository.
2. Stop the Unbound service: 'systemctl stop unbound'.
3. Install the updated version using your package manager or compile from source.
4. Start the Unbound service: 'systemctl start unbound'.

🔧 Temporary Workarounds

Restrict DNS queries (applies to: all)

Limit DNS queries to trusted sources to reduce the attack surface.

Configure access-control in unbound.conf, for example: access-control: 192.168.1.0/24 allow
Unbound refuses queries from any address that no access-control rule allows (by default only localhost is allowed), so list only the networks that need to reach the resolver.

🧯 If You Can't Patch

  • Implement monitoring and automatic restart for Unbound service
  • Deploy redundant DNS resolvers to maintain service availability

🔍 How to Verify

Check if Vulnerable:

Check the Unbound version with 'unbound -V' (or 'unbound -h', whose usage output also prints the version) and verify whether it is below 1.9.5.

Check Version:

unbound -V

Verify Fix Applied:

Run 'unbound -V' and confirm the version is 1.9.5 or higher.
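A script that automates the version check above, added here as an example and not taken from the advisory or from the Unbound project. It assumes the first line of 'unbound -V' reads "Version X.Y.Z" and compares that against the fixed release 1.9.5 component by component, so that 1.10.0 is correctly treated as newer than 1.9.5 (a plain string comparison would get that wrong). The sample version lines fed to it are constructed; pass --live to run it against the installed binary.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify an Unbound build as
# fixed or not for CVE-2019-25036 from the first line of `unbound -V`.
# Assumption: that line reads "Version X.Y.Z".

FIXED_VERSION=1.9.5

# extract_version LINE : prints the dotted version found in LINE, or nothing
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^Version[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# vnum VERSION : maps "1.9.4" to 1009004 so versions compare as integers;
# a missing component counts as 0, so "1.10" becomes 1010000
vnum() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# unbound_vulnerable LINE : exit 0 when the version is below 1.9.5,
# 1 when it is 1.9.5 or later, 2 when no version could be parsed
unbound_vulnerable() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    [ "$(vnum "$v")" -lt "$(vnum "$FIXED_VERSION")" ]
}

# classify LINE : print a human-readable verdict; always exits 0 so it is
# safe to call inside loops under `set -e`
classify() {
    rc=0
    unbound_vulnerable "$1" || rc=$?
    case $rc in
        0) echo "VULNERABLE  (below $FIXED_VERSION): $1" ;;
        1) echo "fixed       ($FIXED_VERSION or later): $1" ;;
        *) echo "unparseable (check manually): $1" ;;
    esac
    return 0
}

# check_live : run the check against the installed binary, if there is one
check_live() {
    command -v unbound >/dev/null 2>&1 || { echo "unbound is not installed"; return 2; }
    classify "$(unbound -V 2>/dev/null | head -n 1)"
}

# Constructed sample lines (not captured from real hosts):
for line in "Version 1.9.4" "Version 1.9.5" "Version 1.10.0" "garbage"; do
    classify "$line"
done

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

The numeric mapping in vnum is what makes the comparison safe for two-digit minor or patch numbers; the parse step deliberately reports "unparseable" rather than "fixed" when the version line is missing, so a broken binary is never silently counted as patched.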

📡 Detection & Monitoring

Log Indicators:

  • Unbound service crashes
  • Assertion failure messages in logs
  • DNS resolution failures

Network Indicators:

  • DNS query timeouts
  • Increased DNS failure rates

SIEM Query:

source="unbound.log" AND ("assertion failure" OR "crash" OR "segmentation fault")
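The same indicators applied to log files on the resolver host itself, as an added example that is not part of the advisory. The regular expression covers the SIEM query's terms, an "assertion ... failed" variant, and the messages systemd writes when a service is killed by a signal; check the exact wording against your own Unbound build before relying on it. The sample log is constructed (timestamps, pids and the assertion text are made up) and mixes Unbound's own log format with journal lines.

```shell
#!/bin/sh
# Added example (not part of the advisory): scan Unbound and systemd log
# lines for crash indicators and repeated restarts. The sample log is
# constructed; pids, timestamps and the assertion text are made up.

# Indicators as one extended regex: the SIEM query's terms, the
# "assertion ... failed" wording, and systemd's abort/failure messages.
INDICATOR_RE='assertion failure|assertion .* failed|fatal error|segmentation fault|Main process exited, code=(killed|dumped)|Failed with result'

# count_indicators FILE : number of lines matching INDICATOR_RE (0 if none;
# grep -c exits 1 on zero matches, hence the || true)
count_indicators() {
    grep -Eic "$INDICATOR_RE" "$1" || true
}

# matching_lines FILE : the matching lines themselves, for triage
matching_lines() {
    grep -Ei "$INDICATOR_RE" "$1" || true
}

# restart_count FILE : how often Unbound logged a service start; more than
# one start in a short window means the resolver is being restarted after crashes
restart_count() {
    grep -c 'start of service' "$1" || true
}

# crash_alert FILE THRESHOLD : exit 0 when indicator lines reach THRESHOLD
crash_alert() {
    [ "$(count_indicators "$1")" -ge "$2" ]
}

# write_sample_log FILE : constructed sample used by the demo below
write_sample_log() {
    cat >"$1" <<'EOF'
[1566800001] unbound[1234:0] info: start of service (unbound 1.9.4).
[1566800002] unbound[1234:0] info: service stopped (unbound 1.9.4).
[1566800003] unbound[1234:0] fatal error: example.c:1: synth_cname: assertion cond failed
Aug 26 10:00:05 resolver1 systemd[1]: unbound.service: Main process exited, code=killed, status=6/ABRT
Aug 26 10:00:05 resolver1 systemd[1]: unbound.service: Failed with result 'signal'.
[1566800010] unbound[1300:0] info: start of service (unbound 1.9.4).
EOF
}

# Demo on the constructed sample
LOG=$(mktemp)
write_sample_log "$LOG"
echo "indicator lines: $(count_indicators "$LOG"), service starts: $(restart_count "$LOG")"
matching_lines "$LOG"
if crash_alert "$LOG" 1; then
    echo "ALERT: Unbound crash indicators present"
fi
rm -f "$LOG"
```

Point the functions at /var/log/unbound.log or at the output of 'journalctl -u unbound' saved to a file; the restart counter is the cheap signal that an automatic-restart workaround is masking repeated crashes rather than preventing them.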

🔗 References
