CVE-2019-25040

CVSS 3.x base score: 7.5 HIGH

📋 TL;DR

Unbound versions before 1.9.5 can be fed a DNS response containing a compressed domain name crafted so that the dname_pkt_copy function loops forever, hanging the resolver (denial of service). It affects systems that run a vulnerable Unbound as their DNS resolver. The vendor disputes exploitability: although the code may be vulnerable, a running Unbound installation cannot be exploited remotely or locally.

💻 Affected Systems

Products:
  • Unbound DNS resolver
Versions: All versions before 1.9.5
Operating Systems: Linux, BSD, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code is reached when Unbound parses DNS responses from upstream servers, i.e. in its normal role as a recursive or forwarding resolver. The vendor disputes that a running installation can be exploited.

📦 What is this software?

Unbound is a validating, recursive, caching DNS resolver developed by NLnet Labs. It ships in the base system of OpenBSD and FreeBSD and is packaged by most Linux distributions, typically as the resolver that hosts or an internal network point at.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Denial of service causing Unbound process to hang indefinitely, disrupting DNS resolution for dependent systems and services.

🟠

Likely Case

Process hangs requiring manual restart, causing temporary DNS resolution failure until service recovery.

🟢

If Mitigated

Minimal impact with proper monitoring and restart mechanisms in place.

🌐 Internet-Facing: MEDIUM - Any Unbound that recurses to the Internet parses responses from arbitrary authoritative servers, whether or not its client-facing side is exposed; the vendor disputes that the loop is reachable in a running installation.
🏢 Internal Only: LOW - An internal-only listener limits who can induce lookups of attacker-chosen names, but not where the responses come from, unless Unbound forwards all queries to a trusted upstream resolver.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires getting a crafted DNS response accepted by the resolver: either controlling an authoritative server for a name the resolver is induced to look up, or spoofing a response that matches an outstanding query. The vendor disputes that a running installation can be exploited either way.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.5 and later

Vendor Advisory: https://nlnetlabs.nl/downloads/unbound/CVE-2019-25040.txt

Restart Required: Yes

Instructions:

1. Back up the current configuration (unbound.conf and any included files).
2. Obtain Unbound 1.9.5 or later, either as the distribution package or from nlnetlabs.nl.
3. Stop the Unbound service.
4. Install the new version and run unbound-checkconf against the existing configuration.
5. Start Unbound.
6. Verify with unbound -V that the running binary is 1.9.5 or later and that it resolves correctly.

Distributions often backport security fixes without changing the upstream version number; on such systems the package changelog (for example rpm -q --changelog unbound, or zgrep CVE-2019-25040 /usr/share/doc/unbound/changelog.Debian.gz on Debian-based systems) is the authoritative record of whether CVE-2019-25040 is fixed.

🔧 Temporary Workarounds

Restrict DNS sources

linux

Restrict who may query the resolver with access-control. Note what this does and does not cover: access-control filters client queries, while the crafted packet in this issue is a response arriving from an upstream server in reply to a lookup the resolver itself made. Limiting clients therefore only reduces who can induce Unbound to look up an attacker-chosen name; it does not filter the responses.

# In unbound.conf, server: section (addresses not listed stay refused by default, localhost excepted):
server:
    access-control: 192.168.0.0/16 allow
    access-control: 10.0.0.0/8 allow

Implement process monitoring

linux

Set up monitoring that detects an unresponsive Unbound and restarts it. Restart=always only helps when the process exits; a worker stuck in an infinite loop does not exit, so pair the restart policy with an external check that queries the resolver with a timeout and restarts the service when it stops answering.

# Drop-in override (systemctl edit unbound):
[Service]
Restart=always
RestartSec=10
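The external check described above, written out as an added example (this is not NLnet Labs code or part of the original page). It assumes dig is installed, that Unbound listens on 127.0.0.1 and runs as a systemd unit named unbound; all of those are overridable through environment variables. The decision logic is kept in a pure function so the threshold behaviour can be checked without a resolver.

```shell
#!/bin/sh
# Added example, not NLnet Labs code: an external watchdog for an Unbound resolver.
# A worker looping in dname_pkt_copy never exits, so systemd's Restart= never fires;
# the only reliable signal is that queries stop being answered. This script probes the
# resolver with a hard timeout and restarts the unit after several consecutive failures.
# Assumed environment: dig in PATH, a systemd unit named "unbound", 127.0.0.1 listening.

RESOLVER="${RESOLVER:-127.0.0.1}"
PROBE_NAME="${PROBE_NAME:-.}"            # query the root NS set: answered from cache or root hints
PROBE_TIMEOUT="${PROBE_TIMEOUT:-2}"      # seconds before a single probe is treated as hung
FAIL_LIMIT="${FAIL_LIMIT:-3}"            # consecutive failed probes before a restart
INTERVAL="${INTERVAL:-10}"               # seconds between probes
UNIT="${UNIT:-unbound}"

# probe_resolver: one query with a hard timeout; exit 0 on any answer, non-zero otherwise.
# PROBE_CMD, if set, replaces dig so the decision logic can be exercised without a resolver.
probe_resolver() {
    if [ -n "${PROBE_CMD:-}" ]; then
        $PROBE_CMD
    else
        dig +time="$PROBE_TIMEOUT" +tries=1 @"$RESOLVER" "$PROBE_NAME" NS >/dev/null 2>&1
    fi
}

# next_state FAILS PROBE_RC: prints "NEWFAILS ACTION", ACTION being ok, degraded or restart.
# A single answered probe resets the failure count.
next_state() {
    if [ "$2" -eq 0 ]; then
        echo "0 ok"
    elif [ $(($1 + 1)) -ge "$FAIL_LIMIT" ]; then
        echo "0 restart"
    else
        echo "$(($1 + 1)) degraded"
    fi
}

restart_resolver() {
    logger -t unbound-watchdog "no answer from $RESOLVER after $FAIL_LIMIT probes, restarting $UNIT"
    systemctl restart "$UNIT"
}

watchdog_loop() {
    fails=0
    while :; do
        probe_resolver; rc=$?
        set -- $(next_state "$fails" "$rc")
        fails=$1
        [ "$2" = restart ] && restart_resolver
        sleep "$INTERVAL"
    done
}

# Run as a long-lived process (for example from its own systemd service): unbound-watchdog.sh run
if [ "${1:-}" = "run" ]; then
    watchdog_loop
fi
```

Probing the root NS set keeps the check independent of any particular zone; a resolver that answers from cache but cannot recurse still passes, which is intentional here because the symptom being caught is a hung worker, not upstream reachability.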

🧯 If You Can't Patch

  • A recursive resolver parses responses from whatever authoritative servers it is pointed at, so the practical lever is the set of servers whose responses Unbound handles directly: forward all queries to a trusted upstream resolver (a forward-zone with name: "." and forward-addr: pointing at it) and restrict which clients may query via access-control
  • Deploy monitoring that probes the resolver with a timeout and restarts the service when it stops answering; a process-exit restart policy alone does not catch a hang

🔍 How to Verify

Check if Vulnerable:

Check the installed version: unbound -V | grep '^Version' (the first line reads "Version X.Y.Z" with a capital V, so a case-sensitive grep for "version" matches nothing). An upstream version earlier than 1.9.5 predates the fix; on distribution packages also check the package changelog for a backported CVE-2019-25040 fix before concluding the system is vulnerable.

Check Version:

unbound -V | grep '^Version'

Verify Fix Applied:

After patching, confirm the running binary reports 1.9.5 or later (unbound -V | grep '^Version') and that the service was actually restarted, since a still-running old process keeps the old code loaded.
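The version check as a script, added here as an example (not NLnet Labs code, not from the original page). It reads the first line of unbound -V and compares the version field by field, because a plain string comparison gets dotted versions wrong (1.9.10 sorts before 1.9.5 as text). The --check entry point and the FIXED_VERSION constant are this example's own; the backport caveat above still applies to its result.

```shell
#!/bin/sh
# Added example, not NLnet Labs code: decide whether an installed Unbound is below 1.9.5.
# `unbound -V` prints "Version X.Y.Z" as its first line, with a capital V, so a
# case-sensitive `grep version` matches nothing. A plain string comparison is also
# wrong for dotted versions (1.9.10 sorts before 1.9.5 as text), so compare per field.

FIXED_VERSION="1.9.5"

# installed_unbound_version: the version string from the local binary, or empty if absent.
installed_unbound_version() {
    unbound -V 2>/dev/null | awk '/^Version/ { print $2; exit }'
}

# version_lt A B: exit 0 when dotted version A is numerically lower than B.
# Pre-release suffixes (1.9.5rc1) are stripped, so an rc is treated as its release.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    i=1
    while :; do
        x=$(printf '%s' "$a" | awk -F. -v i="$i" '{ print $i }')
        y=$(printf '%s' "$b" | awk -F. -v i="$i" '{ print $i }')
        # ran past the end of both strings: versions are equal, so A is not lower
        [ -z "$x" ] && [ -z "$y" ] && return 1
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# unbound_needs_cve_2019_25040_fix VERSION: exit 0 when the upstream version predates 1.9.5.
# Distribution packages backport fixes without bumping the version, so a 0 here means
# "check the package changelog", not "confirmed vulnerable".
unbound_needs_cve_2019_25040_fix() {
    version_lt "$1" "$FIXED_VERSION"
}

# Stand-alone use: unbound-version-check.sh --check
if [ "${1:-}" = "--check" ]; then
    v=$(installed_unbound_version)
    if [ -z "$v" ]; then
        echo "unbound not found in PATH"; exit 2
    elif unbound_needs_cve_2019_25040_fix "$v"; then
        echo "Unbound $v predates 1.9.5: verify a backported fix or upgrade"; exit 1
    else
        echo "Unbound $v includes the 1.9.5 fix"; exit 0
    fi
fi
```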

📡 Detection & Monitoring

Log Indicators:

  • Unbound log output stops abruptly while the process is still alive (a worker in a tight loop logs nothing and pins one CPU core)
  • DNS resolution failures, such as "Temporary failure in name resolution", in application logs
  • Service restart events in system logs

Network Indicators:

  • Increased DNS query timeouts
  • DNS resolution failures from clients

SIEM Query:

Unbound does not log function names, and a process stuck in dname_pkt_copy emits nothing at all, so alert on missing resolver activity or on client-side failures rather than on an error string. With log-queries: yes enabled on the resolver, an empty 5-minute bucket is the signal (index and threshold are placeholders to adapt):

source="unbound.log" | timechart span=5m count | where count=0

Without query logging, count resolver errors on the clients instead:

sourcetype=syslog ("Temporary failure in name resolution" OR "no servers could be reached") | timechart span=5m count | where count>10

🔗 References

  • Vendor advisory: https://nlnetlabs.nl/downloads/unbound/CVE-2019-25040.txt
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2019-25040
