CVE-2019-25042

9.8 CRITICAL

📋 TL;DR

CVE-2019-25042 is an out-of-bounds write vulnerability in the Unbound DNS resolver, versions before 1.9.5, triggered by specially crafted compressed DNS names. The flaw could in principle allow remote code execution, but the vendor disputes that it is exploitable in real-world deployments. Any organization running an unpatched Unbound instance is affected.

💻 Affected Systems

Products:
  • Unbound DNS resolver
Versions: All versions before 1.9.5
Operating Systems: Linux, BSD, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: The vendor disputes that this is exploitable in running installations, but the vulnerability exists in the code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, DNS cache poisoning, or denial of service.

🟠 Likely Case

Denial of service through an Unbound crash; the impact may be limited if the vendor's position that the flaw is not practically exploitable holds.

🟢 If Mitigated

Minimal impact if patched, or if the vendor's assessment of non-exploitability is accurate.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

No public exploit is known; the vendor disputes practical exploitability despite the CVSS 9.8 score.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.5 and later

Vendor Advisory: https://nlnetlabs.nl/downloads/unbound/CVE-2019-25042.txt

Restart Required: Yes

Instructions:

1. Download Unbound 1.9.5 or later from nlnetlabs.nl.
2. Stop the Unbound service.
3. Install the new version.
4. Restart the Unbound service.

🔧 Temporary Workarounds

Disable recursion for untrusted sources

Configure Unbound to allow recursive queries only from trusted networks. This reduces the attack surface by limiting who can reach the vulnerable parser, but it does not fix the parser itself, so it complements rather than replaces the upgrade.

# Edit unbound.conf and set, for your trusted range:
#   access-control: 192.168.0.0/16 allow
# Then restart:
#   systemctl restart unbound
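As an added example (it is not part of this advisory card or of NLnet Labs' own documentation), here is a server: section of unbound.conf that applies the workaround above. The interface address and netblocks are placeholders for your own internal ranges:

```conf
server:
    # Listen only on the internal address; 0.0.0.0 would expose the resolver
    # on every interface. (Placeholder address.)
    interface: 192.168.1.53

    # Weak setting: an open resolver that recurses for anyone.
    # access-control: 0.0.0.0/0 allow

    # Hardened setting: refuse everything by default, then allow only trusted
    # ranges. When several netblocks match, the most specific one wins.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.168.0.0/16 allow
```

Validate the file with unbound-checkconf before restarting (it reports syntax errors without touching the running service), then restart with systemctl restart unbound. Refusing by default matches Unbound's built-in default policy; listing it explicitly makes the intended policy visible to whoever audits the configuration later.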

🧯 If You Can't Patch

  • Implement network segmentation to isolate Unbound servers from untrusted networks.
  • Deploy intrusion detection systems to monitor for anomalous DNS traffic patterns.

🔍 How to Verify

Check if Vulnerable:

Check the Unbound version with 'unbound -V' (or 'unbound -h', which also prints it) and see whether it is below 1.9.5.

Check Version:

unbound -V

Verify Fix Applied:

Confirm that the version is 1.9.5 or higher using 'unbound -V' and ensure the service is running without errors.
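The version check and the post-upgrade verification above can be scripted. The following is an added example, not code from this advisory or from the Unbound project: it parses the output of unbound -V, compares the dotted version numerically against 1.9.5, and prints a verdict. It assumes the first line of unbound -V reads "Version X.Y.Z", which is what current Unbound builds print; the sample output embedded in the script is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example for this advisory page, not part of the original card or of
# Unbound itself: parse `unbound -V` and decide whether the installed build is
# below the fixed release 1.9.5. Assumes the first output line reads
# "Version X.Y.Z".

FIXED_VERSION="1.9.5"

# Constructed sample of `unbound -V` output from an unpatched build, used to
# exercise the parser without a real binary.
SAMPLE_V_OUTPUT="Version 1.9.4

Configure line: --prefix=/usr --sysconfdir=/etc
linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1"

# Pull the dotted numeric version out of `unbound -V` output. A suffix such as
# "rc1" is dropped, so pre-releases compare as the numbers they carry.
unbound_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Compare two dotted versions component by component as integers and print
# -1, 0 or 1. Plain string comparison would wrongly rank 1.10.0 below 1.9.5.
version_cmp() {
    _vc_a="$1"; _vc_b="$2"; _vc_i=1
    while :; do
        _vc_x=$(printf '%s' "$_vc_a" | awk -F. -v n="$_vc_i" '{print $n}')
        _vc_y=$(printf '%s' "$_vc_b" | awk -F. -v n="$_vc_i" '{print $n}')
        if [ -z "$_vc_x" ] && [ -z "$_vc_y" ]; then printf '%s\n' 0; return 0; fi
        _vc_x=${_vc_x:-0}; _vc_y=${_vc_y:-0}
        if [ "$_vc_x" -lt "$_vc_y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$_vc_x" -gt "$_vc_y" ]; then printf '%s\n' 1; return 0; fi
        _vc_i=$((_vc_i + 1))
    done
}

# Exit status 0 (true) when the given version is strictly below 1.9.5.
unbound_is_vulnerable() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" = "-1" ]
}

# Run against the real binary when one is in PATH and print a verdict.
# Exit status: 0 fix present, 1 vulnerable, 2 undetermined.
check_installed_unbound() {
    if ! command -v unbound >/dev/null 2>&1; then
        echo "unbound: binary not found in PATH; cannot determine version"
        return 2
    fi
    _ci_v=$(unbound_version_from_output "$(unbound -V 2>/dev/null)")
    if [ -z "$_ci_v" ]; then
        echo "unbound: could not parse a version from 'unbound -V' output"
        return 2
    fi
    if unbound_is_vulnerable "$_ci_v"; then
        echo "unbound $_ci_v is below $FIXED_VERSION: affected by CVE-2019-25042, upgrade"
        return 1
    fi
    echo "unbound $_ci_v is $FIXED_VERSION or later: fix present for CVE-2019-25042"
    return 0
}

# Only query the live system when asked to; sourcing the file just defines
# the functions.
if [ "${1:-}" = "--check" ]; then
    check_installed_unbound
fi
```

Run it as sh check-unbound.sh --check on the resolver host. One caveat for distribution packages: vendors sometimes backport a fix while keeping a version number below 1.9.5, so when the script reports a vulnerable version on a packaged build, confirm against the package changelog before concluding the fix is absent.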

📡 Detection & Monitoring

Log Indicators:

  • Unbound crash logs and abnormal-termination messages in system logs.

Network Indicators:

  • DNS queries with anomalous or malformed name compression (ordinary DNS messages use compression too, so volume alone is not an indicator), and spikes in malformed DNS traffic.

SIEM Query:

source="unbound.log" AND ("segmentation fault" OR "crash" OR "out-of-bounds")
