CVE-2024-1488
📋 TL;DR
Because of incorrect default permissions, any local process that can connect to TCP port 8953 can modify the Unbound DNS resolver's runtime configuration. An attacker can change the configured forwarders to intercept or disrupt DNS resolution. Systems running vulnerable Unbound versions with the default configuration are affected.
💻 Affected Systems
- Unbound DNS resolver
📦 What is this software?
- Codeready Linux Builder Eus For Power Little Endian by Redhat
- Codeready Linux Builder For Arm64 by Redhat
- Codeready Linux Builder For Arm64 Eus by Redhat
- Codeready Linux Builder For Ibm Z Systems by Redhat
- Codeready Linux Builder For Ibm Z Systems Eus by Redhat
- Enterprise Linux For Ibm Z Systems by Redhat
- Enterprise Linux For Ibm Z Systems Eus by Redhat
- Enterprise Linux For Power Little Endian by Redhat
- Enterprise Linux For Power Little Endian Eus by Redhat
- Unbound by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Complete DNS resolution disruption, DNS query interception leading to credential theft or malware distribution via DNS hijacking.
Likely Case
DNS query monitoring and potential redirection to malicious DNS servers for traffic interception.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized local connections.
🎯 Exploit Status
Exploitation requires only a local connection to port 8953; no authentication is needed. A plain network connection and configuration-modification commands are sufficient.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check specific Red Hat advisories for patched versions (RHSA-2024:1750, RHSA-2024:1751, etc.)
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:1750
Restart Required: Yes
Instructions:
1. Update the Unbound package using the system package manager.
2. For RHEL: 'sudo yum update unbound'.
3. Restart the Unbound service: 'sudo systemctl restart unbound'.
🔧 Temporary Workarounds
Restrict localhost access to control port
Configure Unbound to accept control connections only from specific users/groups, or disable remote control entirely.
Edit /etc/unbound/unbound.conf
Add: control-interface: 127.0.0.1
Add: control-use-cert: yes
Set restrictive file permissions on the configuration file.
Firewall restriction
Block access to port 8953 from other hosts with local firewall rules. These rules only limit exposure when the control interface is bound beyond loopback; they do not restrict processes running on the same host, which is the scenario this CVE describes.
sudo iptables -A INPUT -p tcp --dport 8953 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8953 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Unbound from untrusted local processes.
- Monitor and alert on unauthorized connections to port 8953 using network monitoring tools.
🔍 How to Verify
Check if Vulnerable:
Check whether Unbound is running and listening on port 8953: 'sudo netstat -tlnp | grep 8953', and verify the configuration file permissions.
Check Version:
unbound -V or rpm -q unbound or dpkg -l unbound
Verify Fix Applied:
Verify updated package version: 'rpm -q unbound' (RHEL) or equivalent, and test that unauthorized local connections to port 8953 are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized connection attempts to port 8953 in system logs
- Unbound configuration changes in audit logs
Network Indicators:
- Unexpected traffic to/from port 8953
- DNS forwarder changes leading to unusual DNS patterns
SIEM Query:
(source="unbound.log" AND ("connection refused" OR "unauthorized" OR "control")) OR (destination_port=8953 AND NOT source_ip=127.0.0.1)
🔗 References
- https://access.redhat.com/errata/RHSA-2024:1750
- https://access.redhat.com/errata/RHSA-2024:1751
- https://access.redhat.com/errata/RHSA-2024:1780
- https://access.redhat.com/errata/RHSA-2024:1801
- https://access.redhat.com/errata/RHSA-2024:1802
- https://access.redhat.com/errata/RHSA-2024:1804
- https://access.redhat.com/errata/RHSA-2024:2587
- https://access.redhat.com/errata/RHSA-2024:2696
- https://access.redhat.com/errata/RHSA-2025:0837
- https://access.redhat.com/security/cve/CVE-2024-1488
- https://bugzilla.redhat.com/show_bug.cgi?id=2264183