CVE-2024-1931

7.5 HIGH

📋 TL;DR

This vulnerability in NLnet Labs Unbound DNS resolver allows remote attackers to cause denial of service via an infinite loop when EDE (Extended DNS Error) records are enabled. The vulnerability affects Unbound servers with non-default 'ede: yes' configuration when clients advertise small buffer sizes. Only Unbound versions 1.18.0 through 1.19.1 are affected.

💻 Affected Systems

Products:
  • NLnet Labs Unbound
Versions: 1.18.0 through 1.19.1 inclusive
Operating Systems: Linux, FreeBSD, Other Unix-like systems running Unbound
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when 'ede: yes' is explicitly configured (non-default setting)

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: complete outage of DNS resolution, potentially affecting all downstream services that rely on DNS lookups

🟠 Likely Case: targeted DoS against vulnerable Unbound instances, causing DNS resolution failures for clients

🟢 If Mitigated: minimal impact if the EDE feature is disabled or systems are patched

🌐 Internet-Facing: HIGH - Unbound DNS servers are typically internet-facing and can be targeted remotely
🏢 Internal Only: MEDIUM - Internal DNS servers could be targeted by compromised internal systems

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Requires sending DNS queries to trigger the condition

Exploitation requires clients with small advertised buffer sizes and EDE records in responses

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.19.2 and later

Vendor Advisory: https://nlnetlabs.nl/news/2024/Jul/03/unbound-1.19.2-released/

Restart Required: Yes

Instructions:

1. Download Unbound 1.19.2 or later from nlnetlabs.nl
2. Stop the Unbound service
3. Install/upgrade to the patched version
4. Restart the Unbound service

🔧 Temporary Workarounds

Disable EDE feature

Linux: remove or comment out the 'ede: yes' option. In unbound.conf the option normally sits indented under the server: section, so the pattern must allow leading whitespace; validate the config before restarting.

sed -i 's/^\([[:space:]]*\)ede:[[:space:]]*yes[[:space:]]*$/\1# ede: yes/' /etc/unbound/unbound.conf
unbound-checkconf
systemctl restart unbound

🧯 If You Can't Patch

  • Disable EDE feature in Unbound configuration
  • Implement network segmentation to limit access to Unbound servers

🔍 How to Verify

Check if Vulnerable:

Check the Unbound version with 'unbound -V' and grep the configuration files (including any pulled in via include:) for an uncommented 'ede: yes' line

Check Version:

unbound -V | grep -i version

Verify Fix Applied:

Verify the version is 1.19.2 or later: 'unbound -V | grep -i version' (the banner line begins with a capital "Version", so a case-sensitive grep for "version" matches nothing)
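A combined check for the two conditions above (affected version range 1.18.0 through 1.19.1 and an active 'ede: yes'), as an added example that is not from the advisory. It assumes the page's default config path /etc/unbound/unbound.conf and does not follow include: directives; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the advisory): is this host in the CVE-2024-1931
# exposure window, i.e. Unbound 1.18.0..1.19.1 AND an active "ede: yes"?

# "1.19.1" -> 1019001 so versions compare as integers; a non-numeric
# patch suffix such as "rc1" is dropped for the comparison.
version_key() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  pat=${3%%[!0-9]*}
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${pat:-0} ))
}

# Exit 0 when the version is inside the affected range, inclusive.
unbound_version_affected() {
  key=$(version_key "$1")
  [ "$key" -ge 1018000 ] && [ "$key" -le 1019001 ]
}

# Exit 0 when FILE has an uncommented "ede: yes" line (leading whitespace
# allowed, as under "server:"). Files pulled in via include: are not
# followed; pass them explicitly if you use them.
config_enables_ede() {
  grep -Eiq '^[[:space:]]*ede:[[:space:]]*yes[[:space:]]*(#.*)?$' "$1"
}

# Live check of the local host: prints a verdict, exits 2 when exposed.
assess_host() {
  conf=${1:-/etc/unbound/unbound.conf}   # page's default path (assumption)
  ver=$(unbound -V 2>/dev/null | awk 'tolower($1)=="version"{print $2; exit}')
  [ -n "$ver" ] || { echo "unbound not found"; return 1; }
  if unbound_version_affected "$ver" && config_enables_ede "$conf"; then
    echo "EXPOSED: Unbound $ver with active ede: yes in $conf"; return 2
  fi
  echo "not exposed: Unbound $ver (version affected: $(unbound_version_affected "$ver" && echo yes || echo no))"
}

# Run the live check only when asked: sh check-cve-2024-1931.sh --check [conf]
case "${1:-}" in --check) assess_host "${2:-}" ;; esac
```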

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • Unbound process hanging
  • DNS query timeouts

Network Indicators:

  • Increased DNS query failures
  • Unusual DNS query patterns targeting EDE features

SIEM Query:

source="unbound.log" ("high cpu" OR "timeout" OR "loop")

🔗 References