Netgate Discussion Forum

    Unbound - CVE-2023-50387 and CVE-2023-50868

      johnpoz LAYER 8 Global Moderator @coxhaus

      @coxhaus While I haven't spent much time looking into this.. I have browsed over some of the info, and it seems this is more of an issue for public resolvers..

      For this to happen, your resolver would have to query a bad domain. Why would it do that unless one of your clients asked for it?

      Sure one of your clients that knows a bad site to query, could query your unbound and cause the problem.. But why/how would one of your clients do that? Guess they could go to some other bad site that has a link to one of these bad sites and then your client would query your dns for it.

      If that is something you're worried about, the simple mitigation is to just turn off dnssec in unbound. There is no reason to forward, just turn off dnssec if you're concerned.

      I personally have not done this, I am not too concerned that one of my devices on my network would query such a domain to cause this problem.. Are there even any out there? I have not seen a score assigned to these CVEs as of yet.. The write ups I have read don't list any active exploits as of yet, etc.

      And while such a dos to a public resolver could be bad, and some bad actor might think hey lets take down X resolver, etc.. I don't see that happening with my local resolver.. And if it did, it would be simple enough to mitigate.. And I would be more interested in the client on my network doing it and tracking them down, or what sites might have instigated the client to do the query, etc.

      While sure it's good to be informed on such issues, I don't see anything requiring immediate action on my part, nor do I personally think it requires me to disable dnssec or forward on the off chance, etc.. But you do you.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

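      The post above frames the choice as "upgrade, or turn DNSSEC validation off": the two CVEs are only reachable through the validator, so a resolver that is not validating is not exposed, and a resolver already on 1.19.1 (the release the later posts upgrade to, which carries the fix) needs nothing. The POSIX shell script below is an added example, not code from any poster or from pfSense; it encodes that decision. It assumes FreeBSD pkg-style version strings like those quoted in this thread (1.18.0_1, 1.19.1), and it assumes pfSense turns DNSSEC on by loading Unbound's validator module and a trust anchor in the generated /var/unbound/unbound.conf (an assumption about the exact directives; check your own file). The two config fragments are constructed samples so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not from the thread: upgrade-or-mitigate decision for a local
# Unbound. Versions follow FreeBSD pkg style ("1.18.0_1"). The config directives
# are an ASSUMPTION about what pfSense writes when DNSSEC is ticked.

# Return 0 if pkg version string $1 is at least 1.19.1 (the release that
# carries the fix for CVE-2023-50387 and CVE-2023-50868).
unbound_version_ok() {
    ver=${1%%_*}                                   # drop the _N port revision
    set -- $(printf '%s' "$ver" | tr '.' ' ')      # split major minor patch
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 19 ] && return 0
    [ "$minor" -lt 19 ] && return 1
    [ "$patch" -ge 1 ]
}

# Return 0 if the unbound.conf text on stdin turns DNSSEC validation on:
# the validator module is loaded, or a trust anchor is configured.
dnssec_enabled() {
    grep -Eq '^[[:space:]]*(module-config:.*validator|(auto-)?trust-anchor-file:)'
}

# Classify one resolver. Prints:
#   ok             - already on a fixed release
#   upgrade        - below the fix and validating, so the affected path is live
#   not-validating - below the fix, but DNSSEC is off (the mitigation above)
assess() {
    if unbound_version_ok "$1"; then
        echo ok
    elif printf '%s\n' "$2" | dnssec_enabled; then
        echo upgrade
    else
        echo not-validating
    fi
}

# Constructed sample configs (assumed pfSense directives, not real files).
CONF_DNSSEC='server:
    module-config: "validator iterator"
    auto-trust-anchor-file: /var/unbound/root.key'
CONF_PLAIN='server:
    module-config: "iterator"'

# On the firewall itself you would feed live values instead, e.g.:
#   assess "$(pkg query %v unbound)" "$(cat /var/unbound/unbound.conf)"
for v in 1.18.0_1 1.19.1; do
    echo "$v + dnssec: $(assess "$v" "$CONF_DNSSEC")"
    echo "$v + plain : $(assess "$v" "$CONF_PLAIN")"
done
```

The version compare deliberately ignores the FreeBSD port revision suffix, since the upstream fix is what matters; the "not-validating" outcome is reported separately rather than as "ok" so that a resolver whose validation was switched off as a stopgap is still flagged for the upgrade later.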
      Gertjan

        [23.09.1-RELEASE][root@pfSense.bhf.tld]/root: pkg upgrade
        Updating pfSense-core repository catalogue...
        Fetching meta.conf:   0%
        pfSense-core repository is up to date.
        Updating pfSense repository catalogue...
        Fetching meta.conf:   0%
        pfSense repository is up to date.
        All repositories are up to date.
        Checking for upgrades (19 candidates): 100%     19 B   0.0kB/s    00:01
        Processing candidates (19 candidates): 100%     19 B   0.0kB/s    00:01
        The following 2 package(s) will be affected (of 0 checked):
        
        Installed packages to be UPGRADED:
                curl: 8.5.0 -> 8.6.0 [pfSense]
                unbound: 1.18.0_1 -> 1.19.1 [pfSense] 
        
        Number of packages to be upgraded: 2
        
        3 MiB to be downloaded.
        
        Proceed with this action? [y/N]: y
        

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        MoonKnight @Gertjan

          @Gertjan

          Number of packages to be upgraded: 2
          
          3 MiB to be downloaded.
          
          Proceed with this action? [y/N]: y
          [1/2] Fetching unbound-1.19.1.pkg: 100%    1 MiB   1.5MB/s    00:01    
          [2/2] Fetching curl-8.6.0.pkg: 100%    1 MiB   1.2MB/s    00:01    
          Checking integrity... done (0 conflicting)
          [1/2] Upgrading unbound from 1.18.0_1 to 1.19.1...
          ===> Creating groups.
          Using existing group 'unbound'.
          ===> Creating users
          Using existing user 'unbound'.
          [1/2] Extracting unbound-1.19.1: 100%
          unbound-1.18.0_1: missing file /usr/local/man/man1/unbound-host.1.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/libunbound.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_cancel.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_add_ta.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_add_ta_file.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_async.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_config.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_create.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_data_add.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_data_remove.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_debuglevel.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_debugout.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_delete.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_get_option.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_hosts.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_print_local_zones.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_resolvconf.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_set_fwd.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_set_option.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_trustedkeys.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_zone_add.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_ctx_zone_remove.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_fd.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_poll.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_process.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_resolve.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_resolve_async.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_resolve_free.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_result.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_strerror.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man3/ub_wait.3.gz
          unbound-1.18.0_1: missing file /usr/local/man/man5/unbound.conf.5.gz
          unbound-1.18.0_1: missing file /usr/local/man/man8/unbound-anchor.8.gz
          unbound-1.18.0_1: missing file /usr/local/man/man8/unbound-checkconf.8.gz
          unbound-1.18.0_1: missing file /usr/local/man/man8/unbound-control-setup.8.gz
          unbound-1.18.0_1: missing file /usr/local/man/man8/unbound-control.8.gz
          unbound-1.18.0_1: missing file /usr/local/man/man8/unbound.8.gz
          [2/2] Upgrading curl from 8.5.0 to 8.6.0...
          [2/2] Extracting curl-8.6.0: 100%
          [23.09.1-RELEASE][admin@pfSense.home.arpa]/root: 
          

          --- 24.11 ---
          Intel(R) Xeon(R) CPU D-1518 @ 2.20GHz
          Kingston DDR4 2666MHz 16GB ECC
          2 x HyperX Fury SSD 120GB (ZFS-mirror)
          2 x Intel i210 (ports)
          4 x Intel i350 (ports)

          johnpoz LAYER 8 Global Moderator @MoonKnight

            @MoonKnight are you asking why those are missing, or are you just showing that you updated? None of the packages that pf installs include the man pages that I am aware of..

            Possible that they forgot to update the pkg list of what is included so it doesn't show that?


            MoonKnight @johnpoz

              @johnpoz
              hehe I was in a hurry. Just posted the output, probably nothing special, like you say :)


              TheNarc @MoonKnight

                @MoonKnight I got the same output, but 1.19.1 started fine with no warnings/errors in the log output when I restarted the service.

                tinfoilmatt @TheNarc

                  @TheNarc Same, and a successful package update notice was printed to the System log:

                  2024-03-06 10:58:05.404047-05:00 	pkg-static 	80765 	unbound upgraded: 1.18.0_1 -> 1.19.1
                  

                  thanks (and to @MoonKnight as well) for the upgrade confidence nudge.

                  bmeeks @johnpoz

                    @johnpoz said in Unbound - CVE-2023-50387 and CVE-2023-50868:

                    Possible that they forgot to update the pkg list of what is included so it doesn't show that?

                    Yes. Those files are generated for use when you consult man pages from the CLI. But none of the pfSense packages are compiled with those pages in order to save space. Normally there is a command added to the Makefile for the package that suppresses generation of the man pages. Apparently that got left out of the pfSense build (those man pages default to "on" in the normal FreeBSD ports tree).

                    Not having the files is harmless.

                    Edit: checked GitHub, and in this particular case it seems a change was made to the location where the man files (docs) were to be stored. Here is the commit: https://github.com/pfsense/FreeBSD-ports/commit/0abb4aa51d10dadd60c11278b91616d1f689f8ac. Apparently something is either not finished in the change or the location is wrong.

                    pfpv @Gertjan

                      @Gertjan said in Unbound - CVE-2023-50387 and CVE-2023-50868:

                      [23.09.1-RELEASE][root@pfSense.bhf.tld]/root: pkg upgrade
                      

                      Should we all run this package upgrade?

                      bmeeks @pfpv

                        @pfpv said in Unbound - CVE-2023-50387 and CVE-2023-50868:

                        @Gertjan said in Unbound - CVE-2023-50387 and CVE-2023-50868:

                        [23.09.1-RELEASE][root@pfSense.bhf.tld]/root: pkg upgrade
                        

                        Should we all run this package upgrade?

                        Depends upon whether you think your network is really vulnerable to the exploit described in the CVE reports.

                        For my case, with a home LAN, I'm just waiting until I update to pfSense Plus 24.03 in the future as I suspect it is going to be released soon. If I ran a business critical network that was perhaps vulnerable to the CVE exploits, then I would update.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.