Qifan Zhang

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** A NULL pointer dereference can occur during the decryption of password-encrypted Cryptographic Message Syntax (CMS) messages. The issue arises because the OpenSSL CMS implementation dereferences the `PasswordRecipientInfo.keyDerivationAlgorithm` field without verifying its presence, despite it being defined as optional in the ASN.1 specification. An attacker can exploit this by providing a specially crafted CMS message, causing the application to crash and resulting in a Denial of Service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NLnet Labs Unbound versions 1.19.1 through 1.25.0 **Description** A flaw in the DNSSEC validator allows for denial of service and potential remote code execution. The issue occurs during the deep copying of a data structure when DS sub-queries suspend validation due to NSEC3 computational budget exhaustion. A struct-assignment bug causes the destination pointer to be overwritten by the source pointer. When the sub-query region is subsequently freed, the resumed validator dereferences this dangling pointer, which can lead to a system crash or arbitrary code execution. An attacker can trigger this by controlling a malicious signed zone and querying the affected system. **Recommendations** Update to version 1.25.1.

**Name of the Vulnerable Software and Affected Versions** Unbound versions 1.16.2 through 1.25.0 **Description** An issue exists within the ghost domain names family of attacks that allows an adversary who controls a ghost zone and can query the system to extend the ghost domain window by up to one cached TTL configured value. A single client NS query can cause the software to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset, utilizing the `cache-max-ttl` value. In configurations where `harden-referral-path: yes` is enabled, the issue can occur without a client NS query as the system performs that query implicitly. **Recommendations** Update to version 1.25.1.

**Name of the Vulnerable Software and Affected Versions** NLnet Labs Unbound versions prior to 1.25.1 **Description** An issue exists related to the parsing of long lists of incoming EDNS (Extension Mechanisms for DNS) options. An adversary can send queries containing an excessive number of EDNS options, causing Unbound threads to be held hostage while parsing and creating internal data structures. Coordinated attacks of this nature can lead to service degradation or a denial of service. **Recommendations** Update to version 1.25.1.

**Name of the Vulnerable Software and Affected Versions** NLnet Labs Unbound versions prior to 1.25.1 **Description** An issue exists in the jostle logic that can degrade resolution performance. When the `num-queries-per-thread` limit is reached, the jostle logic identifies slow-resolving queries for replacement. However, duplicate queries for the same resolution effort update the timestamp to the latest request rather than maintaining the original start time. This skews the aging process, preventing the system from correctly identifying and replacing aged queries. An attacker capable of querying the system and controlling a slow or malicious domain name server can exploit this to degrade performance, potentially leading to a denial of resolution service. Cache and local data response performance are not affected. **Recommendations** Update to version 1.25.1.

**Name of the Vulnerable Software and Affected Versions** NLnet Labs Unbound versions 1.14.0 through 1.25.0 **Description** A heap overflow occurs when encoding multiple NSID, DNS Cookie EDNS, and EDNS Padding options in a reply packet. This happens because a flaw in the size calculation of the EDNS field truncates the correct value, allowing the encoder to overflow the available space when writing Unbound controlled data, which can lead to a crash. For this to be exploited, the options `nsid`, `answer-cookie`, and `pad-responses` must be enabled. An attacker can trigger this by attaching multiple NSID, DNS Cookie EDNS, or EDNS Padding options to a query. **Recommendations** Update to version 1.25.1. As a temporary workaround, disable the `nsid`, `answer-cookie`, or `pad-responses` options to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** NLnet Labs Unbound versions prior to 1.25.1 **Description** A denial of service issue exists in the DNSSEC validator. When constructing chase-reply messages for validation, the software uses an incorrect counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication can increase the ANSWER section count, while authority filtering can decrease the AUTHORITY section count, creating an uninitialized array slot. The validator subsequently dereferences this uninitialized pointer, leading to a process crash. An attacker controlling a DNSSEC-signed domain can trigger this by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records along with signed ADDITIONAL glue records. **Recommendations** Update to version 1.25.1.

**Name of the Vulnerable Software and Affected Versions** NLnet Labs Unbound versions prior to 1.25.1 **Description** An issue exists when handling replies with very large RRsets (Resource Record sets) that require name compression. Malicious upstream responses containing very large RRsets with records that do not share a suffix above the root can cause the system to spend excessive time applying name compression to downstream replies. This can lead to degraded performance and denial of service. An adversary can trigger this by querying for specially crafted contents of a malicious zone. The process involves an unbounded operation that can lock the CPU until the packet is complete because the compression counter is not incremented when a compression tree lookup fails. **Recommendations** Update to version 1.25.1.

**Name of the Vulnerable Software and Affected Versions** NLnet Labs Unbound versions 1.14.0 through 1.25.0 **Description** A locking inconsistency occurs when specific conditions are met: the system is multi-threaded, an RPZ (Response Policy Zone) XFR (Zone Transfer) reload is performed, and an RPZ zone contains `rpz-nsip` or `rpz-nsdname` triggers. If an XFR occurs while another thread is reading the RPZ zone, the reader may not hold the lock sufficiently, allowing the thread applying the XFR to free objects that the reader is accessing. This leads to a heap use-after-free (a situation where a program continues to use a pointer after it has been freed), which can result in a crash. Local RPZ files do not trigger this issue. **Recommendations** Update to version 1.25.1.

**Name of the Vulnerable Software and Affected Versions** NLnet Labs Unbound versions prior to 1.25.1 **Description** A flaw in the DNSSEC validator occurs when the code path used to consult the negative cache for DS records ignores the limit on NSEC3 hash calculations. An attacker controlling a DNSSEC signed zone can exploit this by signing NSEC3 records with high iterations for child delegations and querying the system. This causes the software to perform excessive hash calculations, holding a global lock for the negative cache and blocking other threads. This results in service degradation and can lead to a denial of service through coordinated attacks. **Recommendations** Update to version 1.25.1.

**Name of the Vulnerable Software and Affected Versions** Knot Resolver versions prior to 5.6.0 **Description** The issue enables attackers to consume the resolver's resources, launching amplification attacks and potentially causing a denial of service. A single client query may lead to a hundred TCP connection attempts if a DNS server closes connections without providing a response. **Recommendations** For versions prior to 5.6.0, update to version 5.6.0 or later to resolve the issue.