CVE-2023-50387 and CVE-2023-50868
What is the plan to mitigate these two newly disclosed DNSSEC validation vulnerabilities, which affect all well-known resolvers?
Unbound has released an update.
Pi-Hole has released an update.
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
https://www.athene-center.de/en/news/press/key-trap
https://seclists.org/oss-sec/2024/q1/125
-
"By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service."
This attack is more targeted at the well-known resolvers (which appears to be a much bigger problem), by slowing them down. Firewalla does use unbound; since the resolver service is LAN-only, the only attack path is on the LAN itself, which means the risk is very low. (Meaning someone on your LAN, with access to your network, can easily DoS the router, with or without this flaw.)
We will update to Unbound 1.19.1 with the fix in the near future.
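The reply above rests on two checkable facts: the installed Unbound carries the 1.19.1 fix, and the resolver only listens on LAN addresses. The script below is an added example, not code from the thread or from Firewalla or NLnet Labs. It assumes that the first line of `unbound -V` reads `Version X.Y.Z` (the format I have seen from that binary) and that the listening addresses appear as `interface:` lines in unbound.conf; the configuration text it inspects is constructed for the example, and the sample version string is only used when no `unbound` binary is on the PATH.

```sh
#!/bin/sh
# Added example: confirm an Unbound build is at or past 1.19.1 (the release that
# fixes CVE-2023-50387 / CVE-2023-50868) and that it does not bind a wildcard
# address. Not Firewalla's or NLnet Labs' code.

# version_ge A B : succeed (exit 0) when dotted version A is >= B.
# Missing trailing components count as 0, so 1.19 < 1.19.1.
version_ge() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    [ "$ai" = "$a" ] && a="" || a=${a#*.}
    [ "$bi" = "$b" ] && b="" || b=${b#*.}
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
  done
  return 0
}

# unbound_fixed LINE : LINE is the first line of `unbound -V` output,
# assumed to look like "Version 1.19.1". Exit 0 if the build has the fix,
# 1 if it is older, 2 if the line could not be parsed.
unbound_fixed() {
  v=$(printf '%s\n' "$1" | sed -n 's/^Version \([0-9.]*\).*/\1/p')
  [ -n "$v" ] || return 2
  version_ge "$v" 1.19.1
}

# wildcard_listen CONF : succeed if the unbound.conf text in CONF binds
# 0.0.0.0 or :: (optionally with an @port suffix), i.e. is not LAN-only
# by configuration alone.
wildcard_listen() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*interface:[[:space:]]*//p' \
    | grep -qE '^(0\.0\.0\.0|::)(@[0-9]+)?$'
}

# Constructed configuration in the LAN-only shape the thread describes.
SAMPLE_CONF='server:
    interface: 192.168.1.1
    interface: 127.0.0.1
    access-control: 192.168.1.0/24 allow
'

if command -v unbound >/dev/null 2>&1; then
  first=$(unbound -V 2>/dev/null | head -n 1)
else
  first="Version 1.19.0"   # constructed sample output when unbound is not installed
fi

if unbound_fixed "$first"; then
  echo "ok: $first includes the 1.19.1 fix"
else
  echo "update needed: $first predates 1.19.1"
fi

if wildcard_listen "$SAMPLE_CONF"; then
  echo "warning: unbound binds a wildcard address; not LAN-only by config"
else
  echo "ok: unbound binds specific addresses only"
fi
```

Binding specific LAN addresses and adding an `access-control` line is what makes the "LAN-only" claim true by configuration rather than by firewall rules alone; the script flags the wildcard case so that a reader can tell the two apart.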
-
You're operating under the assumption that LAN environments are inherently secure and that threats predominantly originate from external sources. This assumption does not always hold true, especially in scenarios where devices within the LAN are compromised. The proliferation of smart devices and the increasing complexity of home and small office networks have expanded the attack surface, making internal threats a significant concern. Malicious software on a single device within the network can exploit the described vulnerability to conduct a Denial of Service attack, affecting the availability of network resources for all users.
Second, you're minimizing the potential impact of a DoS attack originating from within the LAN, suggesting that since an attacker needs LAN access, the risk is inherently low. This perspective does not fully account for the variety of ways in which an attacker can gain such access. Phishing attacks, weak Wi-Fi security practices, or exploiting other vulnerabilities within the network can provide malicious actors with the needed foothold. Once inside, the ability to disrupt the DNS resolution process can have serious implications, not only limiting internet access but also potentially enabling further exploits.
Moreover, the discussion around the use of unbound in a LAN-only configuration as a mitigating factor fails to consider the evolving nature of cyber threats. Attackers continuously refine their methods, and vulnerabilities thought to be of low risk can be chained with other exploits to enable more sophisticated attacks. The security of network infrastructure, especially components as critical as DNS resolvers, should not be underestimated, regardless of the perceived attack vector's immediacy.
So while the assertion that the risk is very low due to the attack path being limited to the LAN holds some merit, you're underestimating the complexity and dynamism of internal network threats. A comprehensive security strategy considers both external and internal threats, recognizing that the landscape of potential vulnerabilities is ever-changing. Ensuring robust security measures, including but not limited to network segmentation, strong authentication practices, and continuous monitoring for unusual network activity, can help mitigate the risks associated with such vulnerabilities.
C'est la vie.