CVE-2019-18934

Published: Nov 19, 2019Modified: Nov 21, 2024

7.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Exploitability: 3.9 / Impact: 3.4

Source: NVD

Description

Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration.

Affected (4)

Products: Nlnetlabs: Unbound · Fedoraproject: Fedora · Opensuse: Leap

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Nlnetlabs Unbound	From 1.6.4 to 1.9.4

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 31

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Opensuse Leap	Version 15.1
Opensuse Leap	Version 15.2

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (14)

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00067.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00069.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2019/11/19/1

Source: cve@mitre.org

ExploitMailing ListThird Party Advisory

https://github.com/NLnetLabs/unbound/blob/release-1.9.5/doc/Changelog

Source: cve@mitre.org

Release Notes

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCR6JP7MSRARTOGEHGST64G4FJGX5VK/

Source: cve@mitre.org

https://www.nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt

Source: cve@mitre.org

PatchVendor Advisory

https://www.nlnetlabs.nl/news/2019/Nov/19/unbound-1.9.5-released/

Source: cve@mitre.org

Release NotesVendor Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00067.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00069.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2019/11/19/1

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMailing ListThird Party Advisory

https://github.com/NLnetLabs/unbound/blob/release-1.9.5/doc/Changelog

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCR6JP7MSRARTOGEHGST64G4FJGX5VK/

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://www.nlnetlabs.nl/news/2019/Nov/19/unbound-1.9.5-released/

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.