CVE-2012-1192 in Unboundinfo

Summary

by MITRE

The resolver in Unbound before 1.4.11 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 02/14/2019

The vulnerability identified as CVE-2012-1192 affects the Unbound DNS resolver version 1.4.10 and earlier, representing a critical flaw in DNS cache management that enables persistent resolution of revoked domain names. This issue stems from improper handling of cached data during DNS query processing, specifically when processing A record responses that inadvertently overwrite NS record cache entries with outdated information. The flaw creates a persistent state where revoked domains continue to resolve successfully despite their actual unavailability, fundamentally compromising the integrity of DNS resolution services.

The technical implementation of this vulnerability resides in the cache update mechanism within Unbound's resolver component, where the software fails to properly distinguish between different record types when updating cached entries. During normal DNS operations, when an A record query is processed, the resolver incorrectly updates cached NS records with stale server names and TTL values, effectively creating a "ghost domain" effect where malicious actors can maintain continued access to domains that have been revoked or removed from DNS servers. This behavior directly violates the expected DNS cache consistency model and creates a persistent security risk that can be exploited by remote attackers without authentication.

The operational impact of CVE-2012-1192 extends beyond simple DNS resolution issues, creating a significant attack surface for various malicious activities including phishing campaigns, malware distribution, and domain hijacking. Attackers can exploit this vulnerability to maintain continued access to revoked domains for extended periods, potentially bypassing security controls that depend on DNS-based reputation systems or domain validation mechanisms. The vulnerability enables persistent access to compromised domains through cache poisoning techniques that leverage the flawed cache update logic, making it particularly dangerous for organizations relying on DNS-based security controls and network monitoring systems. This issue affects the fundamental trust model of DNS resolution and can lead to prolonged exposure to malicious domains.

Organizations should immediately upgrade to Unbound version 1.4.11 or later to remediate this vulnerability, as no effective workarounds exist for the underlying cache management flaw. The fix implemented in version 1.4.11 addresses the core issue by properly isolating cache updates for different DNS record types and ensuring that NS record cache entries are not inadvertently overwritten during A record processing. Security administrators should also implement monitoring for unusual DNS resolution patterns and consider deploying DNS security extensions such as DNSSEC to provide additional protection layers against cache poisoning attacks. This vulnerability aligns with CWE-20, "Improper Input Validation," and represents a specific implementation weakness in DNS cache management that can be exploited through the ATT&CK technique of DNS Tunneling and Cache Poisoning. The remediation process requires careful testing to ensure that the upgrade does not introduce compatibility issues with existing DNS infrastructure while maintaining the integrity of legitimate DNS resolution services.

Reservation

02/17/2012

Disclosure

02/17/2012

Moderation

accepted

Entry

VDB-60243

CPE

ready

EPSS

0.01430

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!