CVE-2022-3204 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2022-3204 Interim 1 14 2023-09-06T23:34:13Z current 2022-09-22T23:36:12Z 2023-09-06T23:34:13Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2022-3204 A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the attack and the replies, different limits could be reached. From version 1.16.3 on, Unbound introduces fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Enterprise Storage 6 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Package Hub 15 SP4 SUSE Linux Enterprise Module for Package Hub 15 SP5 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Basesystem 15 SP4 openSUSE Tumbleweed libunbound2 libunbound8-1.16.3-1.1 python3-unbound-1.16.3-1.1 unbound unbound-1.16.3-1.1 unbound-anchor unbound-anchor-1.16.3-1.1 unbound-devel unbound-devel-1.16.3-1.1 unbound-munin-1.16.3-1.1 unbound-python libunbound8-1.16.3-1.1 as a component of openSUSE Tumbleweed python3-unbound-1.16.3-1.1 as a component of openSUSE Tumbleweed unbound-1.16.3-1.1 as a component of openSUSE Tumbleweed unbound-anchor-1.16.3-1.1 as a component of openSUSE Tumbleweed unbound-devel-1.16.3-1.1 as a component of openSUSE Tumbleweed unbound-munin-1.16.3-1.1 as a component of openSUSE Tumbleweed unbound as a component of SUSE Enterprise Storage 6 libunbound2 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP4 unbound-anchor as a component of SUSE Linux Enterprise Module for Basesystem 15 SP4 unbound-devel as a component of SUSE Linux Enterprise Module for Basesystem 15 SP4 unbound as a component of SUSE Linux Enterprise Module for Basesystem 15 SP4 libunbound2 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 unbound-anchor as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 unbound-devel as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 unbound as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 unbound as a component of SUSE Linux Enterprise Module for Package Hub 15 SP4 unbound-python as a component of SUSE Linux Enterprise Module for Package Hub 15 SP4 unbound as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 unbound-python as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the attack and the replies, different limits could be reached. From version 1.16.3 on, Unbound introduces fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records. CVE-2022-3204 openSUSE Tumbleweed:libunbound8-1.16.3-1.1 openSUSE Tumbleweed:python3-unbound-1.16.3-1.1 openSUSE Tumbleweed:unbound-1.16.3-1.1 openSUSE Tumbleweed:unbound-anchor-1.16.3-1.1 openSUSE Tumbleweed:unbound-devel-1.16.3-1.1 openSUSE Tumbleweed:unbound-munin-1.16.3-1.1 SUSE Enterprise Storage 6:unbound SUSE Linux Enterprise Module for Basesystem 15 SP4:libunbound2 SUSE Linux Enterprise Module for Basesystem 15 SP4:unbound SUSE Linux Enterprise Module for Basesystem 15 SP4:unbound-anchor SUSE Linux Enterprise Module for Basesystem 15 SP4:unbound-devel SUSE Linux Enterprise Module for Basesystem 15 SP5:libunbound2 SUSE Linux Enterprise Module for Basesystem 15 SP5:unbound SUSE Linux Enterprise Module for Basesystem 15 SP5:unbound-anchor SUSE Linux Enterprise Module for Basesystem 15 SP5:unbound-devel SUSE Linux Enterprise Module for Package Hub 15 SP4:unbound SUSE Linux Enterprise Module for Package Hub 15 SP4:unbound-python SUSE Linux Enterprise Module for Package Hub 15 SP5:unbound SUSE Linux Enterprise Module for Package Hub 15 SP5:unbound-python important 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H