Unbound before 1.3.4 does not properly verify signatures for NSEC3 records, which allows remote attackers to cause secure delegations to be downgraded via DNS spoofing or other DNS-related attacks in conjunction with crafted delegation responses.

According to its self-reported version number, the remote Unbound DNS resolver is affected by a remote DNS spoofing vulnerability when verifying NSEC3 signatures.

It was discovered that Unbound, a DNS resolver, does not properly check cryptographic signatures on NSEC3 records. As a result, zones signed with the NSEC3 variant of DNSSEC lose their cryptographic protection. (An attacker would still have to carry out an ordinary cache poisoning attack to add bad data to the cache.)

Unbound did not check signatures on NSEC3 records which allowed attackers who could spoof DNS responses to bypass DNSSEC.
(CVE-2009-3602: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P))

ID	Name	Product	Family	Severity
106379	Unbound < 1.3.4 NSEC3 Signature Verification DNS Spoofing Vulnerability (CVE-2009-3602)	Nessus	DNS	high
44828	Debian DSA-1963-1 : unbound - cryptographic implementation error	Nessus	Debian Local Security Checks	high
44685	openSUSE Security Update : unbound (unbound-2015)	Nessus	SuSE Local Security Checks	high
44682	openSUSE Security Update : unbound (unbound-2015)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2009-3602

high

Tenable Plugins

high

high

high

high