Detections
Analytics

Debian dla-4280 : libunbound-dev - security update

high Nessus Plugin ID 254407

Language:

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4280 advisory.

 ------------------------------------------------------------------------- Debian LTS Advisory DLA-4280-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin August 24, 2025 https://wiki.debian.org/LTS
 -------------------------------------------------------------------------

 Package : unbound Version : 1.13.1-1+deb11u5 CVE ID : CVE-2024-33655 CVE-2025-5994 Debian Bug : 1109427

 Vulnerabilities were found in unbound, a validating, recursive, and caching DNS resolver, which may lead to Denial of Service or cache poisoning.

 CVE-2024-33655

 The DNSBomb attack, via specially timed DNS queries and answers, can cause a Denial of Service on resolvers and spoofed targets.

 While Unbound itself is not vulnerable for DoS, it can be used to take part in a pulsing DoS amplification attack.

 Configuration options have been added to help mitigate the impact by trying to shrink the DNSBomb window so that the impact of the DoS from Unbound is significantly lower than it used to be:

 * discard-timeout: 1900 After 1900 ms a reply to the client will be dropped. Unbound would still work on the query but refrain from replying in order to not accumulate a huge number of old replies. Legitimate clients retry on timeouts.

 * wait-limit: 1000 Limits the amount of client queries that require recursion (cache-hits are not counted) per IP address. More recursive queries than the allowed limit are dropped.
 wait-limit: 0 disables all wait limits.

 * wait-limit-netblock These do not have a default value but they can fine grain configuration for specific netblocks.

 CVE-2025-5994

 Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.

 Unbound now includes a fix that disregards replies that came back without ECS when ECS was expected.

 This update also includes follow-up upstream fixes and improvements for CVE-2024-43167 and CVE-2024-43168.

 For Debian 11 bullseye, these problems have been fixed in version 1.13.1-1+deb11u5.

 We recommend that you upgrade your unbound packages.

 For the detailed security status of unbound please refer to its security tracker page at:
 https://security-tracker.debian.org/tracker/unbound

 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS Attachment:
 signature.asc Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the libunbound-dev packages.

See Also

https://security-tracker.debian.org/tracker/source-package/unbound

https://security-tracker.debian.org/tracker/CVE-2024-33655

https://security-tracker.debian.org/tracker/CVE-2024-43167

https://security-tracker.debian.org/tracker/CVE-2024-43168

https://security-tracker.debian.org/tracker/CVE-2025-5994

https://packages.debian.org/source/bullseye/unbound

Plugin Details

Severity: High

ID: 254407

File Name: debian_DLA-4280.nasl

Version: 1.1

Type: local

Agent: unix

Published: 8/24/2025

Updated: 8/24/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2025-5994

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2024-43168

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:unbound-host, p-cpe:/a:debian:debian_linux:libunbound8, p-cpe:/a:debian:debian_linux:python3-unbound, p-cpe:/a:debian:debian_linux:unbound-anchor, p-cpe:/a:debian:debian_linux:libunbound-dev, p-cpe:/a:debian:debian_linux:unbound

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 8/24/2025

Vulnerability Publication Date: 5/9/2024

Reference Information

CVE: CVE-2024-33655, CVE-2024-43167, CVE-2024-43168, CVE-2025-5994