Amazon Linux 2 Security Advisory: ALASUNBOUND-2024-002
Advisory Release Date: 2024-06-19 20:39 Pacific
Advisory Updated Date: 2024-06-24 11:30 Pacific
A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether. (CVE-2024-1488)
Affected Packages:
unbound
Note:
This advisory is applicable to Amazon Linux 2 - Unbound Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update unbound to update your system.
aarch64:
unbound-1.13.1-3.amzn2.0.4.aarch64
unbound-devel-1.13.1-3.amzn2.0.4.aarch64
unbound-libs-1.13.1-3.amzn2.0.4.aarch64
python2-unbound-1.13.1-3.amzn2.0.4.aarch64
python3-unbound-1.13.1-3.amzn2.0.4.aarch64
unbound-debuginfo-1.13.1-3.amzn2.0.4.aarch64
src:
unbound-1.13.1-3.amzn2.0.4.src
x86_64:
unbound-1.13.1-3.amzn2.0.4.x86_64
unbound-devel-1.13.1-3.amzn2.0.4.x86_64
unbound-libs-1.13.1-3.amzn2.0.4.x86_64
python2-unbound-1.13.1-3.amzn2.0.4.x86_64
python3-unbound-1.13.1-3.amzn2.0.4.x86_64
unbound-debuginfo-1.13.1-3.amzn2.0.4.x86_64