CVE-2024-1488
NixOS vulnerability analysis and mitigation

Overview

A vulnerability (CVE-2024-1488) was discovered in Unbound, affecting the default permissions of its remote-control channel. The vulnerability was disclosed on February 14, 2024, and impacts the security of Unbound's runtime configuration. The issue affects various versions of Unbound running on Red Hat Enterprise Linux and other Linux distributions (NVD, Red Hat).

Technical details

The vulnerability stems from incorrect default permissions that allow any process outside the unbound group to modify the Unbound runtime configuration. The issue arises from the default combination of the 'control-use-cert: no' option with a 'control-interface' that is an IP address, whether given explicitly or left at the implicit default of localhost. Because no client certificate is required, any process that can connect over localhost to TCP port 8953 can issue unbound-control commands and alter the configuration of the running unbound.service. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (HIGH) by NVD and 8.0 (HIGH) by Red Hat (NVD).

Impact

This vulnerability allows an unprivileged local attacker to manipulate a running Unbound instance. The attacker can alter forwarders (and so redirect and track every query the local resolver forwards), change other runtime settings, and in some cases completely disrupt DNS resolution. This poses a significant risk to the confidentiality and integrity of DNS operations (Red Hat).

Mitigation and workarounds

To mitigate the vulnerability, a new file '/etc/unbound/conf.d/remote-control.conf' has been added and is included from the main Unbound configuration file. The file contains two directives: 'control-interface: "/run/unbound/control"' (a Unix domain socket, so access is governed by filesystem permissions rather than by whoever can reach localhost) and 'control-use-cert: "yes"' (clients must present the control certificate). Users can verify their configuration, as root, with the command 'unbound-control status | grep control'. If the 'options:' line of the output contains 'control(ssl)' or 'control(namedpipe)', the configuration is not vulnerable; a bare 'control' means the channel is plain TCP. In that case, add the line 'include: /etc/unbound/conf.d/remote-control.conf' to the end of '/etc/unbound/unbound.conf' so its directives override the earlier defaults, restart unbound, and run the check again (Red Hat).
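The following POSIX shell script is an added example for the vulnerable combination described under "Technical details" and the check and fix described above; it is not Red Hat's or Unbound's own code. It classifies a remote-control configuration the way the advisory does, checks 'unbound-control status' output for the 'control(ssl)' / 'control(namedpipe)' markers, and applies the drop-in idempotently. The configuration snippets, the status outputs and the paths it operates on are constructed assumptions, so it runs offline; on a real host substitute "$(unbound-control status)" and the advisory's paths.

```shell
#!/bin/sh
# Added example for CVE-2024-1488 (not Red Hat's or Unbound's own code).
# All inputs below are constructed for illustration.

# Constructed remote-control section in the shape the advisory calls
# vulnerable: plain TCP on localhost, no client certificate required.
VULN_CONF='remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953
    control-use-cert: no'

# The two directives the advisory's drop-in file carries.
DROPIN_CONF='remote-control:
    control-interface: "/run/unbound/control"
    control-use-cert: "yes"'

# What unbound.conf looks like once the include is appended at the end:
# later scalar values override earlier ones.
FIXED_CONF=$(printf '%s\n%s\n' "$VULN_CONF" "$DROPIN_CONF")

# Constructed "unbound-control status" outputs (not captured from a host).
STATUS_TCP='version: 1.16.2
verbosity: 1
threads: 4
modules: 2 [ validator iterator ]
uptime: 120 seconds
options: reuseport control
unbound (pid 1234) is running...'
STATUS_PIPE=$(printf '%s\n' "$STATUS_TCP" | sed 's/ control$/ control(namedpipe)/')

# Print every value of key $2 in config text $1, one per line, with
# quotes and trailing comments stripped. Commented-out keys do not match.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" \
        | sed 's/[[:space:]]*#.*$//; s/"//g'
}

# Exit 0 when config text $1 has the vulnerable combination: remote control
# enabled, certificates explicitly not required, and at least one control
# interface that is an IP address (or none given, which means 127.0.0.1).
conf_is_vulnerable() {
    enable=$(conf_value "$1" control-enable | tail -n 1)
    use_cert=$(conf_value "$1" control-use-cert | tail -n 1)
    ifaces=$(conf_value "$1" control-interface)
    [ "$enable" = yes ] || return 1
    # Upstream default is yes; only an explicit "no" drops the certificate check.
    [ "$use_cert" = no ] || return 1
    [ -n "$ifaces" ] || return 0
    for iface in $ifaces; do
        case "$iface" in
            /*) ;;          # Unix socket: access governed by file permissions
            *) return 0 ;;  # IP address: reachable by any local process
        esac
    done
    return 1
}

# Exit 0 when "unbound-control status" output $1 lacks the control(ssl) /
# control(namedpipe) marker that the advisory says indicates a safe setup.
status_is_vulnerable() {
    if printf '%s\n' "$1" | grep -qE 'control\((ssl|namedpipe)\)'; then
        return 1
    fi
    return 0
}

# Write the drop-in to $1 and make sure $2 (unbound.conf) includes it,
# without duplicating the include line on repeated runs. On a real host
# $1 is /etc/unbound/conf.d/remote-control.conf and $2 is
# /etc/unbound/unbound.conf; restart unbound afterwards and re-check.
apply_dropin() {
    dropin="$1"; main_conf="$2"
    printf '%s\n' "$DROPIN_CONF" > "$dropin"
    include_line="include: $dropin"
    grep -qF "$include_line" "$main_conf" 2>/dev/null \
        || printf '%s\n' "$include_line" >> "$main_conf"
}

# Demonstration on the constructed inputs.
if conf_is_vulnerable "$VULN_CONF"; then echo "default config: vulnerable"; fi
if conf_is_vulnerable "$FIXED_CONF"; then echo "with drop-in: vulnerable"; else echo "with drop-in: safe"; fi
if status_is_vulnerable "$STATUS_TCP"; then echo "status (tcp): vulnerable"; fi
if status_is_vulnerable "$STATUS_PIPE"; then echo "status (namedpipe): vulnerable"; else echo "status (namedpipe): safe"; fi
```

The config classifier treats a missing 'control-use-cert' as the upstream default of "yes", so it only flags an explicit "no" as in the shipped configuration; the status check is the authoritative one, because it reports what the running daemon actually listens on.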

This report was generated using AI.
