CVE-2024-1931: 
NixOS vulnerability analysis and mitigation

CVE-2024-1931 affects NLnet Labs Unbound versions 1.18.0 through 1.19.1. The vulnerability was discovered in March 2024 and can cause a denial of service through an infinite loop condition. The issue specifically affects installations where the non-default 'ede: yes' option is enabled (Vendor Advisory).

The vulnerability stems from a feature introduced in Unbound 1.18.0 that removes Extended DNS Error (EDE) records from responses when they exceed the client's advertised buffer size. When attempting to trim the text fields of EDE records to retain EDE codes while meeting size constraints, an unchecked condition can result in an infinite loop. This occurs specifically when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the required space for EDE records. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When successfully exploited, this vulnerability can lead to a denial of service condition by causing the server to enter an infinite loop, affecting the availability of the DNS resolver service (NetApp Advisory).

There are two primary mitigation options: either disable EDE support with 'ede: no' (which is the default configuration) or upgrade to Unbound version 1.19.2 or later, which contains the fix. For those unable to upgrade immediately, a manual patch is available that can be applied to affected versions (Vendor Advisory).

The vulnerability has been acknowledged and addressed by multiple organizations, including NetApp and various Linux distributions. FreeBSD security teams have discussed the impact, noting that their base system unbound configuration is not vulnerable by default but cautioning users against enabling the EDE option (FreeBSD List).