CVE-2024-33655
Unbound vulnerability analysis and mitigation

Overview

The DNS protocol in RFC 1035 and updates is affected by a vulnerability known as 'DNSBomb' (CVE-2024-33655), discovered by Xiang Li from the Network and Information Security Lab of Tsinghua University. This vulnerability allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst, which can be considered traffic amplification in some cases (NVD, Unbound Advisory).

Technical details

The DNSBomb attack operates in three phases: First, it accumulates DNS queries at a low rate by exploiting DNS timeout mechanisms. Second, it amplifies queries into larger responses through query aggregation and specially crafted zones. Finally, it concentrates all responses into short, high-volume periodic bursts by controlling response timing. The attack can achieve an amplification factor exceeding 20,000x in some cases, with peak pulse magnitude approaching 8.7Gb/s (Meterpreter, BIND Blog).

Impact

The vulnerability can lead to denial of service conditions by overwhelming target systems with synchronized response streams. The attack is particularly effective because it uses legitimate DNS features and can bypass current mitigation patches for DNS cache poisoning attacks. The pulsing nature of the attack makes it harder to detect compared to traditional DoS attacks, as it maintains a low average traffic rate while creating periodic overwhelming bursts (Meterpreter).

Mitigation and workarounds

Several mitigation measures have been implemented in DNS software updates. These include limiting query rate and timeout values, standardizing the maximum response size sent to a client, and rate-controlling how quickly accumulated responses are returned. Specific Unbound configuration options include discard-timeout set to 1900 (milliseconds), wait-limit set to 1000, and wait-limit-cookie set to 10000. Software vendors have released patches, with Unbound version 1.20.0 containing fixes that significantly lower the impact of DoS attacks (Unbound Advisory).
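The three Unbound options named above can be checked mechanically. The following Python script is an added example, not part of this report or of the Unbound project: it parses the server: clause of an unbound.conf and reports each DNSBomb-related limit as ok, weak, disabled or missing against the values given above. The sample configuration is constructed, and the rule that a value of 0 switches a limit off follows the unbound.conf documentation rather than this page.

```python
"""Audit an unbound.conf for the CVE-2024-33655 (DNSBomb) limits introduced in Unbound 1.20.0."""
import re

# Values from the advisory summary above. In Unbound a value of 0 disables the limit
# (per the unbound.conf documentation, an assumption not stated on this page).
RECOMMENDED = {
    "discard-timeout": 1900,     # milliseconds a pending query may wait before it is dropped silently
    "wait-limit": 1000,          # max outstanding recursions per client IP
    "wait-limit-cookie": 10000,  # same limit for clients presenting a valid DNS cookie
}

CLAUSE_RE = re.compile(r"^[a-z-]+:\s*$")            # e.g. 'server:' or 'remote-control:'
OPTION_RE = re.compile(r"^([a-z-]+):\s*([^\s]+)")    # 'option: value ...'


def parse_server_options(conf_text):
    """Return {option: value} for the server: clause(s); later duplicates win, as in Unbound."""
    opts = {}
    in_server = False
    for line in conf_text.splitlines():
        stripped = line.split("#", 1)[0].strip()    # drop comments and surrounding whitespace
        if not stripped:
            continue
        if CLAUSE_RE.match(stripped):
            in_server = stripped == "server:"
            continue
        m = OPTION_RE.match(stripped)
        if in_server and m:
            opts[m.group(1)] = m.group(2)
    return opts


def audit(conf_text):
    """Return a list of (option, status, detail); status is 'ok', 'weak', 'disabled' or 'missing'."""
    opts = parse_server_options(conf_text)
    findings = []
    for opt, recommended in RECOMMENDED.items():
        raw = opts.get(opt)
        if raw is None:
            findings.append((opt, "missing", "not set; relies on the build's default "
                                             "(option does not exist before Unbound 1.20.0)"))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((opt, "weak", f"unparseable value {raw!r}"))
            continue
        if value == 0:
            findings.append((opt, "disabled", "0 turns the limit off"))
        elif value > recommended:
            findings.append((opt, "weak", f"{value} is looser than the recommended {recommended}"))
        else:
            findings.append((opt, "ok", f"{value} <= {recommended}"))
    return findings


# Constructed sample configuration (not a real deployment) with one weak, one disabled
# and one absent limit, so each finding category is exercised.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 allow
    discard-timeout: 0          # limit switched off
    wait-limit: 5000            # looser than recommended
    # wait-limit-cookie intentionally absent

remote-control:
    control-enable: no
"""

if __name__ == "__main__":
    for option, status, detail in audit(SAMPLE_CONF):
        print(f"{option:20} {status:9} {detail}")
```

Run it against a real file with audit(open("/etc/unbound/unbound.conf").read()); a resolver older than 1.20.0 will report all three options as missing, which is the cue to upgrade rather than to add the options.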

Community reactions

The vulnerability has received significant attention from the DNS software community. BIND developers have stated that their software is not significantly affected by this attack due to existing rate limits and configurations. The research was presented at the 45th IEEE Symposium on Security and Privacy and previously at GEEKCON 2023 in Shanghai (BIND Blog).
