CVE-2024-8508: 
NixOS vulnerability analysis and mitigation

CVE-2024-8508 affects NLnet Labs Unbound DNS server versions up to and including 1.21.0. The vulnerability was discovered by Toshifumi Sakaguchi and disclosed in October 2024. The issue occurs when handling replies with very large RRsets that require name compression processing (NLnet Labs Advisory, OSS Security).

The vulnerability exists in Unbound's name compression mechanism when processing DNS replies containing very large RRsets. When Unbound receives such replies, it performs an unbounded operation for name compression that can lock the CPU until the entire packet is processed. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

The vulnerability can lead to degraded performance and eventual denial of service in well-orchestrated attacks. When exploited, the issue causes Unbound to spend considerable time applying name compression to downstream replies, potentially locking up CPU resources (NLnet Labs Advisory).

The issue has been fixed in Unbound version 1.21.1, which introduces a hard limit on the number of name compression calculations performed per packet. For packets requiring more compression, the solution results in semi-compressed packets or truncated packets, even on TCP for huge messages, to prevent CPU lockup. This change does not affect normal DNS traffic. Users are advised to upgrade to version 1.21.1 or apply the provided patch (NLnet Labs Advisory).