{
  "threat_severity" : "Moderate",
  "public_date" : "2019-11-26T00:00:00Z",
  "bugzilla" : {
    "description" : "unbound: command injection with data coming from a specially crafted IPSECKEY answer",
    "id" : "1776762",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1776762"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.6",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-78",
  "details" : [ "Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration.", "A shell command injection vulnerability was discovered in the way unbound handles DNS queries for systems with a public key used for IPsec. When ipsecmod is enabled, a malicious DNS server could send a DNS reply which would be used during a following DNS query to execute shell commands with the privileges of the unbound process. The same attack could be performed by an attacker who can modify data transmitted over the network, before it reaches the unbound server, if DNSSEC is not used." ],
  "statement" : "The versions of unbound as shipped in Red Hat Enterprise Linux 7 and 8 have `ipsecmod` disabled by default; although it can be activated through the unbound-control command, that command can only be run by high-privilege users. Moreover, the `username` option is enabled, reducing the impact of a successful attack, and DNSSEC is used by default, preventing an attacker from modifying DNS packets on the wire. Finally, the default SELinux policies prevent unbound from running any shell command.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-04-28T00:00:00Z",
    "advisory" : "RHSA-2020:1716",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "unbound-0:1.7.3-10.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "unbound",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "unbound",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-18934\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-18934\nhttps://nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt\nhttps://www.nlnetlabs.nl/news/2019/Nov/19/unbound-1.9.5-released/" ],
  "name" : "CVE-2019-18934",
  "mitigation" : {
    "value" : "* Do not enable ipsecmod in the unbound.conf configuration file nor via unbound-control, if DNSSEC based Opportunistic IPsec is not used.\n* Use the `username` option in unbound.conf to make unbound drop privileges and reduce the impact of a successful attack.\n* Enable SELinux to prevent unbound from executing shell commands, apart from the expected one specified in the `ipsecmod-hook` option.",
    "lang" : "en:us"
  },
  "csaw" : false
}