{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/netty-4.2.12.final/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Netty 4.2.12.Final"],"_cs_severities":["medium"],"_cs_tags":["netty","dns","vulnerability","cache-poisoning"],"_cs_type":"advisory","_cs_vendors":["Netty"],"content_html":"\u003cp\u003eNetty, a widely used asynchronous event-driven network application framework, contains a critical input validation bypass vulnerability within its DNS codec (versions 4.2.12.Final and prior using \u003ccode\u003ecodec-dns\u003c/code\u003e). The vulnerability stems from the \u003ccode\u003eio.netty.handler.codec.dns.DnsCodecUtil\u003c/code\u003e component, which inadequately validates domain name inputs during both encoding and decoding. This failure to adhere to RFC 1035 standards enables attackers to inject null bytes, create overlength labels, silently truncate domain names, and trigger unbounded memory allocation. Exploitation can lead to DNS cache poisoning, domain validation bypass, denial of service, and the generation of malformed DNS packets. 
This bidirectional attack surface allows for malicious DNS responses and user-influenced hostnames to be leveraged against applications using Netty\u0026rsquo;s DNS resolution features.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Input\u003c/strong\u003e: A Netty application receives a DNS query or is configured to resolve a domain name provided by a user, which may contain malicious elements such as null bytes or may exceed length restrictions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEncoding (Outbound)\u003c/strong\u003e: The application uses \u003ccode\u003eDnsCodecUtil.encodeDomainName()\u003c/code\u003e to encode the domain name into a DNS query packet without proper validation. This allows malicious domain names to be crafted.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDNS Query\u003c/strong\u003e: The crafted DNS query is sent to a DNS server. If the domain name contains null bytes, different DNS servers may interpret the domain differently, potentially leading to cache poisoning.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDecoding (Inbound)\u003c/strong\u003e: The application receives a DNS response containing a crafted domain name, potentially with oversized labels exceeding 63 bytes or the total 255-byte limit.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Decoding\u003c/strong\u003e: The \u003ccode\u003eDnsCodecUtil.decodeDomainName()\u003c/code\u003e method decodes the domain name without proper length validation, leading to unbounded StringBuilder growth if oversized labels are present.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMemory Exhaustion or Parser Confusion\u003c/strong\u003e: Excessive memory allocation occurs due to large labels, potentially causing a denial of service. 
Alternatively, overlength labels may be misinterpreted as compression pointers, causing parser confusion.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCache Poisoning or Validation Bypass\u003c/strong\u003e: If null bytes are present, DNS cache poisoning or domain validation bypass may occur.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Impact\u003c/strong\u003e: Downstream processes that handle the decoded domain names (e.g., certificate validators, URL parsers) may crash or exhibit unexpected behavior due to the malformed domain names.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have severe consequences, including DNS cache poisoning, enabling attackers to redirect traffic to malicious servers. Domain validation bypass can allow attackers to impersonate legitimate domains. The unbounded memory allocation in the decoder can lead to denial-of-service conditions, impacting the availability of applications relying on Netty\u0026rsquo;s DNS resolution. 
A single compromised application can lead to broader network disruptions through DNS poisoning.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Netty version 4.2.13.Final or later, which addresses the input validation issues in the DNS codec.\u003c/li\u003e\n\u003cli\u003eApply input validation on the client side to sanitize domain names before they are passed to the Netty DNS codec, mitigating encoder-side attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Netty DNS Encoder Overlength Labels\u0026rdquo; to identify instances of overlength labels being encoded in DNS queries.\u003c/li\u003e\n\u003cli\u003eMonitor and restrict outbound DNS traffic originating from applications using Netty to known, legitimate DNS resolvers to reduce the attack surface for encoder-side exploits.\u003c/li\u003e\n\u003cli\u003eEnable detailed logging of DNS queries and responses to facilitate forensic analysis in case of suspected DNS cache poisoning or other malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T00:12:47Z","date_published":"2026-05-07T00:12:47Z","id":"/briefs/2024-01-03-netty-dns-bypass/","summary":"Netty's DNS codec fails to enforce RFC 1035 domain name constraints, leading to potential DNS cache poisoning, denial-of-service, and domain validation bypass through null byte injection, overlength labels, silent truncation, and unbounded memory allocation.","title":"Netty DNS Codec Input Validation Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-netty-dns-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Netty 4.2.12.Final","version":"https://jsonfeed.org/version/1.1"}