{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dnssec/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["hickory-proto (0.25.0-alpha.3 to 0.25.2)","hickory-net (0.26.0-alpha.1 to 0.26.0)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","dnssec","memory-exhaustion"],"_cs_type":"advisory","_cs_vendors":["Hickory DNS"],"content_html":"\u003cp\u003eHickory DNS is vulnerable to a denial-of-service (DoS) attack due to an unbounded loop in its NSEC3 closest-encloser proof validation. This affects \u003ccode\u003ehickory-proto\u003c/code\u003e versions 0.25.0-alpha.3 through 0.25.2 and \u003ccode\u003ehickory-net\u003c/code\u003e versions 0.26.0-alpha.1 through 0.26.0. The vulnerability resides within the \u003ccode\u003eDnssecDnsHandle\u003c/code\u003e component, specifically when built with the \u003ccode\u003ednssec-ring\u003c/code\u003e or \u003ccode\u003ednssec-aws-lc-rs\u003c/code\u003e feature and configured to perform DNSSEC validation. The issue occurs when validating NoData or NXDomain responses where the authority section contains a Start of Authority (SOA) record from a zone that is not an ancestor of the queried name (QNAME). An attacker who can return such a specially crafted response can trigger the unbounded loop, leading to excessive memory allocation and ultimately causing the process to crash or become unresponsive. The affected code was migrated from \u003ccode\u003ehickory-proto\u003c/code\u003e to \u003ccode\u003ehickory-net\u003c/code\u003e as part of the 0.26.0 release.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious DNS server or compromises an existing one.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the DNS server to respond to DNS queries with a specially crafted DNS response.\u003c/li\u003e\n\u003cli\u003eThe crafted DNS response includes an SOA record in the authority section that is not an ancestor of the QNAME.\u003c/li\u003e\n\u003cli\u003eA vulnerable Hickory DNS resolver, recursor, or client initiates a DNS query that is routed to the malicious DNS server.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eDnssecDnsHandle\u003c/code\u003e in Hickory DNS receives the crafted DNS response.\u003c/li\u003e\n\u003cli\u003eDuring NSEC3 closest-encloser proof validation, the code enters an unbounded loop.\u003c/li\u003e\n\u003cli\u003eThe loop repeatedly calls \u003ccode\u003eName::base_name()\u003c/code\u003e and pushes newly allocated \u003ccode\u003eName\u003c/code\u003e and hashed-name entries into a candidate \u003ccode\u003eVec\u003c/code\u003e, consuming memory.\u003c/li\u003e\n\u003cli\u003eThe process exhausts available memory, resulting in a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service condition. Attackers can remotely crash debug builds of applications using the affected Hickory DNS versions, or exhaust memory in release builds. The number of victims depends on the number of applications using vulnerable versions of Hickory DNS and exposed to malicious DNS responses. This can affect any application using Hickory DNS for DNSSEC validation, including resolvers and clients.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ehickory-net\u003c/code\u003e version 0.26.1 to remediate the vulnerability. This is the recommended fix from Hickory DNS as stated in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor memory usage of applications using \u003ccode\u003ehickory-proto\u003c/code\u003e (0.25.0-alpha.3 through 0.25.2) and \u003ccode\u003ehickory-net\u003c/code\u003e (0.26.0-alpha.1 through 0.26.0). An unusual increase in memory allocation could indicate an attempted exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-hickory-dns-dos/","summary":"A vulnerability in Hickory DNS's NSEC3 closest-encloser proof validation allows a remote attacker to cause a denial of service by exhausting memory when processing crafted DNS responses with mismatched SOA records.","title":"Hickory DNS NSEC3 Validation Vulnerability Leads to DoS","url":"https://feed.craftedsignal.io/briefs/2024-01-03-hickory-dns-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Dnssec","version":"https://jsonfeed.org/version/1.1"}