{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/zone-transfer/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CoreDNS"],"_cs_severities":["high"],"_cs_tags":["cve-2026-33489","acl-bypass","dns","zone-transfer","coredns"],"_cs_type":"advisory","_cs_vendors":["CoreDNS"],"content_html":"\u003cp\u003eA vulnerability exists in the CoreDNS transfer plugin related to Access Control List (ACL) stanza selection. When both a parent zone and a more-specific subzone are configured with transfer rules, CoreDNS versions prior to 1.14.3 may incorrectly prioritize the parent zone\u0026rsquo;s rule over the subzone\u0026rsquo;s due to a lexicographic string comparison instead of a proper longest-match algorithm. This can lead to a permissive parent-zone transfer rule overriding a more restrictive subzone rule, allowing unauthorized clients to perform AXFR/IXFR requests and retrieve zone contents they should not have access to. This vulnerability matters because it can expose sensitive DNS information to unauthorized parties, potentially aiding reconnaissance or enabling further attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a CoreDNS server running a version prior to 1.14.3.\u003c/li\u003e\n\u003cli\u003eThe attacker determines that the CoreDNS server is configured with both a parent zone (e.g., example.org.) and a subzone (e.g., a.example.org.) with different transfer ACLs. The parent zone\u0026rsquo;s ACL is more permissive than the subzone\u0026rsquo;s.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an AXFR or IXFR request specifically targeting the subzone (a.example.org.).\u003c/li\u003e\n\u003cli\u003eThe CoreDNS server\u0026rsquo;s transfer plugin incorrectly selects the parent zone\u0026rsquo;s ACL due to the lexicographic comparison logic, which favors \u0026ldquo;example.org.\u0026rdquo; over \u0026ldquo;a.example.org.\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe server authorizes the transfer based on the permissive parent zone ACL.\u003c/li\u003e\n\u003cli\u003eThe CoreDNS server responds to the attacker\u0026rsquo;s request, providing the full zone contents of the subzone.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the zone data, gaining access to information such as hostnames, IP addresses, and other DNS records that should have been protected by the subzone\u0026rsquo;s restrictive ACL.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthorized zone transfers, exposing sensitive DNS information. The impact is significant as it can lead to the disclosure of internal network structures, server names, and other critical data, potentially facilitating reconnaissance for further attacks. The severity is compounded by the non-intuitive nature of the vulnerability, making it difficult to detect and remediate without a clear understanding of the underlying issue.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade CoreDNS to version 1.14.3 or later to address the vulnerability (CVE-2026-33489).\u003c/li\u003e\n\u003cli\u003eReview CoreDNS transfer configurations to ensure subzone ACLs are not inadvertently bypassed by more permissive parent zone ACLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-coredns-acl-bypass/","summary":"CoreDNS' transfer plugin prior to version 1.14.3 can select the wrong ACL stanza due to lexicographic comparison, leading to unauthorized zone transfers by clients intended to be denied by subzone-specific transfer policies.","title":"CoreDNS Transfer Plugin ACL Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-coredns-acl-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Zone-Transfer","version":"https://jsonfeed.org/version/1.1"}