Zone-Transfer — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/zone-transfer/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 10:00:00 +0000CoreDNS Transfer Plugin ACL Bypass Vulnerabilityhttps://feed.craftedsignal.io/briefs/2024-01-03-coredns-acl-bypass/Wed, 03 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-coredns-acl-bypass/CoreDNS' transfer plugin prior to version 1.14.3 can select the wrong ACL stanza due to lexicographic comparison, leading to unauthorized zone transfers by clients intended to be denied by subzone-specific transfer policies.A vulnerability exists in the CoreDNS transfer plugin related to Access Control List (ACL) stanza selection. When both a parent zone and a more-specific subzone are configured with transfer rules, CoreDNS versions prior to 1.14.3 may incorrectly prioritize the parent zone’s rule over the subzone’s due to a lexicographic string comparison instead of a proper longest-match algorithm. This can lead to a permissive parent-zone transfer rule overriding a more restrictive subzone rule, allowing unauthorized clients to perform AXFR/IXFR requests and retrieve zone contents they should not have access to. This vulnerability matters because it can expose sensitive DNS information to unauthorized parties, potentially aiding reconnaissance or enabling further attacks.

Attack Chain

  1. An attacker identifies a CoreDNS server running a version prior to 1.14.3.
  2. The attacker determines that the CoreDNS server is configured with both a parent zone (e.g., example.org.) and a subzone (e.g., a.example.org.) with different transfer ACLs. The parent zone’s ACL is more permissive than the subzone’s.
  3. The attacker crafts an AXFR or IXFR request specifically targeting the subzone (a.example.org.).
  4. The CoreDNS server’s transfer plugin incorrectly selects the parent zone’s ACL due to the lexicographic comparison logic, which favors “example.org.” over “a.example.org.”.
  5. The server authorizes the transfer based on the permissive parent zone ACL.
  6. The CoreDNS server responds to the attacker’s request, providing the full zone contents of the subzone.
  7. The attacker receives the zone data, gaining access to information such as hostnames, IP addresses, and other DNS records that should have been protected by the subzone’s restrictive ACL.

Impact

Successful exploitation of this vulnerability allows unauthorized zone transfers, exposing sensitive DNS information. The impact is significant as it can lead to the disclosure of internal network structures, server names, and other critical data, potentially facilitating reconnaissance for further attacks. The severity is compounded by the non-intuitive nature of the vulnerability, making it difficult to detect and remediate without a clear understanding of the underlying issue.

Recommendation

  • Upgrade CoreDNS to version 1.14.3 or later to address the vulnerability (CVE-2026-33489).
  • Review CoreDNS transfer configurations to ensure subzone ACLs are not inadvertently bypassed by more permissive parent zone ACLs.
]]>highadvisorycve-2026-33489acl-bypassdnszone-transfercoredns