{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/twisted/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Twisted (\u003c= 25.5.0)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","dns","twisted"],"_cs_type":"advisory","_cs_vendors":["Twisted"],"content_html":"\u003cp\u003eThe \u003ccode\u003etwisted.names\u003c/code\u003e module is susceptible to a Denial of Service (DoS) attack due to resource exhaustion during DNS name decompression. This vulnerability allows a remote, unauthenticated attacker to exploit the system by sending a crafted TCP DNS packet containing deeply chained compression pointers. This bypasses existing loop-prevention mechanisms and leads to the single-threaded Twisted reactor becoming unresponsive as it processes millions of recursive lookups. The vulnerability was introduced prior to commit e11cd82. The affected package is pip/Twisted (\u0026lt;= 25.5.0), making any service reliant on Twisted for DNS resolution vulnerable. This can paralyze the server, causing significant disruption to services relying on the Twisted framework.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious TCP DNS packet with deeply chained compression pointers. The packet is designed to trigger excessive recursive lookups.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted DNS packet to a vulnerable Twisted DNS server.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDNSServerFactory\u003c/code\u003e processes the incoming TCP packet and parses the number of question records (QDCOUNT).\u003c/li\u003e\n\u003cli\u003eFor each question record, the \u003ccode\u003eMessage.decode\u003c/code\u003e function calls \u003ccode\u003eName.decode\u003c/code\u003e to decompress the DNS name.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eName.decode\u003c/code\u003e function recursively dereferences the compression pointers, attempting to resolve the name. Due to the crafted chains, the process enters a loop-like behavior.\u003c/li\u003e\n\u003cli\u003eThe lack of a limit on pointer resolutions causes the Twisted reactor\u0026rsquo;s event loop to become blocked.\u003c/li\u003e\n\u003cli\u003eThe server becomes unresponsive to new connections, I/O operations, and existing requests.\u003c/li\u003e\n\u003cli\u003eThe server experiences a Denial of Service (DoS) condition, rendering it effectively paralyzed until the malicious packet processing completes or the process is restarted.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can render a Twisted-based DNS server unresponsive, leading to a Denial of Service condition. A single malformed TCP packet is sufficient to block the Twisted reactor\u0026rsquo;s event loop for several seconds, or potentially longer, depending on the resources available. The impact is significant because Twisted\u0026rsquo;s single-threaded, cooperative multitasking model makes it vulnerable to such blocking operations. This can affect any service relying on the server for DNS resolution, potentially impacting numerous users and applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate the \u003ccode\u003etwisted.names.dns.Name.decode\u003c/code\u003e function to implement a limit on the number of pointer resolutions allowed per DNS message to address the root cause of the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement state sharing of the \u0026ldquo;resolved offset\u0026rdquo; across all records within a single message to prevent redundant processing of the same compression pointers, mitigating resource exhaustion.\u003c/li\u003e\n\u003cli\u003ePrior to entering the decoding loop in \u003ccode\u003eMessage.decode\u003c/code\u003e, validate the number of questions (QDCOUNT) in the DNS packet to avoid processing excessively large question sections.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Twisted DNS DoS Attack via Deep Compression Pointers\u003c/code\u003e to identify and alert on the exploitation attempts based on the structure of DNS packets.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:00:00Z","date_published":"2024-01-09T18:00:00Z","id":"/briefs/2024-01-twisted-dns-dos/","summary":"A denial-of-service vulnerability exists in the twisted.names module, where an unauthenticated attacker can send a crafted TCP DNS packet with deeply chained compression pointers, causing the Twisted reactor to hang while processing recursive lookups and effectively freezing the server.","title":"Twisted DNS Server Denial of Service via Crafted Compression Pointers","url":"https://feed.craftedsignal.io/briefs/2024-01-twisted-dns-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Twisted","version":"https://jsonfeed.org/version/1.1"}