Executive Summary

CVE-2026-30932 is a vulnerability in Froxlor, an open source server administration software, affecting versions prior to 2.3.5. The issue exists in the DomainZones.add API endpoint, which does not validate the content field for certain DNS record types (LOC, RP, SSHFP, TLSA). This lack of validation allows an attacker with DNS access to inject newline characters and BIND zone file directives (such as $INCLUDE) into DNS zone files.

When the DNS rebuild cron job runs, these maliciously crafted zone files are written to disk and processed by the BIND DNS server. This can lead to injection of arbitrary directives into the zone files, enabling attackers to read arbitrary world-readable files on the server or disrupt DNS service.

The vulnerability arises because the API endpoint accepts unsanitized input for these DNS record types, which is then incorporated into zone files without proper validation or sanitization. This issue was fixed in Froxlor version 2.3.5 by adding strict validation routines for the affected DNS record types.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several serious impacts:

• Information Disclosure: Attackers can inject $INCLUDE directives to cause the DNS server to read and expose arbitrary world-readable files on the server, such as /etc/passwd, via DNS responses.
• DNS Service Disruption: Malformed zone files created by injected content can cause the BIND DNS server to fail loading zones, resulting in DNS outages.
• Zone Data Manipulation: Injection of newlines allows attackers to create arbitrary DNS records, potentially enabling DNS amplification attacks or other malicious DNS behaviors.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves checking for the presence of unsanitized or malformed DNS records of types LOC, RP, SSHFP, and TLSA in the Froxlor DNS management system prior to version 2.3.5.'}, {'type': 'paragraph', 'content': 'Specifically, you can look for DNS zone files containing unexpected newline characters or BIND zone file directives such as "$INCLUDE" that should not normally appear in these records.'}, {'type': 'paragraph', 'content': 'Since the vulnerability allows injection of arbitrary directives into zone files, inspecting the zone files on disk for suspicious entries is a key detection method.'}, {'type': 'paragraph', 'content': 'Suggested commands include using grep or similar tools to search for suspicious patterns in zone files, for example:'}, {'type': 'list_item', 'content': "grep -r --include='*.zone' '\\$INCLUDE' /path/to/bindconf_directory/domains/"}, {'type': 'list_item', 'content': "grep -r --include='*.zone' -P '\\n' /path/to/bindconf_directory/domains/"}, {'type': 'paragraph', 'content': "Additionally, reviewing DNS records via the Froxlor API or web UI for error messages related to invalid LOC, RP, SSHFP, or TLSA records (e.g., 'error.dns_loc_invalid') can help identify malformed entries."}] [1, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Froxlor to version 2.3.5 or later, where strict validation of DNS LOC, RP, SSHFP, and TLSA record contents has been implemented to prevent injection of malicious content.

Until the upgrade can be applied, restrict access to the DomainZones.add API endpoint to trusted users only, especially those with DNS enabled, to reduce the risk of malicious record injection.

Manually audit existing DNS zone files for injected directives or malformed records and remove any suspicious entries.

Consider temporarily disabling the DNS rebuild cron job or monitoring its output closely to detect any errors caused by malformed zone files.

Review and tighten permissions on files and directories related to DNS zone files to limit exposure.

Useful 0 Not Useful 0