Can you explain this vulnerability to me?

CoreDNS versions prior to 1.14.3 have a vulnerability in the tsig plugin that affects encrypted DNS transports such as DoT, DoH, DoH3, DoQ, and gRPC. The vulnerability arises because these transports trust the transport writer's TsigStatus() function instead of performing their own verification. Since the TsigStatus() function for these transports always returns nil or is not properly set, an unauthenticated remote client can bypass TSIG-based authentication.

This means that unauthorized clients can access resources that are intended to be restricted behind TSIG authentication policies. Notably, plain DNS over TCP and UDP are not affected by this issue. The vulnerability was fixed in CoreDNS version 1.14.3.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability allows an unauthenticated remote attacker to bypass TSIG-based authentication on encrypted DNS transports, potentially gaining unauthorized access to restricted DNS zone data or privileged queries.

Because the attack requires no privileges or user interaction and can be performed remotely over the network, it poses a high risk to confidentiality of DNS data.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the TSIG authentication bypass on encrypted DNS transports such as DoT, DoH, DoH3, DoQ, and gRPC in CoreDNS versions prior to 1.14.3. Detection involves verifying whether your CoreDNS server is running a vulnerable version and monitoring for unauthorized access attempts over these encrypted transports.

Since the vulnerability allows unauthenticated clients to bypass TSIG authentication, you can detect it by checking logs for TSIG authentication failures or unexpected queries on encrypted DNS transports.

Specific commands are not provided in the available resources, but general detection steps include:

• Check the CoreDNS version with a command like `coredns -version` or by inspecting the running service.
• Monitor CoreDNS logs for TSIG authentication failures or unexpected queries over DoT, DoH, DoH3, DoQ, and gRPC transports.
• Use network monitoring tools (e.g., tcpdump, Wireshark) to capture DNS traffic on encrypted transports and analyze for unauthorized access patterns.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade CoreDNS to version 1.14.3 or later, where this TSIG authentication bypass vulnerability has been fixed.

Until the upgrade can be applied, consider restricting access to encrypted DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) to trusted clients only, to reduce the risk of unauthorized access.

Additionally, review and tighten your TSIG require all policies and monitor logs for suspicious activity.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows unauthenticated remote clients to bypass TSIG-based authentication on encrypted DNS transports, potentially granting unauthorized access to restricted DNS zone data or privileged queries.

Such unauthorized access to sensitive or restricted data could lead to violations of data protection and privacy regulations like GDPR or HIPAA, which require strict controls over access to personal or sensitive information.

Therefore, if an organization relies on CoreDNS with affected versions and encrypted DNS transports for protecting sensitive DNS data, this vulnerability could negatively impact their compliance posture by exposing data to unauthorized parties.

Useful 0 Not Useful 0