Vulnerability
sysops

A significant vulnerability has been discovered in CoreDNS that could allow attackers to disrupt services by pinning DNS cache entries, effectively creating a denial of service for updates.

The flaw, residing in the CoreDNS etcd plugin stems from a critical logic error where an etcd lease ID is misinterpreted as a Time-To-Live (TTL) value, leading to abnormally long caching periods for DNS records.

The root of the vulnerability is found within the plugin/etcd/etcd.go file. The TTL() function incorrectly casts a 64-bit etcd lease ID into a 32-bit unsigned integer and uses this result as the DNS record’s TTL.

Lease IDs are arbitrary identifiers for a lease grant and do not correlate with the duration of the lease. When a large lease ID is generated, its truncated value can represent an extremely long TTL, sometimes spanning decades.

TTL Confusion Leads To Cache Pinning

Downstream DNS resolvers and clients that receive this record will cache it for the specified duration.

This enables a “cache pinning” attack, where an attacker can create a malicious or outdated DNS entry that persists for an exceptionally long time, preventing any future updates from being propagated to affected clients.

An attacker with write access to the etcd data store, potentially through a compromised service account or a misconfigured environment, can exploit this flaw.

The attacker would create or update a DNS record and attach a lease to it. The actual duration of the lease is irrelevant; only its ID matters.

CoreDNS will then serve this record with the massive, misinterpreted TTL. Consequently, clients and resolvers will cache this stale information.

Even if the malicious entry is corrected or deleted from etcd and CoreDNS is restarted, clients will continue to resolve the incorrect address until their local cache expires.

This has a high availability impact, as critical service updates, IP address rotations, or failover procedures would be ignored by clients with a pinned cache entry.

The integrity impact is considered low, as an attacker with etcd write access could already redirect services to malicious endpoints; however, the bug magnifies the persistence of such an attack.

Affected Versions And Mitigation

This vulnerability was introduced in CoreDNS version 1.2.0 and affects all subsequent versions that utilize the etcd a plugin for service discovery.

The flaw was disclosed by GitHub user “@thevilledev,” who also contributed a fix. The recommended mitigation involves updating the TTL() function to correctly use etcd’s Lease API to determine the remaining time on a lease, rather than misusing the lease ID.

Additionally, it is suggested that configurable minimum and maximum TTL limits be implemented to prevent extreme values from being served.

Users of the CoreDNS etcd plugin are strongly advised to update to a patched version to prevent potential service disruptions.

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

Related Posts

Hackers exploit Qualcomm’s security flaws to gain unauthorized access, execute malicious code, or potentially compromise data integrity and the system. …

Security researchers have discovered a new vulnerability in OpenSSH, identified as CVE-2024-6409, which could potentially allow remote code execution attacks on affected systems. This…

Summary 1. A high-severity flaw (CVE-2025-6218) in WinRAR allows attackers to execute arbitrary code by exploiting how the software handles…