
Published two days ago by yongtang on GitHub, the vulnerability stems from a simple yet dangerous misuse of etcd lease identifiers as time-to-live (TTL) values, leading to extreme caching durations that can persist for years.
Users of CoreDNS version 1.2.0 and above are urged to upgrade to 1.12.4 immediately to mitigate this high-severity issue.
Within the plugin/etcd/etcd.go file, the TTL() function mistakenly casts a 64-bit etcd lease ID into a 32-bit unsigned integer, treating it as the TTL for DNS records.
Lease IDs are unique identifiers and bear no relation to actual lease durations; when truncated and interpreted as TTLs, they can translate into extraordinarily large values.
As a result, downstream resolvers and clients cache DNS answers far beyond intended durations.
Even after the original record is updated, deleted, or CoreDNS is restarted, these stale entries remain in caches until their artificially extended TTLs expire or until resolvers enforce their own TTL limits.
Exploitation and Proof of Concept
An attacker needs only etcd write privileges—gained through compromised service accounts, misconfigured RBAC, exposed endpoints, or insider access—to exploit the flaw.
By writing or updating a key under any lease, CoreDNS serves the record with the miscalculated TTL.
In a proof-of-concept demonstration, creating a record under a lease granted for one hour produced a DNS response carrying a TTL of over 28 years.
Downstream resolvers whose TTL caps are not strict enough will still cache the answer for unacceptably long periods, causing service changes such as IP rotations, failovers, or rollbacks to be ignored.
Absent universal TTL caps across resolvers, the persistence of stale DNS answers becomes a powerful denial-of-service mechanism against dynamic service infrastructures.
The vulnerability impacts any CoreDNS deployment leveraging the etcd plugin for service discovery, with a high availability impact due to suppressed propagation of legitimate updates.
Integrity impact remains low, given that attackers who can write to etcd can already redirect traffic, but the bug greatly increases the duration of stale answers. Confidential data exposure is unaffected.
To remediate, CoreDNS maintainers have updated the TTL calculation in version 1.12.4 to query etcd’s Lease API for accurate TTL values and introduced configurable minimum and maximum TTL clamps.
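The following Go program is an added illustration, not CoreDNS code, of the defect in TTL() described above, of the one-hour-lease proof of concept, and of the fix's approach of taking the TTL from the lease itself and clamping it. The lease ID, the leaseInfo struct, the minimum/maximum option names and the function names are all assumptions made for this example.

```go
package main

import "fmt"

// Constructed sample: an etcd lease ID is an opaque 64-bit identifier.
// This value is made up for the example and is not a real lease.
const sampleLeaseID int64 = 0x7F9CA5E136000000

// leaseInfo stands in for what etcd's lease TimeToLive call returns:
// the identifier and the seconds remaining on the grant.
type leaseInfo struct {
	ID  int64
	TTL int64 // seconds remaining on the lease
}

// vulnerableTTL reproduces the defect: the lease identifier is truncated
// to 32 bits and handed to the DNS layer as if it were a TTL in seconds.
func vulnerableTTL(l leaseInfo) uint32 {
	return uint32(l.ID) // bug: this is an identifier, not a duration
}

// fixedTTL uses the lease's actual remaining time and clamps it into a
// configurable [minTTL, maxTTL] window so no resolver is ever told to
// cache longer than the operator allows. Option names are assumed.
func fixedTTL(l leaseInfo, minTTL, maxTTL uint32) uint32 {
	ttl := l.TTL
	if ttl < 0 {
		ttl = 0
	}
	if ttl > int64(maxTTL) {
		return maxTTL
	}
	if ttl < int64(minTTL) {
		return minTTL
	}
	return uint32(ttl)
}

// ttlYears converts a TTL in seconds to years for readability.
func ttlYears(ttl uint32) float64 {
	return float64(ttl) / (365.25 * 24 * 3600)
}

func main() {
	l := leaseInfo{ID: sampleLeaseID, TTL: 3600} // one-hour lease
	bad := vulnerableTTL(l)
	good := fixedTTL(l, 30, 3600)
	fmt.Printf("vulnerable TTL: %d s (%.1f years)\n", bad, ttlYears(bad))
	fmt.Printf("fixed TTL:      %d s\n", good)
}
```

Only the low 32 bits of the lease ID survive the cast, so the served TTL depends on the identifier's bit pattern, not on the one-hour grant.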
Operators of vulnerable CoreDNS instances should apply the patch immediately and review etcd access controls to prevent unauthorized write operations.
Continuous monitoring of resolver TTL enforcement settings is also recommended to guard against extreme cache durations in the future.
The post CoreDNS Vulnerability Allows Attackers to Pin DNS Cache, Disrupt Updates appeared first on Cyber Security News.
