The flaw, which resides in the CoreDNS etcd plugin, stems from a critical logic error in which an etcd lease ID is misinterpreted as a Time-To-Live (TTL) value, leading to abnormally long caching periods for DNS records.
The root of the vulnerability is found within the plugin/etcd/etcd.go file. The TTL() function incorrectly casts a 64-bit etcd lease ID into a 32-bit unsigned integer and uses this result as the DNS record’s TTL.
Lease IDs are arbitrary identifiers for a lease grant and do not correlate with the duration of the lease. When a large lease ID is generated, its truncated value can represent an extremely long TTL, sometimes spanning decades.
Downstream DNS resolvers and clients that receive this record will cache it for the specified duration.
This enables a “cache pinning” attack, where an attacker can create a malicious or outdated DNS entry that persists for an exceptionally long time, preventing any future updates from being propagated to affected clients.
An attacker with write access to the etcd data store, potentially through a compromised service account or a misconfigured environment, can exploit this flaw.
The attacker would create or update a DNS record and attach a lease to it. The actual duration of the lease is irrelevant; only its ID matters.
CoreDNS will then serve this record with the massive, misinterpreted TTL. Consequently, clients and resolvers will cache this stale information.
Even if the malicious entry is corrected or deleted from etcd and CoreDNS is restarted, clients will continue to resolve the incorrect address until their local cache expires.
This has a high availability impact, as critical service updates, IP address rotations, or failover procedures would be ignored by clients with a pinned cache entry.
The integrity impact is considered low, as an attacker with etcd write access could already redirect services to malicious endpoints; however, the bug magnifies the persistence of such an attack.
This vulnerability was introduced in CoreDNS version 1.2.0 and affects all subsequent versions that utilize the etcd plugin for service discovery.
The flaw was disclosed by GitHub user “@thevilledev,” who also contributed a fix. The recommended mitigation involves updating the TTL() function to correctly use etcd’s Lease API to determine the remaining time on a lease, rather than misusing the lease ID.
Additionally, it is suggested that configurable minimum and maximum TTL limits be implemented to prevent extreme values from being served.
Users of the CoreDNS etcd plugin are strongly advised to update to a patched version to prevent potential service disruptions.
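The truncation and the suggested TTL limits described above, as an added Go illustration that is not CoreDNS source code. The lease ID is a constructed sample, and `flawedTTL`, `clampedTTL` and the limit values are hypothetical; in a real fix the remaining seconds would come from etcd's Lease API.

```go
package main

import "fmt"

// Constructed sample lease ID (not from a real cluster). etcd lease IDs are
// opaque 64-bit identifiers and say nothing about lease duration.
const sampleLeaseID int64 = 0x694d7c5a8f3b2e11

// flawedTTL reproduces the bug class the article describes: the lease ID is
// truncated to 32 bits and served as the record TTL.
func flawedTTL(leaseID int64) uint32 {
	return uint32(leaseID) // keeps only the low 32 bits of the identifier
}

// clampedTTL is a hypothetical hardened helper. remaining is the number of
// seconds left on the lease as reported by etcd's Lease API; fallback is used
// when the key has no lease or the lease has expired (remaining <= 0).
// The result is always bounded by the configured minimum and maximum.
func clampedTTL(remaining int64, fallback, minTTL, maxTTL uint32) uint32 {
	ttl := int64(fallback)
	if remaining > 0 {
		ttl = remaining
	}
	if ttl < int64(minTTL) {
		return minTTL
	}
	if ttl > int64(maxTTL) {
		return maxTTL
	}
	return uint32(ttl)
}

func main() {
	bad := flawedTTL(sampleLeaseID)
	fmt.Printf("lease ID %#x -> TTL %d s (~%.1f years)\n",
		sampleLeaseID, bad, float64(bad)/31536000)
	// A lease with 42 seconds left yields a 42-second TTL.
	fmt.Println("from lease:", clampedTTL(42, 300, 5, 3600))
	// Even if an extreme value slips through, the maximum caps it.
	fmt.Println("capped:    ", clampedTTL(int64(bad), 300, 5, 3600))
	// No lease or an expired lease falls back to the default.
	fmt.Println("fallback:  ", clampedTTL(-1, 300, 5, 3600))
}
```

For detection, a served TTL far above any lease duration your services actually grant is the signal worth alerting on in resolver or CoreDNS response logs.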
The post CoreDNS Vulnerability Let Attackers Pin DNS Cache And Deny Service Updates appeared first on Cyber Security News.