Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jZnh3LTRoNzgtaDdmd84AA-E1

DNSJava DNSSEC Bypass

Summary

Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones.

Details

DNS Messages are not authenticated. They do not guarantee that

Applications utilizing DNSSEC generally expect these guarantees to be met, however DNSSEC by itself only guarantees the first two.
To meet the third guarantee, resolvers generally follow an (undocumented, as far as RFCs go) algorithm such as: (simplified, e.g. lacks DNSSEC validation!)

  1. denote by QNAME the name you are querying (e.g. fraunhofer.de.), and initialize a list of aliases
  2. if the ANSWER section contains a valid PTR RRSet for QNAME, return it (and optionally return the list of aliases as well)
  3. if the ANSWER section contains a valid CNAME RRSet for QNAME, add it to the list of aliases. Set QNAME to the CNAME's target and go to 2.
  4. Verify that QNAME does not have any PTR, CNAME and DNAME records using valid NSEC or NSEC3 records. Return null.

Note that this algorithm relies on NSEC records and thus requires a considerable portion of the DNSSEC specifications to be implemented. For this reason, it cannot be performed by a DNS client (aka application) and is typically performed as part of the resolver logic.

dnsjava does not implement a comparable algorithm, and the provided APIs instead return either

If applications blindly filter the received results for RRs of the desired record type (as seems to be typical usage for dnsjava), a rogue recursive resolver or (on UDP/TCP connections) a network attacker can

Impact

DNS(SEC) libraries are usually used as part of a larger security framework.
Therefore, the main misuses of this vulnerability concern application code, which might take the returned records as authentic answers to the request.
Here are three concrete examples of where this might be detrimental:

Mitigations

At this point, the following mitigations are recommended:

Permalink: https://github.com/advisories/GHSA-cfxw-4h78-h7fw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jZnh3LTRoNzgtaDdmd84AA-E1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 3 months ago


CVSS Score: 8.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

Identifiers: GHSA-cfxw-4h78-h7fw, CVE-2024-25638
References: Repository: https://github.com/dnsjava/dnsjava
Blast Radius: 30.3

Affected Packages

maven:dnsjava:dnsjava
Dependent packages: 335
Dependent repositories: 2,558
Downloads:
Affected Version Ranges: < 3.6.0
Fixed in: 3.6.0
All affected versions: 1.2.3, 1.3.2, 2.0.1, 2.0.6, 2.0.7, 2.0.8, 2.1.0, 2.1.1, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3
All unaffected versions: 3.6.0, 3.6.1, 3.6.2