Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-h75p-j8xm-m278

Опубликовано: 06 мар. 2026
Источник: github
Github: Прошло ревью
CVSS3: 7.5

Описание

CoreDNS Loop Detection Denial of Service Vulnerability

Executive Summary

A Denial of Service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name, combined with a fatal error handler that terminates the entire process.

Technical Details

Vulnerability Description

The CoreDNS loop plugin is designed to detect forwarding loops by performing a self-test during server startup. The plugin generates a random query name (qname) using Go's math/rand package and sends an HINFO query to itself. If the server receives multiple matching queries, it assumes a forwarding loop exists and terminates.

The vulnerability arises from two design flaws:

  1. Predictable PRNG Seed: The random number generator is seeded with time.Now().UnixNano(), making the generated qname predictable if an attacker knows the approximate server start time.

  2. Fatal Error Handler: When the plugin detects what it believes is a loop (3+ matching HINFO queries), it calls log.Fatalf() which invokes os.Exit(1), immediately terminating the process without cleanup or recovery.

Affected Code

File: plugin/loop/setup.go

// PRNG seeded with predictable timestamp var r = rand.New(time.Now().UnixNano()) // Qname generation using two consecutive PRNG calls func qname(zone string) string { l1 := strconv.Itoa(r.Int()) l2 := strconv.Itoa(r.Int()) return dnsutil.Join(l1, l2, zone) }

File: plugin/loop/loop.go

func (l *Loop) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error) { // ... validation checks ... if state.Name() == l.qname { l.inc() // Increment counter } if l.seen() > 2 { // FATAL: Terminates entire process log.Fatalf("Loop (%s -> %s) detected for zone %q...", ...) } // ... }

File: plugin/pkg/log/log.go

func Fatalf(format string, v ...any) { logf(fatal, format, v...) os.Exit(1) // Immediate process termination }

Exploitation Window

The loop plugin remains active during the following conditions:

ConditionWindow DurationAttack Feasibility
Healthy startup2 secondsRequires precise timing
Self-test failure (upstream unreachable)30 secondsHIGH - Extended window
Network degradationVariableDepends on retry behavior

Attack Scenario

Primary Attack Vector: Network Degradation

When the upstream DNS server is unreachable (network partition, misconfiguration, outage), the loop plugin's self-test fails repeatedly. During this period:

  1. The loop plugin remains active for up to 30 seconds
  2. Each self-test attempt generates an HINFO query visible in CoreDNS logs
  3. An attacker with log access (shared Kubernetes cluster, centralized logging) can observe the qname
  4. The attacker sends 3 HINFO queries with the observed qname
  5. The server immediately crashes
┌──────────────────────────────────────────────────────────────────────────┐ │ ATTACK TIMELINE │ ├──────────────────────────────────────────────────────────────────────────┤ │ T+0s CoreDNS starts, PRNG seeded with UnixNano() │ │ T+0.5s Self-test HINFO query sent (visible in logs) │ │ T+2s Self-test fails (upstream timeout) │ │ T+3s Retry #1 - counter resets, qname unchanged │ │ T+5s Retry #2 - attacker observes qname in logs │ │ T+5.1s ATTACKER: Send HINFO #1 → counter = 1 │ │ T+5.2s ATTACKER: Send HINFO #2 → counter = 2 │ │ T+5.3s ATTACKER: Send HINFO #3 → counter = 3 → os.Exit(1) │ │ T+5.3s SERVER CRASHES │ └──────────────────────────────────────────────────────────────────────────┘

Impact Assessment

Attack Requirements

RequirementNotes
Network AccessMust be able to send UDP packets to CoreDNS port
Log AccessRequired to observe the qname (common in shared clusters)
TimingExtended window during network degradation
AuthenticationNone required

Real-World Impact

CoreDNS is the default DNS server for Kubernetes clusters. A successful attack would:

  1. Disruption: All DNS resolution fails within the cluster
  2. Cascading Failures: Services unable to discover each other
  3. Restart Loop: If attack persists, CoreDNS enters crash-restart cycle
  4. Data Plane Impact: Application-level failures across the cluster

References

Ссылки

Пакеты

Наименование

github.com/coredns/coredns

go
Затронутые версииВерсия исправления

< 1.14.2

1.14.2

EPSS

Процентиль: 16%
0.00052
Низкий

7.5 High

CVSS3

CVE ID

CVE-2026-26018

Дефекты

CWE-337

Связанные уязвимости

redhat логотип

CVE-2026-26018

CVSS3: 7.5
redhat
21 день назад

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name, combined with a fatal error handler that terminates the entire process. This issue has been patched in version 1.14.2.

nvd логотип

CVE-2026-26018

CVSS3: 7.5
nvd
20 дней назад

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name, combined with a fatal error handler that terminates the entire process. This issue has been patched in version 1.14.2.

msrc логотип

CVE-2026-26018

CVSS3: 7.5
msrc
18 дней назад

CoreDNS Loop Detection Denial of Service Vulnerability

debian логотип

CVE-2026-26018

CVSS3: 7.5
debian
20 дней назад

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, ...

EPSS

Процентиль: 16%
0.00052
Низкий

7.5 High

CVSS3

CVE ID

CVE-2026-26018

Дефекты

CWE-337