VDB
KO
HIGH 8.7

GHSA-5pvg-856g-cp85

Netty has Insufficient Bailiwick Validation for NS Records

Details

### Summary Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`).

### Details In `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add` method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the questionName.

This means if the resolver queries evil.co.uk., it will accept an NS record claiming authority over co.uk.. Subsequently, the `handleWithAdditional` method caches the associated A records from the ADDITIONAL section directly into the `authoritativeDnsServerCache` under the parent domain's key (co.uk.). This bypasses standard bailiwick rules, where a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under co.uk..

The `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#cache` method only prevents caching if the record is for the root zone (dots == 1).

### Impact DNS Cache Poisoning. Any application using Netty's DNS resolver is impacted.

Are you affected?

Enter the version of the package you're using.

Affected packages

Maven / io.netty:netty-resolver-dns
Introduced in: 4.2.0.Final Fixed in: 4.2.15.Final
Fix # pom.xml: bump <version>4.2.15.Final</version> for io.netty:netty-resolver-dns
Maven / io.netty:netty-resolver-dns
Introduced in: 0 Fixed in: 4.1.135.Final
Fix # pom.xml: bump <version>4.1.135.Final</version> for io.netty:netty-resolver-dns

References