Netty’s DnsResolveContext has a flaw in its bailiwick validation logic for NS records, which enables DNS cache poisoning. An attacker who controls an authoritative name server for a subdomain can leverage this to corrupt the resolver’s cache for entire parent domains.
The root cause lies in the `AuthoritativeNameServerList.add` method. When the resolver sends a query (for example, to `evil.co.uk`), it parses the `AUTHORITY` section of the DNS response. The vulnerable `add` method will accept any NS record, as long as the record’s name is a suffix of the original question name. This means a malicious NS record claiming authority over the parent domain (i.e., `co.uk`) would be accepted.
Following this, the `handleWithAdditional` method processes the `ADDITIONAL` section of the same response. It then caches the A (IPv4 address) records associated with that malicious NS record directly into the resolver’s cache, using the parent domain (co.uk) as the key. This entire sequence bypasses the standard DNS bailiwick security rule, which states that a server which is only authoritative for a subdomain should not be trusted to provide definitive records for its parent domain. After the cache is successfully poisoned, the malicious records will be used for all future DNS resolutions under the parent domain. A check in the `cache` method only prevents caching if the record is for the root zone (.), providing no protection in this scenario.
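The bailiwick rule described above, as an added example that is not Netty's code or its patch: a simplified Java model comparing the suffix-only acceptance the page describes with an in-bailiwick check. The class and method names, the sample cases, and the `serverZone` parameter (the zone the answering server was queried as authoritative for) are assumptions for illustration.

```java
import java.util.Locale;

public class BailiwickCheck {
    // Normalize a DNS name: lower-case, no trailing dot ("" is the root zone).
    static String norm(String name) {
        String n = name.toLowerCase(Locale.ROOT);
        return n.endsWith(".") ? n.substring(0, n.length() - 1) : n;
    }

    // True if 'name' equals 'zone' or is a subdomain of it, compared on label boundaries
    // so that "notco.uk" is not treated as being inside "co.uk".
    static boolean isAtOrBelow(String name, String zone) {
        String n = norm(name), z = norm(zone);
        return z.isEmpty() || n.equals(z) || n.endsWith("." + z);
    }

    // Behaviour the page describes: any NS owner that is a suffix of the question is accepted.
    static boolean acceptSuffixOnly(String question, String nsOwner) {
        return isAtOrBelow(question, nsOwner);
    }

    // Assumed hardened rule: the NS owner must also lie inside the zone
    // the responding server was queried as authoritative for.
    static boolean acceptInBailiwick(String question, String serverZone, String nsOwner) {
        return isAtOrBelow(question, nsOwner) && isAtOrBelow(nsOwner, serverZone);
    }

    public static void main(String[] args) {
        // Constructed cases: {question, zone of the server that answered, NS owner name}
        String[][] cases = {
            {"evil.co.uk.", "evil.co.uk.", "co.uk."},       // claim over the parent zone
            {"evil.co.uk.", "evil.co.uk.", "evil.co.uk."},  // the server's own zone
            {"evil.co.uk.", "co.uk.", "evil.co.uk."},       // ordinary downward referral
            {"evil.co.uk.", "evil.co.uk.", "uk."},          // claim over the grandparent zone
        };
        for (String[] c : cases) {
            System.out.printf("q=%-12s zone=%-12s ns=%-12s suffixOnly=%-5b inBailiwick=%b%n",
                c[0], c[1], c[2], acceptSuffixOnly(c[0], c[2]),
                acceptInBailiwick(c[0], c[1], c[2]));
        }
    }
}
```

The first and last cases are the ones where the two checks disagree: the suffix-only test accepts an NS record for `co.uk` or `uk` from a server that only serves `evil.co.uk`, while the in-bailiwick test rejects it.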
DailyCVE Form:
Platform: Netty
Version: 4.2.0.Final to 4.2.14.Final, 4.1.134.Final and earlier
Vulnerability: Insufficient Bailiwick Validation for NS Records
Severity: High (CVSS 4.0: 8.8)
Date: May 7, 2026
Prediction: June 10, 2026 (Upgrade to 4.2.15.Final or 4.1.135.Final)
What Undercode Say:
Below are the commands to check if a project is using an affected Netty version, which is crucial for identifying potential exposure to this cache poisoning vulnerability.
```bash
# Check the Netty resolver version in a Maven project
mvn dependency:tree | grep netty-resolver-dns

# Check using Gradle
./gradlew dependencies | grep netty-resolver-dns

# Direct inspection of the Netty version if the jar is downloaded
# (reads the version from the jar manifest; the resolver class has no main method to run)
unzip -p netty-resolver-dns-4.2.14.Final.jar META-INF/MANIFEST.MF | grep -i "version"
```
How Exploit:
An attacker who can control an authoritative DNS server for a subdomain can exploit this flaw:
1. The Netty-based resolver sends a query for a subdomain, e.g., `evil.co.uk`.
2. The attacker-controlled authoritative server for `evil.co.uk` replies with a crafted DNS packet containing:
   - An `AUTHORITY` section with an NS record claiming the name server is authoritative for the parent domain `co.uk`.
   - An `ADDITIONAL` section with A records for that NS record (pointing to the attacker’s IP address).
3. Netty’s `AuthoritativeNameServerList.add` method accepts the out-of-bailiwick NS record, and `handleWithAdditional` caches the attacker’s IP addresses for the `co.uk` zone.
4. Future DNS lookups for any hostname under `co.uk` will resolve to the attacker’s malicious IP address, enabling traffic interception or redirection.
Protection:
Upgrade Netty’s `netty-resolver-dns` and `netty-codec-dns` to the patched versions: 4.2.15.Final or 4.1.135.Final. For build systems:
Maven: Update the `netty-resolver-dns` and `netty-codec-dns` dependencies to the patched version.
Gradle: Add a version override for the `io.netty` group.
Impact:
Successful exploitation allows an unauthenticated, remote attacker to poison the DNS cache of the Netty resolver. This enables attackers to redirect network traffic from the affected application to malicious hosts, leading to traffic interception, credential harvesting, and other machine-in-the-middle attacks. Any application using Netty’s DNS resolver, such as HTTP clients or database drivers, is impacted by this vulnerability.
Sources:
Reported By: github.com

