cert-manager DNS Cache Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability affects cert-manager versions 1.18.0 up to but not including 1.18.5, and 1.19.0 up to but not including 1.19.3. During ACME DNS-01 challenge processing, cert-manager-controller performs plain DNS lookups that are neither encrypted nor authenticated. An attacker on the path between the controller and its resolver can intercept one of those lookups and return a modified response, which cert-manager stores as a crafted entry in its DNS cache. When the controller later reads that cached entry it panics, and the controller process exits. No interception is needed if the attacker controls the authoritative DNS server for the domain being validated: the crafted answer is then delivered to cert-manager as a legitimate response.
Impact
Exploitation causes a panic in the cert-manager controller, which terminates the process. Kubernetes restarts the pod, but while the controller is down no certificates are issued or renewed, and because the crafted response can be served again on the next DNS-01 lookup, the controller can be kept in a restart loop for as long as the attacker keeps answering. Only the controller is affected; certificates already issued remain valid until they expire, and no secret material is exposed.
Reproduction
Reproduction requires a position on the path between the cert-manager-controller pod and the DNS server it queries, or control of the authoritative server for the validated domain. By default the controller uses the resolver configured in the pod (its /etc/resolv.conf); the --dns01-recursive-nameservers flag overrides the servers it queries, and --dns01-recursive-nameservers-only makes it use only those. Intercept one of the DNS-01 lookups and return a response in which the SOA record appears in an order cert-manager does not expect; the controller caches that response unchanged. The next time the controller retrieves the cached entry, it panics, and the denial-of-service condition persists for every later access until the cached entry is gone.
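The bug class behind that reproduction, as an added illustration in Go (cert-manager's language) and not cert-manager's own code: the example assumes a zone lookup that takes the first answer record to be the SOA and asserts its type without checking, plus an in-process cache keyed by FQDN that stores the raw answer section before anything validates it. The advisory does not confirm that cert-manager's real code path has this shape; the RR, SOA and CNAME types, the zoneCache, the fragileZone/safeZone/cachedZone functions and the sample responses (one with a CNAME placed ahead of the SOA) are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RR is a stand-in for a DNS resource record. The SOA and CNAME types below
// loosely mirror the shape of github.com/miekg/dns records but are
// constructed for this example (assumption: not the real library types).
type RR interface{ Name() string }

type SOA struct {
	Owner string // zone apex the SOA describes
	Ns    string // primary nameserver
}

type CNAME struct {
	Owner  string
	Target string
}

func (s *SOA) Name() string   { return s.Owner }
func (c *CNAME) Name() string { return c.Owner }

// fragileZone assumes the first answer record is the SOA. An empty answer
// section panics on the index, and any other record type ahead of the SOA
// panics on the unchecked type assertion: the bug class the advisory
// describes (assumption: a model, not cert-manager's code).
func fragileZone(answer []RR) string {
	soa := answer[0].(*SOA)
	return strings.ToLower(soa.Owner)
}

// safeZone scans every record with a checked assertion and returns an
// error instead of panicking when no SOA is present.
func safeZone(answer []RR) (string, error) {
	for _, rr := range answer {
		if soa, ok := rr.(*SOA); ok {
			return strings.ToLower(soa.Owner), nil
		}
	}
	return "", errors.New("no SOA record in DNS response")
}

// callGuarded converts a panic in f into an error so a crash can be
// observed in-process instead of taking the whole controller down.
func callGuarded(f func() string) (zone string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	return f(), nil
}

// zoneCache models an in-process cache keyed by FQDN that stores the raw
// answer section before anything has validated it.
var zoneCache = map[string][]RR{}

// cachedZone resolves once, caches the answer, and extracts the zone from
// the cached copy on every call. A poisoned entry therefore fails on every
// later lookup until the cache is cleared (for an in-memory cache, a restart).
func cachedZone(fqdn string, resolve func() []RR, extract func([]RR) string) (string, error) {
	answer, ok := zoneCache[fqdn]
	if !ok {
		answer = resolve()
		zoneCache[fqdn] = answer
	}
	return callGuarded(func() string { return extract(answer) })
}

// normalResponse and craftedResponse are constructed answer sections; the
// crafted one places a CNAME ahead of the SOA, as an on-path attacker or a
// malicious authoritative server could.
func normalResponse() []RR {
	return []RR{&SOA{Owner: "example.com.", Ns: "ns1.example.com."}}
}

func craftedResponse() []RR {
	return []RR{
		&CNAME{Owner: "_acme-challenge.example.com.", Target: "example.com."},
		&SOA{Owner: "example.com.", Ns: "ns1.example.com."},
	}
}

func main() {
	const fqdn = "_acme-challenge.example.com."
	// The first lookup stores the crafted answer; the second would get a
	// clean answer from the resolver but never asks, because the cache hits.
	for _, resolve := range []func() []RR{craftedResponse, normalResponse} {
		z, err := cachedZone(fqdn, resolve, fragileZone)
		fmt.Printf("fragile: zone=%q err=%v\n", z, err)
	}
	z, err := safeZone(craftedResponse())
	fmt.Printf("safe:    zone=%q err=%v\n", z, err)
}
```

Run it with go run. The cached case is the point that matters operationally: the first bad answer keeps crashing every later lookup of that name until the cache is cleared, so a single intercepted response is enough and a restart only helps until the next poisoned lookup. safeZone shows the shape of fix a reviewer would expect: scan every record, use the comma-ok assertion, and return an error rather than caching and re-reading an answer that was never validated.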
Remediation
Update to cert-manager 1.18.5 or 1.19.3 (or any later release in those lines), both of which include the patch. Instructions for updating can be found in the cert-manager documentation. Until the upgrade is done, pointing --dns01-recursive-nameservers at a trusted resolver reached over a trusted network reduces exposure to on-path tampering, but it does not cover the case where the authoritative server for the validated domain is malicious, since a trusted resolver relays that server's crafted answer unchanged.
