Netty
cpe:2.3:a:netty:netty:*:*:*:*:*:*:*
- <= 4.1.132.Final
- <= 4.2.12.Final
A vulnerability exists in Netty's DNS codec in versions prior to 4.2.13.Final and 4.1.133.Final. The codec does not properly validate domain names according to RFC 1035 during encoding or decoding. This lack of validation creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, while user-influenced hostnames can exploit the encoder. On the encoder side, the vulnerability allows null byte injection, acceptance of overly long labels, and silent truncation of domain names. On the decoder side, it enables unbounded memory allocation from oversized labels, potentially leading to denial-of-service conditions.
The vulnerability allows for DNS cache poisoning, because different DNS parsers can interpret the same encoded packet in conflicting ways. It can also cause unbounded memory allocation, leading to denial-of-service conditions.
The vulnerability can be reproduced by using Netty's DNS codec to encode domain names that violate RFC 1035 constraints, such as those containing null bytes or exceeding label length limits. This can be done by crafting DNS queries that exploit these weaknesses and observing the incorrect handling of the domain names. Additionally, the decoder side can be tested by processing DNS responses from a malicious server that takes advantage of the codec's lack of validation, such as responses with oversized labels that bypass the RFC 1035 limits.
Users can upgrade to Netty versions 4.2.13.Final or 4.1.133.Final, where this vulnerability has been fixed.
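The RFC 1035 constraints named in the description (no null bytes, labels of at most 63 octets, names of at most 255 octets on the wire) can also be enforced by the application before a hostname reaches the encoder and before a received name is expanded. The following is an added example, not Netty's code or its fix; the class and method names are hypothetical, it needs Java 11 or later, and the wire-format check deliberately treats compression pointers as invalid rather than following them.

```java
import java.nio.charset.StandardCharsets;

/** Added example: RFC 1035 name checks applied outside the codec (hypothetical names). */
public final class Rfc1035NameCheck {
    static final int MAX_LABEL = 63;  // RFC 1035 section 2.3.4: octets per label
    static final int MAX_NAME = 255;  // RFC 1035 section 2.3.4: octets per name on the wire

    /** Encoder side: returns null if the presentation-format name is acceptable, else the reason. */
    static String rejectReason(String name) {
        if (name == null || name.isEmpty()) return "empty name";
        String n = name.endsWith(".") ? name.substring(0, name.length() - 1) : name;
        if (n.isEmpty()) return null; // the root name "."
        int wireLen = 1; // terminating zero-length root label
        for (String label : n.split("\\.", -1)) {
            byte[] b = label.getBytes(StandardCharsets.UTF_8);
            if (b.length == 0) return "empty label";
            if (b.length > MAX_LABEL) return "label longer than 63 octets";
            for (byte x : b) if (x == 0) return "NUL byte in label";
            wireLen += 1 + b.length; // length octet plus label octets
        }
        return wireLen > MAX_NAME ? "name longer than 255 octets" : null;
    }

    /** Decoder side: walks an uncompressed wire-format name; returns its length or -1 if invalid. */
    static int wireNameLength(byte[] buf, int offset) {
        int pos = offset;
        while (pos < buf.length) {
            int len = buf[pos] & 0xFF;
            if (len == 0) return pos + 1 - offset;  // root label ends the name
            if (len > MAX_LABEL) return -1;         // oversized label or 0xC0 pointer: reject
            pos += 1 + len;
            if (pos - offset + 1 > MAX_NAME) return -1; // bound the total before reading further
        }
        return -1; // buffer ended before the root label
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the advisory.
        String[] names = { "example.com.", "a\u0000b.example.com", "x".repeat(64) + ".example.com" };
        for (String s : names) System.out.println(rejectReason(s));
        byte[] wire = { 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0 };
        System.out.println(wireNameLength(wire, 0));
    }
}
```

Rejecting the name outright, rather than truncating it, is the point of the encoder-side check: silent truncation is one of the behaviours the description lists.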