Full Report
Wiz CTO Ami Luttwak discusses a new class of vulnerabilities discovered by Wiz Research, which exposed valuable dynamic DNS data from millions of endpoints worldwide.
Analysis Summary
# Vulnerability: Tenant Isolation Bypass via Name Server Registration in Managed DNS Services
## CVE Details
- CVE ID: Not explicitly assigned in the provided text. The research describes a new class of vulnerabilities affecting managed DNS services.
- CVSS Score: Not explicitly provided. The description implies **Critical** severity due to the scale and sensitivity of leaked data.
- CWE: Unspecified, but likely related to **CWE-284: Improper Access Control** or **CWE-613: Insufficient Session Expiration** (in the context of DNS record persistence/handling).
## Affected Systems
- Products: Managed DNS service platforms, specifically mentioning major players like **Amazon Route 53** and **Google Cloud DNS** (though the text indicates two major providers have since fixed the issue). The vulnerability stems from how DNS hosting providers handle registration of special domains.
- Versions: Unspecified, applies to prior versions of affected managed DNS platforms before fixes were deployed.
- Configurations: Any configuration where endpoint devices use the affected managed DNS services for dynamic DNS updates, and where the DNS host platform does not adequately verify domain ownership/control during setup.
## Vulnerability Description
The vulnerability exists in the logic of managed DNS hosting providers (like AWS Route 53). Researchers found a loophole where registering a specific type of "special" domain—specifically, one named after the provider's own authoritative name servers—breaks tenant isolation.
By registering a synthetic hosted zone named identically to one of the provider's official name servers (e.g., creating a zone named `ns-852.awsdns-42.net` on the name server `ns-1611.awsdns-09.co.uk`), the researcher effectively gained partial control over that name server's resolution path for that specific synthetic domain.
When Windows endpoints using dynamic DNS (DDNS) tried to update their records, the DDNS client first resolved the address of the master name server for the zone. If that name server was one of the provider name servers implicated in the exploit, the hijacked resolution sent the DDNS update traffic (which carries sensitive internal data) to the attacker-controlled IP address instead of the legitimate DNS server.
## Exploitation
- Status: **PoC available** (The researchers demonstrated successful exploitation). **Still an active threat vector** on unpatched providers.
- Complexity: **Low** (Described as "as easy as registering a domain"). The core attack involves registering a specific domain structure.
- Attack Vector: **Network** (Requires access to the managed DNS registration platform and relies on the victim device performing external DNS queries).
## Impact
- Confidentiality: **High**. Leaked information included computer names, employee names, locations, and details about web domains, effectively providing an intelligence view inside organizations ("nation-state level spying capability").
- Integrity: **Medium**. Ability to hijack specific DNS resolution paths, although the primary observable impact was data leakage.
- Availability: **Low**. Minimal direct impact on service availability, focused on information disclosure.
## Remediation
### Patches
- **Amazon Route 53 and Google Cloud DNS:** The text states that two major DNS providers (Amazon and Google) have fixed this issue. Specific patch versions are not detailed, but users should ensure they are running up-to-date services from these providers. Other providers may still be vulnerable.
### Workarounds
- **Configure DNS Resolvers Properly:** Organizations are ultimately responsible for configuring their internal DNS resolvers so that dynamic DNS updates **do not leave the internal network**. This might involve segmenting DDNS traffic or ensuring updates are only routed internally.
- **Avoid Affected Configurations:** Organizations should cease configurations that rely on external DNS platforms for sensitive internal dynamic updates, especially those involving systems that may attempt to resolve the name of their own internal DNS servers externally.
## Detection
- **Indicators of Compromise:** Internal endpoints sending dynamic DNS registration/update traffic to external IP addresses, particularly updates whose resolution path references known provider name server names.
- **Detection Methods and Tools:** Network traffic analysis monitoring DDNS update requests. Organizations should verify with their managed DNS providers if protection mechanisms against this specific name server registration anomaly have been implemented.
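As an added defender-side example (not part of the original report or Wiz's checker), the following Python flags DNS dynamic UPDATE messages whose destination lies outside RFC 1918 space, the traffic pattern the indicator above describes; the sample flows are constructed.

```python
"""Flag DNS dynamic UPDATE messages (RFC 2136, opcode 5) that leave the internal network.
Added example for this report, not Wiz's tooling; input is (src_ip, dst_ip, dns_payload) tuples."""
import ipaddress
import struct

# RFC 1918 ranges stand in for "the internal network"; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_name(msg, off):
    """Decode an uncompressed DNS name starting at offset off; return (name, next_offset)."""
    labels = []
    while (length := msg[off]) != 0:
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off + 1

def parse_update_zone(msg):
    """Return the zone name if msg is a DNS UPDATE with one zone entry, else None."""
    if len(msg) < 12:
        return None
    flags, zocount = struct.unpack("!HH", msg[2:6])
    if (flags >> 11) & 0xF != 5 or zocount != 1:   # opcode field is bits 11-14 of the flags word
        return None
    return parse_name(msg, 12)[0]

def flag_leaking_updates(flows):
    """Return (src, dst, zone) for every UPDATE whose destination is not an internal address."""
    alerts = []
    for src, dst, payload in flows:
        zone = parse_update_zone(payload)
        if zone and not any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS):
            alerts.append((src, dst, zone))
    return alerts

def build_update(zone):
    """Constructed minimal UPDATE: header plus zone section (ZTYPE SOA, ZCLASS IN)."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in zone.rstrip(".").split("."))
    return struct.pack("!HHHHHH", 0x1234, 5 << 11, 1, 0, 0, 0) + wire + b"\x00" + struct.pack("!HH", 6, 1)

# Constructed sample flows: one update stays internal, one leaves the network, one is an ordinary query.
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.0.0.53", build_update("corp.example.internal")),
    ("10.1.2.4", "203.0.113.7", build_update("corp.example.internal")),
    ("10.1.2.5", "203.0.113.7", struct.pack("!HHHHHH", 7, 0x0100, 1, 0, 0, 0) + b"\x00" + struct.pack("!HH", 1, 1)),
]

if __name__ == "__main__":
    for src, dst, zone in flag_leaking_updates(SAMPLE_FLOWS):
        print(f"DDNS update for {zone} from {src} sent to external {dst}")
```

Only the second flow is reported; an internal update and a plain query pass through without an alert.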
## References
- Vendor advisories are not provided other than mentioning that two major providers have fixed the bug.
- Relevant links:
  - Dynamic DNS Checker Service: `hxxps://dynamic-dns-checker[.]tools[.]wiz[.]io/`
  - Black Hat Briefing: `hxxps://www[.]blackhat[.]com/us-21/briefings/schedule/#a-new-class-of-dns-vulnerabilities-affecting-many-dns-as-service-platforms-23563`
  - Dan Kaminsky Reference: `hxxps://www[.]nytimes[.]com/2021/04/27/technology/daniel-kaminsky-dead[.]html`