Full Report
At Black Hat on Wednesday, Wiz researchers disclosed a vulnerability in DNS hosting services that affects millions of corporate endpoints.
Analysis Summary
# Vulnerability: Dynamic DNS Leak Exposing Internal Network Data
## CVE Details
- CVE ID: Not provided in the source, which refers to the issue only as a vulnerability affecting DNS hosting services.
- CVSS Score: Not explicitly provided.
- CWE: Related to improper configuration/handling of DNS records (Potentially CWE-20 or similar configuration weakness).
## Affected Systems
- Products: Windows Endpoints utilizing misconfigured Dynamic DNS (DDNS) services.
- Versions: Any configuration where Dynamic DNS settings allow internal traffic related to DDNS updates to leak externally via misconfigured DNS resolvers/SOA records.
- Configurations: Organizations using public DNS providers (such as AWS Route53 or Google DNS) whose Start of Authority (SOA) records point to an active, publicly resolvable host rather than to a server the organization controls for its internal network.
## Vulnerability Description
A vulnerability, dubbed the Dynamic DNS Leak, affects Windows endpoints and arises from the improper configuration of Dynamic DNS (DDNS) settings on public DNS providers (specifically impacting the SOA record configuration). This flaw allows sensitive internal network traffic related to DDNS updates to leak outside the internal network boundary. Successful exploitation can reveal the organization's computer names, internal and external IP addresses, and employee names and locations.
## Exploitation
- Status: Exploitation is possible wherever a domain's SOA record is misconfigured. Widespread exploitation in the wild is not explicitly confirmed, but the risk is high for any vulnerable configuration.
- Complexity: Likely Low; exploitation involves analyzing published SOA records and relies on a common configuration oversight.
- Attack Vector: Network (via DNS queries/lookups).
## Impact
- Confidentiality: High (Exposure of internal hostnames, IPs, and employee details).
- Integrity: Low (Primarily an information disclosure vulnerability).
- Availability: Negligible.
## Remediation
### Patches
- **DNS Providers (Cloud Vendors):** AWS Route53 and Google have reportedly implemented fixes for the underlying nameserver hijacking issue they were responsible for.
- **Customer Responsibility:** No specific software patch is detailed; the fix relies on configuration changes.
### Workarounds
Organizations must review and properly configure their DNS resolvers/SOA records:
1. Configure SOA records on public DNS providers to point exclusively to an **invalid domain they control** or to a **valid internal Dynamic DNS server**.
2. Organizations whose SOA records are correctly configured are immune to this specific leak mechanism.
## Detection
- **Indicators of Compromise (IoCs):** DDNS update traffic that should remain internal being observed leaving the network, directed at the host named in the domain's SOA record.
- **Detection Methods and Tools:** Wiz has released a free online tool, the **Dynamic DNS Checker**, which tests the organization's domain SOA record configuration for misconfigurations that indicate vulnerability risk. Organizations should also verify their public DNS configuration against best practices for internal network segmentation and DDNS management.
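The workaround and detection guidance above both come down to one question: does the zone's SOA MNAME field (the host Windows endpoints send dynamic DNS updates to) name something the organization controls, or a deliberately non-resolving name, rather than a provider-owned hostname? The script below is an added example, not Wiz's Dynamic DNS Checker and not vendor code. It parses `dig +noall +answer SOA` style output offline and classifies each record against that condition. The sample answer lines, the provider hostname `ns-0000.example-dns-provider.net.`, and the helper names `parse_soa`, `classify` and `audit` are constructed for this example.

```python
"""Offline classifier for the SOA MNAME condition behind the Dynamic DNS Leak.

Windows endpoints send dynamic DNS updates to the host named in a zone's SOA
MNAME field. The remediation is to make that field name either an invalid
(never-resolving) name the organization controls or an internal DDNS server.
This script parses dig-style SOA answer lines and reports which of those
states a record is in, flagging any MNAME outside the organization's control.

Added example: not Wiz's checker and not vendor code. Sample records and the
provider hostname below are constructed placeholders.
"""
import re
from dataclasses import dataclass

# Matches one answer line as printed by `dig +noall +answer SOA <zone>`.
SOA_LINE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)"
    r"\s+(?P<serial>\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s*$",
    re.IGNORECASE,
)

# RFC 2606 reserves .invalid for names guaranteed never to resolve.
NEVER_RESOLVES = (".invalid.",)


@dataclass(frozen=True)
class SoaRecord:
    zone: str
    mname: str
    rname: str
    serial: int


def _fqdn(name: str) -> str:
    """Normalize to a lowercase, dot-terminated name so suffix checks are exact."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_soa(line: str) -> SoaRecord:
    """Parse one dig-style SOA answer line; raise ValueError on anything else."""
    m = SOA_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not a dig-style SOA answer line: {line!r}")
    return SoaRecord(_fqdn(m["zone"]), _fqdn(m["mname"]), _fqdn(m["rname"]), int(m["serial"]))


def _under(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def classify(rec: SoaRecord, controlled_zones) -> tuple[str, str]:
    """Return (verdict, reason) for one SOA record.

    controlled_zones: names the organization owns, public or internal
    (the record's own zone is always treated as controlled).
    """
    owned = [_fqdn(z) for z in controlled_zones] + [rec.zone]
    if rec.mname.endswith(NEVER_RESOLVES):
        return "ok", "MNAME is a reserved never-resolving name; DDNS updates cannot leave the network"
    if any(_under(rec.mname, z) for z in owned):
        return "ok", "MNAME is inside a zone the organization controls"
    return "at-risk", "MNAME names a host outside the organization's control; DDNS update traffic may leak"


def audit(lines, controlled_zones) -> dict[str, tuple[str, str]]:
    """Classify every SOA answer line; returns {zone: (verdict, reason)}."""
    results = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blank lines and dig comment lines
        rec = parse_soa(line)
        results[rec.zone] = classify(rec, controlled_zones)
    return results


# Constructed sample output in the shape `dig +noall +answer SOA` prints.
SAMPLE_ANSWERS = """
; constructed for this example
corp.example.com.     900 IN SOA ns-0000.example-dns-provider.net. hostmaster.example.com. 2024010101 7200 900 1209600 86400
shop.example.com.     900 IN SOA ddns01.ad.example.internal. hostmaster.example.com. 2024010102 7200 900 1209600 86400
lab.example.com.      900 IN SOA ns1.lab.example.com. hostmaster.example.com. 2024010103 7200 900 1209600 86400
legacy.example.com.   900 IN SOA ddns.example.invalid. hostmaster.example.com. 2024010104 7200 900 1209600 86400
""".splitlines()

if __name__ == "__main__":
    # Assumed: the organization also controls the internal AD zone below.
    for zone, (verdict, reason) in audit(SAMPLE_ANSWERS, ["ad.example.internal."]).items():
        print(f"{verdict:8} {zone:22} {reason}")
```

Feed it the real `dig` output for each of your public zones and list every zone you own (public and internal) in `controlled_zones`; only the first sample record, whose MNAME is the provider's shared nameserver hostname, comes back `at-risk`, which is the configuration the remediation section tells you to change.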
## References
- Vendor Advisories: Mention of fixes implemented by AWS and Google.
- Relevant Links:
- Dynamic DNS Checker Tool: defanged-dynamic-dns-checker-tools-wiz-io
- Detailed Vulnerability Post: defanged-www-wiz-io-blog-black-hat-2021-dns-loophole-makes-nation-state-level-spying-as-easy-as-registering-a-domain