CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action
Learn about CWE-350 (Reliance on Reverse DNS Resolution for a Security-Critical Action), its security impact, exploitation methods, and prevention guidelines.
What is Reliance on Reverse DNS Resolution for a Security-Critical Action?
• Overview: Reliance on Reverse DNS Resolution for a Security-Critical Action is a weakness in which software performs a reverse DNS (PTR) lookup on a client's IP address and uses the returned hostname to make a security decision, such as authentication or authorization. The PTR record for an address lives in the reverse zone (in-addr.arpa or ip6.arpa) delegated to whoever holds that address block, not to the owner of the domain the name claims to belong to, so the returned name is attacker-influenced data and says nothing reliable about who is connecting.
• Exploitation Methods:
- An attacker who owns or rents an address block, or who can edit the reverse zone at their hosting provider, can simply publish a PTR record that maps their IP to a hostname in the victim's trusted domain; no compromise of the victim's DNS is needed.
- Other paths include poisoning the cache of the resolver the application uses so that the reverse lookup returns a false hostname, or running a DNS server the attacker controls that answers with misleading PTR data. In every case the product has no way to tell that the name it received was never authorized by the owner of that domain, because nothing ties the reverse answer to the forward zone.
• Security Impact:
- Direct consequences include bypassing authentication mechanisms, logging incorrect hostnames, and potentially gaining unauthorized access to resources.
- Potential cascading effects might involve hiding malicious activities, misleading security audits, and facilitating other attacks by masking the attacker's true identity.
- Business impact can include data breaches, loss of sensitive information, reputational damage, and financial losses due to compromised systems.
• Prevention Guidelines:
- Specific code-level fixes: do not use a reverse-resolved hostname as the basis for authentication or authorization. If a hostname must be used at all, forward-confirm it (resolve the returned name and require the original IP to appear among its addresses) and catch both socket.herror and socket.gaierror so that a non-resolving name results in a denial rather than an unhandled exception. Prefer an identity that is actually bound to the peer, such as certificate-based or mutual TLS authentication; an IP allowlist is stronger than reverse DNS but still trusts the source address, which can be spoofed on connectionless protocols.
- Security best practices: treat reverse DNS results as informational, log both the client IP and the resolved hostname so audit trails are not polluted by a spoofed name alone, and deploy DNSSEC with a validating resolver to protect the integrity of signed zones. DNSSEC does not help when the attacker legitimately controls the reverse zone for their own address space.
- Recommended tools and frameworks: network monitoring that alerts on anomalous DNS activity (cache-poisoning attempts, unexpected PTR changes) and static analysis rules that flag security decisions made on the output of gethostbyaddr and equivalent APIs.
Corgea can automatically detect and fix Reliance on Reverse DNS Resolution for a Security-Critical Action in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
import socket


def is_trusted_client(client_ip):
    # Perform reverse DNS lookup on the client IP
    try:
        hostname = socket.gethostbyaddr(client_ip)[0]
        # Make a security decision based on the hostname alone (vulnerable)
        return hostname.endswith(".trusted.com")
    except socket.herror:
        return False


# Example usage
client_ip = "192.0.2.1"
if is_trusted_client(client_ip):
    print("Access granted to trusted client.")
else:
    print("Access denied.")
Explanation:
- Vulnerable lines: the call to socket.gethostbyaddr(client_ip) and the return hostname.endswith(".trusted.com") that follows it. The hostname comes from the PTR record in the reverse zone for client_ip, which the owner of trusted.com does not control; an attacker who holds that address block, or who can poison the resolver's cache, can make any IP resolve to a name ending in .trusted.com. The code never checks that the name resolves back to the IP, so the forward and reverse views of DNS are never reconciled and the decision rests entirely on attacker-influenced data.
How to fix Reliance on Reverse DNS Resolution for a Security-Critical Action?
To fix this vulnerability, do not rely on the reverse lookup alone: verify that the hostname obtained from it actually maps back to the client IP. This is forward-confirmed reverse DNS (FCrDNS): resolve the returned hostname and require the original IP address to appear among the addresses it returns. An attacker can publish any PTR record for their own address, but cannot add that address to the forward zone of trusted.com. This only removes the attacker-controlled PTR from the decision; it still trusts the client's source IP and the integrity of the forward lookup, so it is a mitigation rather than authentication, and certificate-based authentication remains the recommended replacement for security-critical decisions.
Fixed Code Example
import socket


def is_trusted_client(client_ip):
    try:
        # Perform reverse DNS lookup on the client IP; DNS names are case-insensitive,
        # so normalize case and strip any trailing dot before comparing
        hostname = socket.gethostbyaddr(client_ip)[0].rstrip(".").lower()
        # Check if the hostname ends with the trusted domain
        if hostname.endswith(".trusted.com"):
            # Perform forward DNS lookup on the hostname (forward-confirmed reverse DNS)
            resolved_ips = socket.gethostbyname_ex(hostname)[2]
            # Ensure the original IP is in the list of resolved IPs
            if client_ip in resolved_ips:
                return True
    except (socket.herror, socket.gaierror):
        # herror: no PTR record for the IP; gaierror: the PTR name has no forward record
        pass
    return False


# Example usage
client_ip = "192.0.2.1"
if is_trusted_client(client_ip):
    print("Access granted to trusted client.")
else:
    print("Access denied.")
Explanation:
- Fixed lines: after obtaining the hostname from the reverse DNS lookup, socket.gethostbyname_ex(hostname) performs a forward lookup, and the client IP must appear in the returned address list before access is granted. Because only the owner of trusted.com can add addresses to that forward zone, a spoofed PTR record alone no longer passes the check. The except clause also catches socket.gaierror, which gethostbyname_ex raises when the PTR name does not exist in forward DNS; without it, an attacker could turn the check into an unhandled exception instead of a denial. Remaining caveats: gethostbyname_ex returns IPv4 addresses only, the membership test is a string comparison so client_ip must already be in canonical form, and the check still trusts the client's source address and the integrity of the forward lookup.
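The following is an added example, not code from the page or from Corgea. It implements the forward-confirmation check described in the fix with the resolver calls injected as callbacks, so it can be run offline against constructed zone data and compared side by side with the PTR-only decision from the vulnerable example. The names fake_reverse, fake_forward, FAKE_PTR, FAKE_FORWARD, TRUSTED_SUFFIX and the sample addresses are assumptions made for the demonstration; system_reverse and system_forward wrap the real socket calls for production use, and getaddrinfo is used there instead of gethostbyname_ex so IPv6 addresses are covered as well.

```python
import ipaddress
import socket
from typing import Callable, List, Optional

# Resolver callbacks are injected so the check can be exercised offline against the
# constructed zone data below; in production pass system_reverse / system_forward.
ReverseLookup = Callable[[str], str]        # ip -> PTR hostname, raises OSError on failure
ForwardLookup = Callable[[str], List[str]]  # hostname -> A/AAAA addresses, raises OSError

TRUSTED_SUFFIX = ".trusted.com"  # assumed trusted domain, as in the page's example


def system_reverse(ip: str) -> str:
    """Real PTR lookup via the system resolver (raises socket.herror on failure)."""
    return socket.gethostbyaddr(ip)[0]


def system_forward(hostname: str) -> List[str]:
    """Real forward lookup; getaddrinfo returns both A and AAAA records."""
    return [info[4][0] for info in socket.getaddrinfo(hostname, None)]


def forward_confirmed_hostname(client_ip: str, reverse: ReverseLookup = system_reverse,
                               forward: ForwardLookup = system_forward) -> Optional[str]:
    """Forward-confirmed reverse DNS (FCrDNS): return the PTR name for client_ip only
    if that name resolves back to client_ip, otherwise None. Never raises on DNS failure."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    try:
        hostname = reverse(str(addr)).rstrip(".").lower()  # DNS names are case-insensitive
    except OSError:  # socket.herror: no PTR record for this address
        return None
    try:
        candidates = forward(hostname)
    except OSError:  # socket.gaierror: the PTR points at a name with no forward record
        return None
    # Compare parsed addresses rather than strings so equivalent textual forms agree
    for candidate in candidates:
        try:
            if ipaddress.ip_address(candidate) == addr:
                return hostname
        except ValueError:
            continue
    return None


def is_trusted_client(client_ip: str, reverse: ReverseLookup = system_reverse,
                      forward: ForwardLookup = system_forward) -> bool:
    """Hardened decision: the hostname counts only after forward confirmation."""
    hostname = forward_confirmed_hostname(client_ip, reverse, forward)
    return hostname is not None and hostname.endswith(TRUSTED_SUFFIX)


def ptr_only_trusted(client_ip: str, reverse: ReverseLookup = system_reverse) -> bool:
    """The page's vulnerable decision, kept for contrast: PTR name alone (CWE-350)."""
    try:
        return reverse(client_ip).rstrip(".").lower().endswith(TRUSTED_SUFFIX)
    except OSError:
        return False


# Constructed zone data (hypothetical). 192.0.2.0/24 belongs to trusted.com; 198.51.100.0/24
# is the attacker's block, so the attacker can publish any PTR name for it but cannot
# add records to trusted.com's forward zone.
FAKE_PTR = {
    "192.0.2.1": "GATEWAY.trusted.com.",   # legitimate host; case and trailing dot vary in practice
    "198.51.100.7": "gateway.trusted.com",  # attacker-set PTR impersonating the gateway
    "198.51.100.8": "ghost.trusted.com",    # attacker-set PTR naming a host that does not exist
}
FAKE_FORWARD = {
    "gateway.trusted.com": ["192.0.2.1", "192.0.2.2"],
}


def fake_reverse(ip: str) -> str:
    """Stand-in for gethostbyaddr over the constructed reverse zones."""
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]


def fake_forward(hostname: str) -> List[str]:
    """Stand-in for getaddrinfo over the constructed trusted.com forward zone."""
    if hostname not in FAKE_FORWARD:
        raise socket.gaierror(-2, "Name or service not known")
    return list(FAKE_FORWARD[hostname])


def demo() -> dict:
    """Run both decisions over the constructed data; returns {ip: (ptr_only, fcrdns)}."""
    results = {}
    for ip in ["192.0.2.1", "198.51.100.7", "198.51.100.8", "203.0.113.9", "not-an-ip"]:
        results[ip] = (ptr_only_trusted(ip, fake_reverse),
                       is_trusted_client(ip, fake_reverse, fake_forward))
    return results


if __name__ == "__main__":
    for ip, (weak, strong) in demo().items():
        print(f"{ip:14} PTR-only={weak!s:5} FCrDNS={strong}")
```

Against the constructed data the PTR-only decision accepts both attacker addresses (their PTR names end in .trusted.com), while the forward-confirmed decision accepts only 192.0.2.1: 198.51.100.7 is rejected because trusted.com's forward zone does not list it, and 198.51.100.8 is rejected cleanly because its PTR name has no forward record at all, which the page's fixed code would have turned into an unhandled socket.gaierror. The injected-resolver design is also what makes the check unit-testable without touching live DNS.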