Source: cve@mitre.org
The DNS implementation in DeleGate 8.10.2 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop.
DeleGate versions 8.10.2 and earlier are vulnerable to a denial-of-service (DoS) attack. Attackers can send a crafted DNS packet containing a malformed compressed label, causing the server to enter an infinite loop, rendering it unavailable to legitimate users.
Step 1: Packet Crafting: The attacker crafts a malicious DNS packet. This packet contains a compressed DNS label with a label length byte that specifies an invalid offset. This offset points to a location within the packet that is either outside the packet's bounds or contains further invalid data.
Step 2: Packet Delivery: The attacker sends the crafted DNS packet to a DeleGate server.
Step 3: Packet Processing: The DeleGate server receives the packet and begins to parse it, including the compressed DNS label.
Step 4: Infinite Loop: When the server attempts to resolve the compressed label using the invalid offset, it enters an infinite loop. The server repeatedly attempts to dereference the invalid offset, consuming CPU resources and preventing the server from processing legitimate DNS requests.
Step 5: Denial of Service: The server becomes unresponsive to legitimate DNS queries, resulting in a denial-of-service condition.
The vulnerability lies within DeleGate's DNS implementation, specifically in how it handles compressed DNS labels. In DNS message compression (RFC 1035 section 4.1.4), a label length byte whose top two bits are set is not a length at all but a 14-bit pointer to an earlier position in the packet where the rest of the name is stored. The flaw is triggered by a malformed DNS packet in which such a pointer carries an incorrect offset. When the server attempts to resolve the label, it enters an infinite loop while attempting to dereference the invalid offset, consuming CPU resources and leading to a DoS. This is a classic example of a logic error leading to resource exhaustion, rather than a more severe vulnerability like a buffer overflow or code execution. The root cause is a failure to properly validate the offset value within the compressed DNS label, allowing the program to enter an endless loop.
This vulnerability is not directly associated with any specific APT groups or known malware campaigns. However, any system running vulnerable DeleGate versions could be targeted by opportunistic attackers. CISA KEV status: Not Listed.
Monitor network traffic for unusually large numbers of DNS queries, especially those with malformed or unusual characteristics.
Analyze DNS traffic for packets containing compressed labels with potentially invalid offsets. This can be done using network traffic analysis tools like Wireshark or tcpdump.
Monitor CPU usage on DeleGate servers. A sudden and sustained spike in CPU usage could indicate a DoS attack.
Review server logs for error messages related to DNS processing or infinite loops.
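The root-cause paragraph above describes a name decompressor that follows pointer offsets without validating them, and the detection advice asks for a way to recognise packets whose compressed labels carry invalid offsets. The following added example (written for this page, not DeleGate's own code) shows a name decoder that cannot loop: every pointer must target an offset strictly below the start of the label run it was found in, so the read position decreases on each hop, and the hop count and decompressed length are capped as a second guard. The packet bytes, the DNS_MAX_HOPS value and the error-code names are constructed for the example; the 255-byte name limit and the 0xC0 pointer encoding are from RFC 1035.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME 255   /* RFC 1035: a full name is at most 255 wire bytes */
#define DNS_MAX_HOPS 16    /* assumption: no legitimate name needs more pointer hops */

enum {
    DNS_ERR_TRUNCATED = -1, /* label or pointer runs past the end of the packet */
    DNS_ERR_POINTER   = -2, /* pointer not strictly backwards (self/forward/OOB) or too many hops */
    DNS_ERR_BAD_LABEL = -3, /* reserved length-byte encoding 0x40/0x80 */
    DNS_ERR_TOO_LONG  = -4  /* name exceeds 255 wire bytes or the output buffer */
};

/*
 * Decode the possibly-compressed name at offset `off` of the `len`-byte packet `pkt`
 * into `out` as dotted text (the root name decodes to ""). Returns the number of
 * bytes the name occupies at `off`, so the caller can step past it, or a negative
 * DNS_ERR_* code. Termination is guaranteed because every pointer must target an
 * offset strictly below the start of the run it was found in, so offsets decrease
 * on each hop; the hop count and decompressed length are capped as well.
 */
int dns_read_name(const uint8_t *pkt, size_t len, size_t off, char *out, size_t outsz)
{
    size_t pos = off;      /* current read position */
    size_t base = off;     /* start of the current contiguous run of labels */
    size_t consumed = 0;   /* bytes occupied at `off`; frozen once a pointer is followed */
    size_t wirelen = 0;    /* length of the fully decompressed name */
    size_t outlen = 0;
    int hops = 0, jumped = 0;

    if (outsz == 0) return DNS_ERR_TOO_LONG;

    for (;;) {
        if (pos >= len) return DNS_ERR_TRUNCATED;
        uint8_t c = pkt[pos];

        if ((c & 0xC0) == 0xC0) {                        /* 11xxxxxx: compression pointer */
            if (pos + 1 >= len) return DNS_ERR_TRUNCATED;
            size_t target = ((size_t)(c & 0x3F) << 8) | pkt[pos + 1];
            if (!jumped) { consumed = pos + 2 - off; jumped = 1; }
            if (target >= base) return DNS_ERR_POINTER;  /* self, forward or out-of-bounds */
            if (++hops > DNS_MAX_HOPS) return DNS_ERR_POINTER;
            pos = base = target;
            continue;
        }
        if (c & 0xC0) return DNS_ERR_BAD_LABEL;          /* 01/10 prefixes are reserved */

        if (++wirelen > DNS_MAX_NAME) return DNS_ERR_TOO_LONG;  /* the length byte itself */
        if (c == 0) {                                    /* root label ends the name */
            if (!jumped) consumed = pos + 1 - off;
            out[outlen] = '\0';
            return (int)consumed;
        }
        if (pos + 1 + c > len) return DNS_ERR_TRUNCATED;
        if ((wirelen += c) > DNS_MAX_NAME) return DNS_ERR_TOO_LONG;
        if (outlen + (outlen ? 1 : 0) + c + 1 > outsz) return DNS_ERR_TOO_LONG;
        if (outlen) out[outlen++] = '.';
        memcpy(out + outlen, pkt + pos + 1, c);
        outlen += c;
        pos += 1 + c;
    }
}

/* Constructed sample packet: a valid name, a valid pointer, and four malformed cases. */
const uint8_t sample_pkt[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,  /* 12-byte header */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,    /* off 12: full name */
    4,'m','a','i','l', 0xC0,0x10,                                       /* off 29: "mail" + ptr->16 */
    0xC0,0x24,                                                          /* off 36: ptr to itself */
    0xC0,0x28, 0xC0,0x26,                                               /* off 38/40: two-node loop */
    0xC0,0xFF,                                                          /* off 42: ptr past the end */
    0x40,                                                               /* off 44: reserved encoding */
    10,'a','b'                                                          /* off 45: truncated label */
};
const size_t sample_len = sizeof sample_pkt;

int main(void)
{
    static const size_t offs[] = { 12, 29, 36, 40, 42, 44, 45 };
    char name[DNS_MAX_NAME + 1];
    for (size_t i = 0; i < sizeof offs / sizeof offs[0]; i++) {
        int rc = dns_read_name(sample_pkt, sample_len, offs[i], name, sizeof name);
        if (rc < 0) printf("offset %2zu: rejected (code %d)\n", offs[i], rc);
        else        printf("offset %2zu: \"%s\" (%d bytes)\n", offs[i], name, rc);
    }
    return 0;
}
```

A traffic analyser or IDS rule that needs to flag the malformed packets described in the detection list can apply the same decoder to every name in a captured query and report any negative return code; the "strictly backwards" rule is what turns the unbounded loop into a bounded walk, since the forward, self-referencing and out-of-range offsets the advisory describes all fail that one comparison.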
Upgrade to a patched version of DeleGate (8.10.3 or later).
Implement network-level filtering to block or rate-limit DNS traffic from untrusted sources.
Use a Web Application Firewall (WAF) or other security appliances to inspect and filter DNS traffic.
Regularly scan the network for vulnerable systems using vulnerability scanners.
Implement a defense-in-depth strategy, including intrusion detection and prevention systems (IDS/IPS).