CVE-2021-23386
📋 TL;DR
CVE-2021-23386 is a memory disclosure vulnerability in the dns-packet npm package where uninitialized buffers can leak internal application memory over unencrypted DNS queries. Attackers can exploit this by sending crafted invalid domain names to expose sensitive data like encryption keys or session tokens. This affects any application using vulnerable versions of dns-packet for DNS query handling.
💻 Affected Systems
- dns-packet npm package
📦 What is this software?
Dns Packet by Dns Packet Project
⚠️ Risk & Real-World Impact
Worst Case
Full memory disclosure leading to exposure of sensitive data like API keys, passwords, or encryption secrets, potentially enabling further system compromise.
Likely Case
Partial memory disclosure exposing application state, configuration data, or user session information that could be used for reconnaissance or targeted attacks.
If Mitigated
Limited impact with proper network segmentation and monitoring, though some information leakage may still occur.
🎯 Exploit Status
Exploitation requires sending crafted DNS queries to vulnerable applications, which is straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.2
Vendor Advisory: https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56
Restart Required: Yes
Instructions:
1. Update package.json to require dns-packet version 5.2.2 or higher.
2. Run 'npm update dns-packet' or 'yarn upgrade dns-packet'.
3. Restart all affected applications and services.
🔧 Temporary Workarounds
Network Filtering
Block or filter DNS queries containing malformed domain names at the network perimeter.
🧯 If You Can't Patch
- Implement strict input validation for domain names before passing to dns-packet
- Isolate vulnerable applications in segmented network zones with limited external access
🔍 How to Verify
Check if Vulnerable:
Check package.json or node_modules/dns-packet/package.json for version number. If version is below 5.2.2, the system is vulnerable.
Check Version:
npm list dns-packet | grep dns-packet
Verify Fix Applied:
Verify dns-packet version is 5.2.2 or higher after update and test with known malicious domain queries.
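The two checks above (is the installed version below 5.2.2, and is a domain name well-formed before it reaches dns-packet) as an added JavaScript example; this is not code from the advisory or from the dns-packet project, and the function names and sample inputs are constructed here:

```javascript
// Added example (not from the advisory or dns-packet): a pre-flight guard that
// (a) tells whether an installed dns-packet version is older than the fixed 5.2.2 and
// (b) rejects domain names that violate DNS wire-format limits before they are handed
// to dns-packet's encoder. All function names here are assumptions for illustration.

const FIXED_VERSION = '5.2.2'; // fixed version stated in the advisory

// Compare dotted numeric versions; true when `installed` is older than `fixed`.
function isVulnerableVersion(installed, fixed = FIXED_VERSION) {
  const a = installed.split('.').map(Number);
  const b = fixed.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// RFC 1035 limits: each label 1..63 octets of letters, digits and hyphens with no
// leading or trailing hyphen; the whole name at most 253 characters in text form.
// Empty labels ("..", a leading dot) and oversized labels are exactly the kind of
// malformed input the advisory says should never be passed to dns-packet.
// Note: this strict LDH rule also rejects underscore labels such as "_sip._tcp";
// relax LABEL_RE if your application legitimately queries SRV/TXT names.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isSafeDomainName(name) {
  if (typeof name !== 'string' || name.length === 0) return false;
  // Accept one trailing dot (FQDN form); anything else that yields an empty label fails.
  const text = name.endsWith('.') ? name.slice(0, -1) : name;
  if (text.length === 0 || text.length > 253) return false;
  return text.split('.').every((label) => LABEL_RE.test(label));
}

// Call this before dns-packet's encode(): it throws on unsafe input so a malformed
// name never reaches the library, whatever version is installed.
function assertSafeDomainName(name) {
  if (!isSafeDomainName(name)) {
    throw new RangeError(`rejected unsafe domain name: ${JSON.stringify(name)}`);
  }
  return name;
}
```

Pair the version check with the output of `npm list dns-packet` and wrap every user-controlled name with `assertSafeDomainName` at the boundary where queries are built.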
📡 Detection & Monitoring
Log Indicators:
- Unusual DNS query patterns with malformed domain names
- Increased memory usage or unusual process behavior
Network Indicators:
- DNS queries containing unusually long or malformed domain names
- Repeated DNS queries to the same domain with variations
SIEM Query:
source="dns" AND (query contains ".." OR query contains "--" OR query length > 255)
🔗 References
- https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56
- https://hackerone.com/bugs?subject=user&%3Breport_id=968858
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1295719
- https://snyk.io/vuln/SNYK-JS-DNSPACKET-1293563