CVE-2023-30464 – This vulnerability in CoreDNS allows attackers ... (How to Fix)

Q: What is the severity of CVE-2023-30464?

CVE-2023-30464 has a CVSS score of 7.5 (HIGH). This vulnerability in CoreDNS allows attackers to perform DNS cache poisoning attacks using a birthday attack technique. Attackers can inject fake DNS responses, potentially redirecting users to malicious websites. Any organization running vulnerable CoreDNS versions is affected.

📋 TL;DR

This vulnerability in CoreDNS allows attackers to perform DNS cache poisoning attacks using a birthday attack technique. Attackers can inject fake DNS responses, potentially redirecting users to malicious websites. Any organization running vulnerable CoreDNS versions is affected.

💻 Affected Systems

Products:

CoreDNS

Versions: through 1.10.1

Operating Systems: All platforms running CoreDNS

Default Config Vulnerable: ⚠️ Yes

Notes: All CoreDNS deployments using default or custom configurations are vulnerable if running affected versions.

📦 What is this software?

Coredns by Coredns.io

View all CVEs affecting Coredns →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete DNS cache poisoning leading to widespread traffic redirection to attacker-controlled infrastructure, enabling credential theft, malware distribution, or service disruption.

🟠

Likely Case

Targeted DNS cache poisoning affecting specific domains, potentially redirecting users to phishing sites or intercepting sensitive communications.

🟢

If Mitigated

Limited impact with proper network segmentation, DNS security extensions, and monitoring in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires network access to the DNS server and understanding of birthday attack techniques against DNS.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.2 and later

Vendor Advisory: https://github.com/coredns/coredns/security/advisories/GHSA-5wvr-9jvp-8fpg

Restart Required: Yes

Instructions:

1. Update CoreDNS to version 1.10.2 or later. 2. Stop CoreDNS service. 3. Replace binary with patched version. 4. Restart CoreDNS service. 5. Verify functionality.

🔧 Temporary Workarounds

Enable DNS Security Extensions

all

Implement DNSSEC to validate DNS responses and prevent cache poisoning

# Configure DNSSEC in CoreDNS configuration file
# Add 'dnssec' plugin to zones requiring validation

Reduce Cache TTL

all

Lower DNS cache time-to-live values to reduce window for poisoning attacks

# In Corefile, set lower TTL values for cache plugin
cache {
    ttl 300
}

🧯 If You Can't Patch

Implement network segmentation to restrict access to DNS servers
Deploy intrusion detection systems to monitor for DNS poisoning attempts

🔍 How to Verify

Check if Vulnerable:

Check CoreDNS version with 'coredns -version' command. If version is 1.10.1 or earlier, system is vulnerable.

Check Version:

coredns -version

Verify Fix Applied:

After patching, run 'coredns -version' to confirm version is 1.10.2 or later.

📡 Detection & Monitoring

Log Indicators:

Unusual DNS query patterns
Multiple failed DNS responses from same source
DNS responses with mismatched transaction IDs

Network Indicators:

Unexpected DNS response traffic
DNS queries with spoofed source IPs
High volume of DNS queries to same domain

SIEM Query:

source="dns.log" | stats count by query, response_code | where count > threshold

📊 Metadata

CVE ID: CVE-2023-30464

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-290

Published: September 18, 2024

Last Updated: July 10, 2025

🔗 References

https://gist.github.com/idealeer/e41c7fb3b661d4262d0b6f21e12168ba Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-30464, you might also want to check these: