CWE-350 Detail

CWE-350

Reliance on Reverse DNS Resolution for a Security-Critical Action
Draft
2006-07-19 00:00 +00:00
2023-06-29 00:00 +00:00

Alerte pour un CWE

Stay informed of any changes for a specific CWE.
Alert management

Reliance on Reverse DNS Resolution for a Security-Critical Action

The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.

Extended Description

Since DNS names can be easily spoofed or misreported, and it may be difficult for the product to detect if a trusted DNS server has been compromised, DNS names do not constitute a valid authentication mechanism.

When the product performs a reverse DNS resolution for an IP address, if an attacker controls the DNS server for that IP address, then the attacker can cause the server to return an arbitrary hostname. As a result, the attacker may be able to bypass authentication, cause the wrong hostname to be recorded in log files to hide activities, or perform other attacks.

Attackers can spoof DNS names by either (1) compromising a DNS server and modifying its records (sometimes called DNS cache poisoning), or (2) having legitimate control over a DNS server associated with their IP address.

Informations

Modes Of Introduction

Architecture and Design

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope Impact Likelihood
Access ControlGain Privileges or Assume Identity, Bypass Protection Mechanism

Note: Malicious users can fake authentication information by providing false DNS information.

Observed Examples

Reference Description
CVE-2001-1488Does not do double-reverse lookup to prevent DNS spoofing.
CVE-2001-1500Does not verify reverse-resolved hostnames in DNS.
CVE-2000-1221Authentication bypass using spoofed reverse-resolved DNS hostnames.
CVE-2002-0804Authentication bypass using spoofed reverse-resolved DNS hostnames.
CVE-2001-1155Filter does not properly check the result of a reverse DNS lookup, which could allow remote attackers to bypass intended access restrictions via DNS spoofing.
CVE-2004-0892Reverse DNS lookup used to spoof trusted content in intermediary.
CVE-2003-0981Product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS.

Potential Mitigations

Phases : Architecture and Design
Use other means of identity verification that cannot be simply spoofed. Possibilities include a username/password or certificate.
Phases : Implementation
Perform proper forward and reverse DNS lookups to detect DNS spoofing.

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High

Vulnerability Mapping Notes

Rationale : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID Attack Pattern Name
CAPEC-142 DNS Cache Poisoning
A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
CAPEC-275 DNS Rebinding
An adversary serves content whose IP address is resolved by a DNS server that the adversary controls. After initial contact by a web browser (or similar client), the adversary changes the IP address to which its name resolves, to an address within the target organization that is not publicly accessible. This allows the web browser to examine this internal address on behalf of the adversary.
CAPEC-73 User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-89 Pharming
A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. Pharming does not require script injection or clicking on malicious links for the attack to succeed.

Notes

CWE-350, CWE-247, and CWE-292 were merged into CWE-350 in CWE 2.5. CWE-247 was originally derived from Seven Pernicious Kingdoms, CWE-350 from PLOVER, and CWE-292 from CLASP. All taxonomies focused closely on the use of reverse DNS for authentication of incoming requests.

References

REF-18

The CLASP Application Security Process
Secure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

Submission

Name Organization Date Date Release Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Name Organization Date Comment
Sean Eidemiller Cigital 2008-07-01 +00:00 added/updated demonstrative examples
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2009-05-27 +00:00 updated Relationships
CWE Content Team MITRE 2010-09-27 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2013-06-23 +00:00 CWE-247 and CWE-292 deprecated and merged into CWE-350 to address duplicates.
CWE Content Team MITRE 2013-07-17 +00:00 updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Type
CWE Content Team MITRE 2014-02-18 +00:00 updated Description, Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Demonstrative_Examples, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-05-03 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2017-11-08 +00:00 updated Demonstrative_Examples, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated References, Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2022-10-13 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes