Hickory DNS is a widely used Rust-based DNS client, server, and resolver. A recently published vulnerability (CVE-2025-25188) affects versions from 0.8.0 up to and including 0.24.2, and the 0.25.0-alpha prereleases up to and including 0.25.0-alpha.4. It impacts anyone relying on DNSSEC verification in the client library, the stub resolver, or the recursive resolver: the DNSSEC validation routines establish trust too broadly, so an attacker who can get a crafted response in front of the validator can have forged DNS records accepted as DNSSEC-authenticated.
## Vulnerability Details
The issue arises because entire RRsets (Resource Record sets) of DNSKEY records are treated as trusted once trust in just one of the DNSKEYs has been established. Consequently, when a zone's DNSKEY RRset includes a key whose public key matches a configured trust anchor, every other key in that RRset is trusted to authenticate records in the zone as well. The correct procedure (RFC 4035, Section 5.3) is narrower: a DNSKEY is trusted only if it matches a trust anchor or an authenticated DS record directly, or if it belongs to a DNSKEY RRset whose RRSIG verifies under such a key. Granting trust to the whole RRset on the strength of a single matching key skips that signature check.
There is a second variant involving DS (Delegation Signer) records: an authenticated DS record that covers one DNSKEY leads to trust in signatures made by an unrelated DNSKEY in the same zone.
In practical terms, an attacker who can get a DNSKEY of their own choosing into a response alongside a genuine key can sign forged records with that key, and the resolver will accept them as DNSSEC-authenticated, defeating the integrity guarantee DNSSEC is meant to provide.
The following simplified snippet sketches the flawed logic. It is a schematic of the trust decision rather than a verbatim excerpt of the library's source:

```rust
// Schematic of the flawed trust decision (not verbatim Hickory DNS source).
fn validate_dnskey_rrset(&self, rrset: &RRset) -> Result<SecureDns, ValidationError> {
    // Establish trust in a single DNSKEY: the one whose public key matches a
    // configured trust anchor (or, in the DS variant, an authenticated DS record).
    let trusted_key = rrset.find_trusted_key(&self.trust_anchor)?;

    // The flaw: once one key is trusted, every DNSKEY in the RRset is marked
    // trusted too, without checking that the RRset's RRSIG verifies under `trusted_key`.
    for rdata in &rrset.rdatas {
        if let RData::DNSKEY(ref dnskey) = *rdata {
            self.delegation_zone.insert_trusted_key(dnskey);
        }
    }
    Ok(SecureDns::new())
}
```
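To make the failure concrete, here is an added example (not Hickory DNS code, and not its actual API) that models the trust decision with toy keys and a toy signature primitive: `trusted_keys_vulnerable` implements the RRset-wide trust the advisory describes, `trusted_keys_fixed` implements the RFC 4035 rule, and `forged_record_accepted` runs a constructed spoofing scenario through both. All names, the FNV-based "signature", and the sample records are assumptions made for illustration.

```rust
// Added example (not Hickory DNS code): models the DNSKEY trust decision that
// CVE-2025-25188 got wrong. Keys, RRSIGs and the signature scheme are toys.
use std::collections::HashSet;

#[derive(Clone, PartialEq, Eq, Hash)]
struct DnsKey {
    flags: u16, // 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: u8,
    public_key: Vec<u8>,
}

impl DnsKey {
    /// Wire-format RDATA (RFC 4034, Section 2.1).
    fn rdata(&self) -> Vec<u8> {
        let mut out = self.flags.to_be_bytes().to_vec();
        out.extend_from_slice(&[3, self.algorithm]); // protocol octet is always 3
        out.extend_from_slice(&self.public_key);
        out
    }

    /// Key tag (RFC 4034, Appendix B); an RRSIG names its signer by this tag.
    fn key_tag(&self) -> u16 {
        let ac = self.rdata().iter().enumerate()
            .fold(0u32, |ac, (i, b)| ac + if i % 2 == 0 { (*b as u32) << 8 } else { *b as u32 });
        ((ac + (ac >> 16)) & 0xffff) as u16
    }
}

/// Toy RRSIG: the signer's key tag plus a toy signature value.
#[derive(Clone)]
struct Rrsig { key_tag: u16, signature: u64 }

/// FNV-1a over (signer RDATA || message) stands in for an asymmetric signature.
/// Anyone can compute it; the example only exercises which keys may verify.
fn fnv1a(data: &[u8]) -> u64 {
    data.iter().fold(0xcbf29ce484222325u64, |h, b| (h ^ *b as u64).wrapping_mul(0x100000001b3))
}

/// Canonical DNSKEY RRset: RDATA in sorted order (RFC 4034, Section 6.3).
fn canonical_rrset(rrset: &[DnsKey]) -> Vec<u8> {
    let mut rdatas: Vec<Vec<u8>> = rrset.iter().map(DnsKey::rdata).collect();
    rdatas.sort();
    rdatas.concat()
}

fn toy_sign(key: &DnsKey, message: &[u8]) -> Rrsig {
    Rrsig { key_tag: key.key_tag(), signature: fnv1a(&[key.rdata(), message.to_vec()].concat()) }
}

fn toy_verify(key: &DnsKey, message: &[u8], sig: &Rrsig) -> bool {
    key.key_tag() == sig.key_tag && fnv1a(&[key.rdata(), message.to_vec()].concat()) == sig.signature
}

/// Flawed rule (what the advisory describes): one key matching a trust anchor or
/// authenticated DS makes every key in the RRset trusted, whoever signed the RRset.
fn trusted_keys_vulnerable(rrset: &[DnsKey], anchors: &[DnsKey], _rrsigs: &[Rrsig]) -> HashSet<DnsKey> {
    if rrset.iter().any(|k| anchors.contains(k)) {
        rrset.iter().cloned().collect()
    } else {
        HashSet::new()
    }
}

/// Correct rule (RFC 4035, Section 5.3): a key is trusted only if it matches an anchor/DS
/// directly, or the whole DNSKEY RRset carries an RRSIG that verifies under such a key.
fn trusted_keys_fixed(rrset: &[DnsKey], anchors: &[DnsKey], rrsigs: &[Rrsig]) -> HashSet<DnsKey> {
    let directly: Vec<&DnsKey> = rrset.iter().filter(|k| anchors.contains(k)).collect();
    let msg = canonical_rrset(rrset);
    let rrset_signed = rrsigs.iter().any(|sig| directly.iter().any(|k| toy_verify(k, &msg, sig)));
    if rrset_signed {
        rrset.iter().cloned().collect()
    } else {
        directly.into_iter().cloned().collect()
    }
}

/// Constructed scenario: the zone's KSK is the trust anchor. A spoofing attacker splices
/// its own DNSKEY into the DNSKEY RRset, leaves the genuine RRSIG (which covers only the
/// genuine RRset) in place, and signs a forged A record with its own key.
/// Returns whether (vulnerable, fixed) trust selection accepts the forgery.
fn forged_record_accepted() -> (bool, bool) {
    let ksk = DnsKey { flags: 257, algorithm: 13, public_key: b"zone-ksk-public".to_vec() };
    let zsk = DnsKey { flags: 256, algorithm: 13, public_key: b"zone-zsk-public".to_vec() };
    let attacker = DnsKey { flags: 256, algorithm: 13, public_key: b"attacker-public".to_vec() };
    let genuine = vec![ksk.clone(), zsk.clone()];
    let genuine_sig = toy_sign(&ksk, &canonical_rrset(&genuine));
    let spoofed = vec![ksk.clone(), zsk, attacker.clone()];
    let forged_a: &[u8] = b"www.example. 300 IN A 203.0.113.66"; // constructed record
    let forged_sig = toy_sign(&attacker, forged_a);
    let anchors = [ksk];
    let accepts = |trusted: HashSet<DnsKey>| trusted.iter().any(|k| toy_verify(k, forged_a, &forged_sig));
    (
        accepts(trusted_keys_vulnerable(&spoofed, &anchors, &[genuine_sig.clone()])),
        accepts(trusted_keys_fixed(&spoofed, &anchors, &[genuine_sig])),
    )
}

fn main() {
    let (vulnerable, fixed) = forged_record_accepted();
    println!("forged record accepted: vulnerable={vulnerable} fixed={fixed}");
}
```

Run as a binary, the vulnerable selection accepts the forged A record while the fixed one rejects it, because the genuine RRSIG does not cover the tampered DNSKEY RRset and the attacker's key is therefore never admitted to the trusted set. The DS variant described above is the same decision with `anchors` populated from keys matched by an authenticated DS record instead of configured trust anchors.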
## How to Fix the Vulnerability
To address CVE-2025-25188, upgrade Hickory DNS to version 0.24.3 or 0.25.0-alpha.5, where the issue is fixed. The DNSSEC validation code lives in the `hickory-proto` crate, which `hickory-resolver` and `hickory-server` depend on, so confirm the resolved version of `hickory-proto` in your `Cargo.lock` (for example with `cargo tree -i hickory-proto`) rather than only the crate you depend on directly.
You can find the latest Hickory DNS releases at the following links
- Hickory DNS v0.24.3
- Hickory DNS v0.25.0-alpha.5
## References
For more information on this vulnerability (CVE-2025-25188) and its implications, you can refer to the following resources:
- Hickory DNS GitHub Repository: https://github.com/hickory-dns/hickory-dns
- CVE-2025-25188, NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2025-25188
## Conclusion
CVE-2025-25188 is a serious risk for users of Hickory DNS who rely on DNSSEC verification, since it lets forged records pass as authenticated. Affected users should upgrade to the fixed versions as soon as possible, and check transitive dependencies so that no older `hickory-proto` remains in the build.
## Timeline
Published on: 02/10/2025 18:15:35 UTC