CVE-2023-41329
DNS Rebinding vulnerability in wiremock-standalone (Maven)
What is CVE-2023-41329 About?
This vulnerability allows a DNS rebinding attack against the proxy mode of WireMock and its derivatives, stemming from a race condition during DNS resolution. Successful exploitation could allow redirection to prohibited domains, impacting the integrity of network restrictions. The specific impact is limited to redirection, and the attack is difficult to carry out: its complexity is high because it requires control of a DNS server.
Affected Software
- org.wiremock:wiremock-standalone
  - <3.0.3
- org.wiremock:wiremock
  - <3.0.3
- com.github.tomakehurst:wiremock-jre8
  - <2.35.1
- com.github.tomakehurst:wiremock-jre8-standalone
  - <2.35.1
- wiremock
  - <2.6.1
Technical Details
The vulnerability lies in a race condition within WireMock's proxy mode when configured to use domain names for network restrictions. An attacker controlling a DNS server can exploit this by causing the DNS resolution for a permitted domain to expire in between the initial validation check and the actual outbound network request. During this window, the DNS server can rebind the domain to a prohibited IP address, allowing the request to proceed to a disallowed target. This circumvents the intended network restrictions, which rely on the initial DNS resolution, enabling requests to go to domains that were supposed to be blocked.
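The check-then-use gap described above, as an added example (not WireMock's code or its fix): a constructed resolver stands in for a DNS server whose answer changes between lookups, and the racy pattern is shown beside a form that validates and connects to the same resolved address. `RebindingResolver`, `racy_target`, `pinned_target` and the deny list are hypothetical names and values.

```python
import ipaddress

# Constructed deny rule: address ranges the proxy must never reach.
DENIED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]


class RebindingResolver:
    """Constructed stand-in for DNS: each lookup returns the next answer,
    modelling a short-TTL record that changes between two resolutions."""

    def __init__(self, answers):
        self.answers = list(answers)
        self.lookups = 0

    def resolve(self, host):
        ip = self.answers[min(self.lookups, len(self.answers) - 1)]
        self.lookups += 1
        return ipaddress.ip_address(ip)


def is_denied(ip):
    return any(ip in net for net in DENIED)


def racy_target(host, resolver):
    """Check-then-use: validates one lookup, connects using a second one."""
    if is_denied(resolver.resolve(host)):
        raise PermissionError(f"{host} resolves to a denied address")
    # Second lookup (what an HTTP client does when handed the hostname):
    # nothing guarantees it matches the address that was validated.
    return resolver.resolve(host)


def pinned_target(host, resolver):
    """Resolve once, validate that address, return the same address to connect to."""
    ip = resolver.resolve(host)
    if is_denied(ip):
        raise PermissionError(f"{host} resolves to a denied address")
    return ip  # caller connects to this IP and keeps the hostname for Host/SNI


if __name__ == "__main__":
    answers = ["203.0.113.10", "10.0.0.5"]  # constructed: allowed first, denied second
    print("racy   ->", racy_target("allowed.example", RebindingResolver(answers)))
    print("pinned ->", pinned_target("allowed.example", RebindingResolver(answers)))
```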
What is the Impact of CVE-2023-41329?
Successful exploitation may allow attackers to bypass configured network restrictions, potentially leading to unauthorized data access or interaction with prohibited internal or external services.
What is the Exploitability of CVE-2023-41329?
Exploiting this vulnerability is complex. It requires control over a DNS service that the target WireMock instance uses, allowing the attacker to manipulate DNS responses to induce a race condition. There are no authentication requirements for the vulnerability itself, but network access to the WireMock proxy is necessary. The exploit relies on a timing window between DNS validation and the actual network request, making precise execution challenging. The inherent design of DNS rebinding attacks typically involves remote access to trigger the malicious redirection. Risk factors include environments where WireMock's proxy mode is exposed and configured with domain-based network restrictions, especially if DNS resolution can be influenced by external parties.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-41329?
Available Upgrade Options
- wiremock
  - <2.6.1 → Upgrade to 2.6.1
- org.wiremock:wiremock-standalone
  - <3.0.3 → Upgrade to 3.0.3
- com.github.tomakehurst:wiremock-jre8
  - <2.35.1 → Upgrade to 2.35.1
- org.wiremock:wiremock
  - <3.0.3 → Upgrade to 3.0.3
- com.github.tomakehurst:wiremock-jre8-standalone
  - <2.35.1 → Upgrade to 2.35.1
Additional Resources
- https://github.com/wiremock/wiremock
- https://github.com/wiremock/wiremock/security/advisories/GHSA-pmxq-pj47-j8j4
- https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses
- https://osv.dev/vulnerability/GHSA-pmxq-pj47-j8j4
- https://nvd.nist.gov/vuln/detail/CVE-2023-41329
What are Similar Vulnerabilities to CVE-2023-41329?
Similar Vulnerabilities: CVE-2023-41327, CVE-2018-7076, CVE-2017-5674, CVE-2017-8046, CVE-2020-15967
