GHSA-gx3x-vq4p-mhhv

Impact

The cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS.

An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in Denial of Service (DoS) of the cert-manager controller.

The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor.

Patches

The vulnerability was introduced in cert-manager v1.18.0 and has been patched in cert-manager v1.19.3 and v1.18.5, which are the supported minor releases at the time of publishing.

cert-manager versions prior to v1.18.0 are unaffected.

Workarounds

• Using DNS-over-HTTPS reduces the risk of DNS traffic being intercepted and modified.
  • Note that DNS-over-HTTPS does not prevent the risk of an attacker-controlled authoritative DNS server.

Resources

• Fix for cert-manager 1.18: https://github.com/cert-manager/cert-manager/pull/8467
• Fix for cert-manager 1.19: https://github.com/cert-manager/cert-manager/pull/8468
• Fix for master branch: https://github.com/cert-manager/cert-manager/pull/8469

Credits

Huge thanks to Oleh Konko (@1seal) for reporting the issue, providing a detailed PoC and an initial patch!