GHSA-WXRW-GVG8-FQJP

Vulnerability from github – Published: 2026-02-06 22:52 – Updated: 2026-02-09 22:39
VLAI
Summary
Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service
Details

Summary

The DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when EnforceOTP is enabled. Because sessions are stored without a cleanup/expiry path in this flow, an unauthenticated remote actor can repeatedly create sessions and drive memory exhaustion.

Vulnerable Component

  • server/c2/dns.go:84-90 (EnforceOTP stored but not enforced in bootstrap)
  • server/c2/dns.go:378-390 (TOTP requests routed directly to bootstrap)
  • server/c2/dns.go:490-521 (handleHello allocates session without OTP validation)
  • server/c2/dns.go:495 (sessions.Store with no lifecycle control in this path)
  • client/command/jobs/dns.go:46-52 (operator-facing EnforceOTP control implies auth gate)
  • implant/sliver/transports/dnsclient/dnsclient.go:896-900 (otpMsg sends TOTP with ID=0)
  • protobuf/dnspb/dns.proto:22 (documents TOTP in ID field)

Attack Vector

  • Network-accessible DNS listener
  • No authentication required
  • Low-complexity repeated DNS query loop
  • Trigger path: DNSMessageType_TOTP bootstrap handling

Proof of Concept

Preconditions

  • DNS listener is reachable
  • DNS C2 job is active

Reproduction Steps

  1. Send repeated DNS queries with a minimal protobuf message of type TOTP.
  2. Observe repeated session allocation/issuance behavior.
  3. Continue requests to increase active in-memory session state.

Example

while true; do
  dig +short @<DNS_C2_IP> baa8.<parent-domain> A >/dev/null
done

baa8 is a base32 payload for a minimal TOTP-type protobuf message.

Observable Indicators

  • Repeated bootstrap/session-allocation log entries from handleHello
  • Rising memory usage in the Sliver server process
  • Service slowdown or instability under sustained request volume

Impact

  • Unauthenticated remote denial of service (availability)
  • Resource exhaustion through unbounded session growth in DNS bootstrap path
  • Estimated CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 High)
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.6.11"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/bishopfox/sliver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25791"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T22:52:00Z",
    "nvd_published_at": "2026-02-09T21:15:49Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nThe DNS C2 listener accepts unauthenticated `TOTP` bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when `EnforceOTP` is enabled. Because sessions are stored without a cleanup/expiry path in this flow, an unauthenticated remote actor can repeatedly create sessions and drive memory exhaustion.\n\n## Vulnerable Component\n- `server/c2/dns.go:84-90` (`EnforceOTP` stored but not enforced in bootstrap)\n- `server/c2/dns.go:378-390` (`TOTP` requests routed directly to bootstrap)\n- `server/c2/dns.go:490-521` (`handleHello` allocates session without OTP validation)\n- `server/c2/dns.go:495` (`sessions.Store` with no lifecycle control in this path)\n- `client/command/jobs/dns.go:46-52` (operator-facing `EnforceOTP` control implies auth gate)\n- `implant/sliver/transports/dnsclient/dnsclient.go:896-900` (`otpMsg` sends `TOTP` with `ID=0`)\n- `protobuf/dnspb/dns.proto:22` (documents TOTP in `ID` field)\n\n## Attack Vector\n- Network-accessible DNS listener\n- No authentication required\n- Low-complexity repeated DNS query loop\n- Trigger path: `DNSMessageType_TOTP` bootstrap handling\n\n## Proof of Concept\n### Preconditions\n- DNS listener is reachable\n- DNS C2 job is active\n\n### Reproduction Steps\n1. Send repeated DNS queries with a minimal protobuf message of type `TOTP`.\n2. Observe repeated session allocation/issuance behavior.\n3. Continue requests to increase active in-memory session state.\n\n### Example\n```bash\nwhile true; do\n  dig +short @\u003cDNS_C2_IP\u003e baa8.\u003cparent-domain\u003e A \u003e/dev/null\ndone\n```\n\n`baa8` is a base32 payload for a minimal TOTP-type protobuf message.\n\n### Observable Indicators\n- Repeated bootstrap/session-allocation log entries from `handleHello`\n- Rising memory usage in the Sliver server process\n- Service slowdown or instability under sustained request volume\n\n## Impact\n- Unauthenticated remote denial of service (availability)\n- Resource exhaustion through unbounded session growth in DNS bootstrap path\n- Estimated CVSS v3.1: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` (**7.5 High**)",
  "id": "GHSA-wxrw-gvg8-fqjp",
  "modified": "2026-02-09T22:39:50Z",
  "published": "2026-02-06T22:52:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-wxrw-gvg8-fqjp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25791"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BishopFox/sliver/commit/2b65089b27c553e79e69f1067cad1339e4f3d937"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/BishopFox/sliver"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BishopFox/sliver/releases/tag/v1.7.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…