GHSA-WXRW-GVG8-FQJP
Vulnerability from github – Published: 2026-02-06 22:52 – Updated: 2026-02-09 22:39
Summary
Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service
Details
Summary
The DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when EnforceOTP is enabled. Because sessions are stored without a cleanup/expiry path in this flow, an unauthenticated remote actor can repeatedly create sessions and drive memory exhaustion.
Vulnerable Component
- server/c2/dns.go:84-90 (EnforceOTP stored but not enforced in bootstrap)
- server/c2/dns.go:378-390 (TOTP requests routed directly to bootstrap)
- server/c2/dns.go:490-521 (handleHello allocates session without OTP validation)
- server/c2/dns.go:495 (sessions.Store with no lifecycle control in this path)
- client/command/jobs/dns.go:46-52 (operator-facing EnforceOTP control implies auth gate)
- implant/sliver/transports/dnsclient/dnsclient.go:896-900 (otpMsg sends TOTP with ID=0)
- protobuf/dnspb/dns.proto:22 (documents TOTP in ID field)
Attack Vector
- Network-accessible DNS listener
- No authentication required
- Low-complexity repeated DNS query loop
- Trigger path: DNSMessageType_TOTP bootstrap handling
Proof of Concept
Preconditions
- DNS listener is reachable
- DNS C2 job is active
Reproduction Steps
1. Send repeated DNS queries with a minimal protobuf message of type TOTP.
2. Observe repeated session allocation/issuance behavior.
3. Continue requests to increase active in-memory session state.
Example
while true; do
dig +short @<DNS_C2_IP> baa8.<parent-domain> A >/dev/null
done
baa8 is a base32 payload for a minimal TOTP-type protobuf message.
Observable Indicators
- Repeated bootstrap/session-allocation log entries from handleHello
- Rising memory usage in the Sliver server process
- Service slowdown or instability under sustained request volume
Impact
- Unauthenticated remote denial of service (availability)
- Resource exhaustion through unbounded session growth in DNS bootstrap path
- Estimated CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 High)
Severity
7.5 (High)
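The missing gate the advisory describes, modelled as an added Go example that is not Sliver's code: the Listener type, handleHelloVulnerable, handleHelloHardened, the session cap and the session TTL are assumptions made for illustration, and the OTP check is a plain RFC 6238 (HMAC-SHA1) implementation rather than the project's own. The vulnerable handler allocates a session on every TOTP message regardless of EnforceOTP and never expires it; the hardened handler verifies the code before allocating, evicts expired sessions, and refuses allocation once a cap is reached, so an unauthenticated query loop cannot grow the table.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Hypothetical, simplified model of a DNS C2 bootstrap handler. Not Sliver's code;
// all type and function names below are assumptions made for this example.

const totpStep = 30 * time.Second

// totpCode computes an RFC 6238 (HMAC-SHA1) code for one time-counter value.
func totpCode(secret []byte, counter uint64, digits int) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	truncated := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return truncated % mod
}

// validTOTP accepts the code for the current 30-second step or one step on either side.
func validTOTP(secret []byte, code uint32, now time.Time) bool {
	current := now.Unix() / int64(totpStep/time.Second)
	for skew := int64(-1); skew <= 1; skew++ {
		if totpCode(secret, uint64(current+skew), 6) == code {
			return true
		}
	}
	return false
}

type session struct {
	ID      uint32
	Created time.Time
}

// Listener holds per-listener configuration and the in-memory session table.
type Listener struct {
	EnforceOTP  bool
	Secret      []byte
	MaxSessions int
	SessionTTL  time.Duration

	mu       sync.Mutex
	sessions map[uint32]session
	nextID   uint32
}

func NewListener(secret []byte, enforceOTP bool, maxSessions int, ttl time.Duration) *Listener {
	return &Listener{EnforceOTP: enforceOTP, Secret: secret, MaxSessions: maxSessions,
		SessionTTL: ttl, sessions: map[uint32]session{}}
}

var (
	ErrOTPRejected  = errors.New("bootstrap rejected: invalid OTP")
	ErrSessionLimit = errors.New("bootstrap rejected: session table full")
)

func (l *Listener) SessionCount() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	return len(l.sessions)
}

// handleHelloVulnerable reproduces the reported defect pattern: EnforceOTP and the
// code are never consulted, and every message stores a session that nothing expires.
func (l *Listener) handleHelloVulnerable(code uint32, now time.Time) (uint32, error) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.nextID++
	l.sessions[l.nextID] = session{ID: l.nextID, Created: now}
	return l.nextID, nil
}

// handleHelloHardened checks the OTP before any allocation when EnforceOTP is set,
// drops expired sessions, and refuses new sessions once the cap is reached.
func (l *Listener) handleHelloHardened(code uint32, now time.Time) (uint32, error) {
	if l.EnforceOTP && !validTOTP(l.Secret, code, now) {
		return 0, ErrOTPRejected // nothing stored for an unauthenticated caller
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	for id, s := range l.sessions {
		if now.Sub(s.Created) > l.SessionTTL {
			delete(l.sessions, id)
		}
	}
	if len(l.sessions) >= l.MaxSessions {
		return 0, ErrSessionLimit
	}
	l.nextID++
	l.sessions[l.nextID] = session{ID: l.nextID, Created: now}
	return l.nextID, nil
}

func main() {
	secret := []byte("12345678901234567890") // constructed demo secret (the RFC 6238 test key)
	now := time.Unix(1_700_000_000, 0)
	good := totpCode(secret, uint64(now.Unix()/30), 6)
	bad := (good + 1) % 1_000_000

	v := NewListener(secret, true, 100, time.Minute)
	for i := 0; i < 1000; i++ {
		v.handleHelloVulnerable(bad, now)
	}
	fmt.Println("vulnerable handler, sessions after 1000 bad OTPs:", v.SessionCount())

	h := NewListener(secret, true, 100, time.Minute)
	_, err := h.handleHelloHardened(bad, now)
	fmt.Println("hardened handler, bad OTP:", err)
	id, err := h.handleHelloHardened(good, now)
	fmt.Println("hardened handler, good OTP: session", id, err)
}
```

The cap and TTL matter independently of the OTP check: even with verification in place, a bounded, expiring session table keeps a flood of otherwise valid bootstraps from exhausting memory, which is the CWE-400 half of the advisory.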
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.6.11"
},
"package": {
"ecosystem": "Go",
"name": "github.com/bishopfox/sliver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25791"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-06T22:52:00Z",
"nvd_published_at": "2026-02-09T21:15:49Z",
"severity": "HIGH"
},
"details": "## Summary\nThe DNS C2 listener accepts unauthenticated `TOTP` bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when `EnforceOTP` is enabled. Because sessions are stored without a cleanup/expiry path in this flow, an unauthenticated remote actor can repeatedly create sessions and drive memory exhaustion.\n\n## Vulnerable Component\n- `server/c2/dns.go:84-90` (`EnforceOTP` stored but not enforced in bootstrap)\n- `server/c2/dns.go:378-390` (`TOTP` requests routed directly to bootstrap)\n- `server/c2/dns.go:490-521` (`handleHello` allocates session without OTP validation)\n- `server/c2/dns.go:495` (`sessions.Store` with no lifecycle control in this path)\n- `client/command/jobs/dns.go:46-52` (operator-facing `EnforceOTP` control implies auth gate)\n- `implant/sliver/transports/dnsclient/dnsclient.go:896-900` (`otpMsg` sends `TOTP` with `ID=0`)\n- `protobuf/dnspb/dns.proto:22` (documents TOTP in `ID` field)\n\n## Attack Vector\n- Network-accessible DNS listener\n- No authentication required\n- Low-complexity repeated DNS query loop\n- Trigger path: `DNSMessageType_TOTP` bootstrap handling\n\n## Proof of Concept\n### Preconditions\n- DNS listener is reachable\n- DNS C2 job is active\n\n### Reproduction Steps\n1. Send repeated DNS queries with a minimal protobuf message of type `TOTP`.\n2. Observe repeated session allocation/issuance behavior.\n3. Continue requests to increase active in-memory session state.\n\n### Example\n```bash\nwhile true; do\n dig +short @\u003cDNS_C2_IP\u003e baa8.\u003cparent-domain\u003e A \u003e/dev/null\ndone\n```\n\n`baa8` is a base32 payload for a minimal TOTP-type protobuf message.\n\n### Observable Indicators\n- Repeated bootstrap/session-allocation log entries from `handleHello`\n- Rising memory usage in the Sliver server process\n- Service slowdown or instability under sustained request volume\n\n## Impact\n- Unauthenticated remote denial of service (availability)\n- Resource exhaustion through unbounded session growth in DNS bootstrap path\n- Estimated CVSS v3.1: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` (**7.5 High**)",
"id": "GHSA-wxrw-gvg8-fqjp",
"modified": "2026-02-09T22:39:50Z",
"published": "2026-02-06T22:52:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-wxrw-gvg8-fqjp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25791"
},
{
"type": "WEB",
"url": "https://github.com/BishopFox/sliver/commit/2b65089b27c553e79e69f1067cad1339e4f3d937"
},
{
"type": "PACKAGE",
"url": "https://github.com/BishopFox/sliver"
},
{
"type": "WEB",
"url": "https://github.com/BishopFox/sliver/releases/tag/v1.7.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service"
}