Summary The CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling cache pinning for very long periods. This can effectively cause a denial of service for DNS updates/changes to affected services. Details In plugin/etcd/etcd.go, the TTL() function casts the 64-bit etcd lease ID to a uint32 and uses it as the TTL: go func (e *Etcd) TTL(kv *mvccpb.KeyValue, serv *msg.Service) uint32 { etcdTTL := uint32(kv.Lease) // BUG: Lease ID != TTL duration // … rest of function uses etcdTTL as actual TTL } Lease IDs are identifiers, not durations. Large lease IDs can produce very large TTLs after truncation, causing downstream resolvers and clients to cache answers for years. This enables cache pinning attacks, such as: Attacker has etcd write access (compromised service account, misconfigured RBAC/TLS, exposed etcd, insider). Attacker writes/updates a key and attaches any lease (the actual lease duration is irrelevant; the ID is misused). CoreDNS serves the record with an extreme TTL; downstream resolvers/clients cache it for a very long time. Even after fixing/deleting the key (or restarting CoreDNS), clients continue to use the cached answer until their caches expire or enforce their own TTL caps. Some resolvers implement TTL caps, but values and defaults vary widely and are not guaranteed. PoC Launch etcd: bash etcd –data-dir ./etcd-data –listen-client-urls http://127.0.0.1:2379 …Read More