
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2024-0874) was discovered in CoreDNS that could lead to invalid cache entries being returned due to incorrectly implemented caching. The issue was discovered by Petr Mensik from Red Hat and was publicly disclosed on April 25, 2024. The vulnerability affects CoreDNS installations and has been assigned a CVSS v3.1 base score of 5.3 (Medium) (Red Hat CVE).
The vulnerability stems from CoreDNS's handling of the CD (Checking Disabled) bit in DNS queries. When a query arrives with the CD bit set, which asks the upstream resolver to skip DNSSEC validation, CoreDNS would cache the response. When a later query for the same name and type arrived without the CD bit set, CoreDNS would incorrectly serve that cached response, which had been obtained with validation disabled, violating the RFC 4035 requirements for handling the CD bit (GitHub Issue).
This vulnerability could allow an attacker to bypass DNSSEC validation: a first query sent with the CD bit set would place an unvalidated (and possibly invalid) response in the cache, and subsequent queries without the CD bit would then receive that same invalid cached response. This effectively undermines the DNSSEC protections that validating clients expect for cached responses (Red Hat CVE).
The issue has been fixed in CoreDNS by implementing separate caches for queries with CD bit enabled and disabled. The fix was merged via pull request #6354. Users are advised to upgrade to patched versions available through their distribution channels. Red Hat has released fixes through multiple security advisories including RHSA-2024:0041, RHSA-2024:4850, RHSA-2024:6009, and RHSA-2024:6406 (GitHub PR).
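The following Go program is an added illustration, not CoreDNS code and not the patch from PR #6354. It models a resolver cache whose key omits the CD bit (the CVE-2024-0874 behaviour) beside one whose key includes it (the separate-cache approach the fix takes), and runs the sequence described above: a CD=1 lookup primes the cache, then a CD=0 lookup for the same name follows. The `upstream` function, the zone name `bogus.example.`, the addresses, and all type and function names are constructed for the example.

```go
package main

import "fmt"

// Query models the parts of a DNS question that matter here.
type Query struct {
	Name string
	Type string
	CD   bool // Checking Disabled bit (RFC 4035, section 3.2.2)
}

// Response models an upstream answer as seen by the cache.
type Response struct {
	Rcode  string
	Answer string
}

// upstream is a constructed stand-in for a validating resolver. For
// bogus.example. the signed data is assumed to fail validation: with CD set
// the resolver returns the unvalidated answer, without CD it returns SERVFAIL.
// Every other name is assumed to validate cleanly.
func upstream(q Query) Response {
	if q.Name == "bogus.example." {
		if q.CD {
			return Response{Rcode: "NOERROR", Answer: "192.0.2.1"}
		}
		return Response{Rcode: "SERVFAIL"}
	}
	return Response{Rcode: "NOERROR", Answer: "198.51.100.1"}
}

// Cache stores responses under a key computed by keyFn; the two key
// functions below are the vulnerable and the fixed variants.
type Cache struct {
	keyFn   func(Query) string
	entries map[string]Response
	Hits    int // number of lookups answered from the cache
}

func NewCache(keyFn func(Query) string) *Cache {
	return &Cache{keyFn: keyFn, entries: map[string]Response{}}
}

// Resolve answers from the cache when the key is present, otherwise asks
// upstream and stores the result.
func (c *Cache) Resolve(q Query) Response {
	k := c.keyFn(q)
	if r, ok := c.entries[k]; ok {
		c.Hits++
		return r
	}
	r := upstream(q)
	c.entries[k] = r
	return r
}

// VulnerableKey ignores CD, so a CD=1 response can satisfy a CD=0 query.
func VulnerableKey(q Query) string { return q.Name + "/" + q.Type }

// FixedKey includes CD, which is equivalent to keeping separate caches for
// CD=1 and CD=0 traffic.
func FixedKey(q Query) string {
	return fmt.Sprintf("%s/%s/cd=%t", q.Name, q.Type, q.CD)
}

// Scenario runs the sequence from the advisory: prime with CD=1, then query
// the same name with CD=0. It returns both responses.
func Scenario(c *Cache) (primed, followUp Response) {
	primed = c.Resolve(Query{Name: "bogus.example.", Type: "A", CD: true})
	followUp = c.Resolve(Query{Name: "bogus.example.", Type: "A", CD: false})
	return primed, followUp
}

func main() {
	variants := []struct {
		name string
		key  func(Query) string
	}{
		{"vulnerable", VulnerableKey},
		{"fixed", FixedKey},
	}
	for _, v := range variants {
		c := NewCache(v.key)
		_, follow := Scenario(c)
		fmt.Printf("%-10s CD=0 lookup after CD=1 priming -> %s %q (cache hits: %d)\n",
			v.name, follow.Rcode, follow.Answer, c.Hits)
	}
}
```

With the vulnerable key the CD=0 lookup is a cache hit and returns the unvalidated `192.0.2.1`; with the fixed key it misses, goes upstream with validation enabled, and gets SERVFAIL, which is the behaviour a validating client relies on. The same check is a useful regression test for any cache layer that sits in front of a validating resolver: assert that a CD=0 query never receives an entry populated by a CD=1 query.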
Source: This report was generated using AI