Domain and vulnerability knowledge base
This knowledge base helps you understand and fix vulnerabilities that could expose your organisation to cyber attacks. It’s designed for public sector teams managing DNS, subdomains, and internet-facing services.
What are name server and zone vulnerabilities?
The Domain Name System (DNS) translates human-readable domain names such as security.gov.uk into IP addresses.
DNS name server and zone vulnerabilities are weaknesses in the name servers and zone data that direct internet traffic. Attackers can exploit these flaws to target critical parts of the internet’s infrastructure, taking advantage of how DNS resolution works.
Remediation guidance:
- Name servers that don’t provide an A record for the target domain name
- Name servers with invalid domain names
- Glue is required but not provided: no IPv4/IPv6 glue found on some authoritative or parent name servers
- Name servers found that don’t allow TCP connections
- Domain’s number of name servers doesn’t meet recommendations
What are dangling resource vulnerabilities?
Dangling resource vulnerabilities occur when system components, like DNS records, subdomains, or storage buckets, are not properly removed. These leftover elements can be hijacked by attackers to impersonate services or access sensitive data.
The most frequent issues involve DNS records that still point to services no longer in use. Attackers can register new services at those addresses and redirect traffic.
Subdomains are another high risk: if they’re not properly decommissioned, they can be reused to host fake websites that look legitimate, tricking users into sharing credentials or downloading malware.
Storage buckets and databases may also remain accessible after deletion, exposing sensitive files, backups, or configuration data that attackers can exploit.
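As an added example, not taken from this knowledge base, here is a simple check for the first two dangling-resource cases described above: CNAME records whose target no longer resolves, and A records pointing at addresses the organisation no longer controls. The zone, the external resolution view and the owned address block are all constructed sample data.

```python
import ipaddress

# Constructed zone export for the example (not a real zone): (name, type, value).
ZONE = [
    ("www.example.gov.uk", "A", "203.0.113.10"),
    ("old-app.example.gov.uk", "CNAME", "old-app.hosting-provider.example"),
    ("docs.example.gov.uk", "CNAME", "docs.hosting-provider.example"),
    ("legacy.example.gov.uk", "A", "198.51.100.77"),
    ("blog.example.gov.uk", "CNAME", "www.example.gov.uk"),
]
# Constructed view of what currently resolves outside the zone; names absent
# here stand for NXDOMAIN (the service was decommissioned).
EXTERNAL = {"docs.hosting-provider.example": "203.0.113.40"}
# Address blocks the organisation currently controls (constructed).
OWNED = [ipaddress.ip_network("203.0.113.0/24")]


def resolve(name, seen=None):
    """Follow CNAMEs through the zone, then the external view.
    Returns an IP string, or None when the name does not resolve."""
    seen = set() if seen is None else seen
    if name in seen:
        return None  # CNAME loop: treat as unresolvable
    seen.add(name)
    for n, rtype, value in ZONE:
        if n == name and rtype == "A":
            return value
        if n == name and rtype == "CNAME":
            return resolve(value, seen)
    return EXTERNAL.get(name)


def find_dangling(zone=ZONE):
    """Return (record name, reason, value) for records that look dangling."""
    findings = []
    for name, rtype, value in zone:
        if rtype == "CNAME" and resolve(value) is None:
            findings.append((name, "CNAME target does not resolve (takeover candidate)", value))
        elif rtype == "A" and not any(ipaddress.ip_address(value) in net for net in OWNED):
            findings.append((name, "A record points outside owned address space", value))
    return findings


if __name__ == "__main__":
    for finding in find_dangling():
        print(*finding, sep=" | ")
```

Records flagged here should be deleted or re-pointed before the target name or address can be claimed by someone else.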
Remediation guidance:
What are email configuration and security vulnerabilities?
Email services rely heavily on DNS to work properly and stay secure. If your DNS settings are not secured, attackers can change your mail (MX) records and redirect emails to places they should not go.
Email security mechanisms like SPF, DKIM, and DMARC also depend on DNS records. If these are set up incorrectly, or not at all, it can make it easier for attackers to spoof your domain and send fake emails that look like they’re from you.
Even web-based protections like MTA-STS, which help secure email in transit, need DNS records to be published and correctly configured.
Remediation guidance:
- DMARC: CNAME record present along with DMARC TXT record
- DMARC: Invalid external reporting endpoint
- DMARC: Invalid policy syntax
- DMARC: Multiple policies detected
- DMARC: Policy found with incorrect host name
- SPF: DNS lookups over limit
- SPF: Include policy points to domain that does not exist
- SPF: Include policy points to a record that does not exist
- SPF: Include policy resulting in recursion
- SPF: Invalid policy syntax
- SPF: Legacy record type in use
- SPF: Multiple records detected
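Several of the SPF findings above can be reproduced offline by walking a policy's include/redirect chain. The following checker is an added example (not code from this knowledge base) that counts DNS-lookup mechanisms against the RFC 7208 limit of 10 and flags recursion, missing records, non-existent domains, multiple records and malformed terms; the TXT data it reads is a constructed stand-in for real DNS.

```python
import re

# Constructed DNS TXT data for this example (not real records). A missing key
# stands for NXDOMAIN; an empty list is a domain that exists but has no SPF.
TXT = {
    "example.gov.uk": ["v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 -all"],
    "_spf.mailer.example": ["v=spf1 include:_spf.mailer.example a mx ~all"],
    "nospf.example": [],
    "broken.example": ["v=spf1 include:nospf.example include:gone.example -all"],
    "two.example": ["v=spf1 -all", "v=spf1 +all"],
    "heavy.example": ["v=spf1 " + " ".join(f"a:h{i}.example" for i in range(11)) + " -all"],
}

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=](\S+))?$", re.IGNORECASE)


def spf_records(domain):
    """All v=spf1 TXT records at a domain, or None if the domain does not exist."""
    if domain not in TXT:
        return None
    return [r for r in TXT[domain] if r.lower().split(" ")[0] == "v=spf1"]


def _walk(domain, seen, state, findings):
    if domain in seen:
        findings.append(f"include policy resulting in recursion at {domain}")
        return
    seen.add(domain)
    records = spf_records(domain)
    if records is None:
        findings.append(f"domain does not exist: {domain}")
        return
    if not records:
        findings.append(f"no SPF record at {domain}")
        return
    if len(records) > 1:
        findings.append(f"multiple SPF records detected at {domain}")
    for term in records[0].split()[1:]:  # skip the v=spf1 version tag
        m = TERM.match(term)
        mech, arg = (m.group(1).lower(), m.group(2)) if m else (None, None)
        if not m or (mech in {"include", "redirect"} and not arg):
            findings.append(f"invalid policy syntax '{term}' at {domain}")
            continue
        if mech in LOOKUP_MECHS:
            state["lookups"] += 1
        if mech in {"include", "redirect"}:
            _walk(arg, seen, state, findings)


def check_spf(domain):
    """Return (lookup_count, findings) for a domain's SPF policy."""
    state, findings = {"lookups": 0}, []
    _walk(domain, set(), state, findings)
    if state["lookups"] > MAX_LOOKUPS:
        findings.append(f"DNS lookups over limit: {state['lookups']} > {MAX_LOOKUPS}")
    return state["lookups"], findings
```

Against live DNS the same walk would be driven by TXT queries instead of the dictionary; the legacy SPF record type (RRTYPE 99) is not modelled here.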
What are cryptographic failure vulnerabilities?
Cryptographic failure vulnerabilities happen when encryption is poorly implemented, uses weak keys, or relies on outdated methods. These flaws can give attackers a way to bypass security and access sensitive data.
Older systems often still use weak encryption algorithms that can now be broken using modern computing power. If encryption keys or certificates are mishandled, attackers can intercept and read secure communications in real time.
Once a key is compromised, encryption becomes useless. That’s why keys must be stored securely, rotated regularly, and protected with strong access controls like multi-factor authentication.
Keeping certificates and private keys safe is just as important as using strong encryption itself.
Remediation guidance:
What are security misconfiguration vulnerabilities?
Security misconfiguration vulnerabilities happen when systems or applications are set up with weak or incorrect security settings.
This often results from human error, either due to a lack of knowledge or rushing through setup without proper planning.
Common examples include leaving default usernames and passwords unchanged, enabling unnecessary features, or giving excessive access permissions.
These mistakes make it easier for attackers to find and exploit systems.
Other risks include leaving debugging tools active in live environments, which can expose sensitive information, and misconfigured cloud services that allow too much access.
Attackers often use automated tools to scan for these weaknesses and exploit them quickly.
Keeping systems properly configured and regularly reviewed helps reduce these risks and protect against attacks.
Remediation guidance:
What are vulnerable and outdated components?
Vulnerable and outdated components are a security risk because modern applications are built from many third-party libraries, frameworks, and modules.
The core problem lies in the use of components with known, publicly disclosed vulnerabilities, often identified by a Common Vulnerabilities and Exposures (CVE) number.
A single outdated component containing a vulnerability can expose the entire system to attack, leading to data breaches or complete compromise. Attackers frequently use automated tools to scan for these known flaws, making this an easy and common entry point.
Organisations should actively manage their software supply chain using a Software Composition Analysis (SCA) approach. This proactive management is critical to ensure that all software and operating systems are continuously kept up to date and secure.
Remediation guidance:
What are open port vulnerabilities?
Open port vulnerabilities happen when network services are left exposed without proper security controls. These ports act like unlocked doors, giving attackers a way into systems and sensitive data.
Common risks include database ports like MySQL, PostgreSQL, or MongoDB being accessible from the internet, often with weak or default passwords.
Remote access services like SSH, RDP, and Telnet are also targets for brute force attacks when left open to untrusted networks. Devices and systems that still use default settings, including admin usernames and passwords, are especially easy for attackers to exploit.
Attackers use open ports to scan and gather information about systems, such as software versions and potential weaknesses.
Every unnecessary open port increases the chance of a successful attack, making it vital to close unused ports, monitor network activity and secure configurations from the start.
Remediation guidance:
- Open port 21: File Transfer Protocol (FTP)
- Open port 23: Telnet
- Open port 135: Remote Procedure Call (RPC)
- Open port 389: Lightweight Directory Access Protocol (LDAP)
- Open port 445: Server Message Block (SMB)
- Open port 512: Remote Execution (Rexec)
- Open port 631: Internet Printing Protocol (IPP)
- Open port 1433: Microsoft SQL Server
- Open port 1521: Oracle Database (DB)
- Open port 1900: Universal Plug and Play (UPnP)
- Open port 2049: Network File System (NFS)
- Open port 5432: PostgreSQL
- Open port 6379: Redis
- Open port 8443: HTTPS
- Open port 11211: Memcached
- Open port 27017: MongoDB
- Open port 50000: IBM Tivoli
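The list above is easy to turn into a repeatable review of scan results. This added example (not part of the knowledge base) parses constructed lines in nmap's grepable output layout, flags open ports from the list, and skips exposures that have already been reviewed and recorded on an allowlist; the hosts, addresses and allowlist are all made up for the example.

```python
import re

# Constructed scan lines in nmap grepable (-oG) layout; not a real scan.
SCAN = (
    "Host: 203.0.113.10 (web1.example.gov.uk)\tPorts: 22/open/tcp//ssh///, "
    "443/open/tcp//https///, 8443/open/tcp//https-alt///\tIgnored State: 997 closed ports\n"
    "Host: 203.0.113.20 (db1.example.gov.uk)\tPorts: 22/open/tcp//ssh///, "
    "5432/open/tcp//postgresql///, 6379/open/tcp//redis///\n"
    "Host: 203.0.113.30 (print1.example.gov.uk)\tPorts: 631/open/tcp//ipp///, "
    "23/filtered/tcp//telnet///\n"
)

# Ports from the remediation guidance list that should not be internet-facing.
RISKY = {21: "FTP", 23: "Telnet", 135: "RPC", 389: "LDAP", 445: "SMB", 512: "Rexec",
         631: "IPP", 1433: "Microsoft SQL Server", 1521: "Oracle DB", 1900: "UPnP",
         2049: "NFS", 5432: "PostgreSQL", 6379: "Redis", 8443: "HTTPS (alt)",
         11211: "Memcached", 27017: "MongoDB", 50000: "IBM Tivoli"}
# Constructed allowlist of (ip, port) exposures already reviewed and accepted.
ACCEPTED = {("203.0.113.10", 8443)}

HOST = re.compile(r"^Host: (\S+) \(([^)]*)\)\s+Ports: ([^\t]*)")


def parse_grepable(text):
    """Yield (ip, hostname, port, state, service) for every port entry."""
    for line in text.splitlines():
        m = HOST.match(line)
        if not m:
            continue
        ip, hostname, ports = m.groups()
        for entry in ports.split(", "):
            # Field order in -oG: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            yield ip, hostname, int(fields[0]), fields[1], fields[4]


def triage(text=SCAN):
    """Return (host, port, risk label, service) for open risky ports not on the allowlist."""
    findings = []
    for ip, hostname, port, state, service in parse_grepable(text):
        if state == "open" and port in RISKY and (ip, port) not in ACCEPTED:
            findings.append((hostname or ip, port, RISKY[port], service))
    return findings


if __name__ == "__main__":
    for host, port, label, service in triage():
        print(f"{host}: {port}/tcp ({label}, reported as {service}) exposed")
```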