Attacker Impact
An unauthenticated attacker can exploit this vulnerability to interact directly with Netmaker's DNS API endpoints [S1]. This allows unauthorized users to read, modify, or delete DNS configurations within the managed WireGuard network, potentially leading to traffic redirection, man-in-the-middle (MitM) attacks, or complete disruption of network routing [S1].
Root Cause
Prior to versions 0.17.1 and 0.18.6, Netmaker used a static, hardcoded cryptographic key for authenticating requests to its DNS API endpoints [S1][S2]. Because this key was identical across affected installations and embedded in the source, an attacker who knows the legacy key can bypass normal authorization for the DNS API [S2][S3].
Covered by FixVibe
FixVibe's verified active scan can confirm this exposure on authorized targets. The check looks for Netmaker-specific public service evidence, compares the DNS API's baseline unauthenticated response with a read-only authorization-boundary check, and reports only when the target returns DNS-record-shaped JSON from the protected path [S2][S3].
Findings are labeled as a confirmed exposure only when FixVibe verifies target-specific behavior. The finding evidence includes endpoint/status comparison, response shape, confidence, evidence posture, detection type, source quality, and what FixVibe did not verify. The check does not create, modify, or delete DNS records, and it does not claim the exact installed Netmaker version unless public version evidence is present.
Concrete Fixes
To remediate this vulnerability, administrators must upgrade their Netmaker installations to a patched version [S1][S2]:
- Upgrade to version 0.18.6 or later, where the issue is fully resolved [S1][S2].
- Alternatively, upgrade to version 0.17.1 [S1][S2]. If running version 0.17.1, administrators should follow the vendor's cleanup or key-rotation guidance to ensure legacy hardcoded keys are invalidated [S2][S3].
- Configure a unique DNS API key from a server-side secret source, update any dependent nameserver/CoreDNS integration, restart the service, and review DNS API logs plus DNS records for unexpected reads or changes.
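The root cause and the last fix step above, as an added Go sketch that is not Netmaker's or FixVibe's code: the service refuses to start unless a per-installation key is supplied from a server-side source, rejects a known legacy value, and compares tokens in constant time. The environment variable name, the bearer-token header format, the route, the port and the placeholder legacy value are all assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"os"
	"strings"
)

// Placeholder only: stands in for the legacy hardcoded value, which is not reproduced here.
const legacyPlaceholder = "PLACEHOLDER-LEGACY-KEY"

// LoadDNSKey validates a per-installation key read from a server-side secret source.
// It fails closed: there is no built-in default to fall back to.
func LoadDNSKey(v string) (string, error) {
	if v == legacyPlaceholder || len(v) < 32 {
		return "", errors.New("DNS API key is missing, too short, or a known legacy value")
	}
	return v, nil
}

// Authorized checks an Authorization header value against the configured key in constant time.
func Authorized(header, key string) bool {
	const prefix = "Bearer " // assumed header format
	if key == "" || !strings.HasPrefix(header, prefix) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(strings.TrimPrefix(header, prefix)), []byte(key)) == 1
}

func main() {
	key, err := LoadDNSKey(os.Getenv("EXAMPLE_DNS_API_KEY")) // assumed variable name
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	// Hypothetical route standing in for a protected DNS endpoint.
	http.HandleFunc("/example/dns", func(w http.ResponseWriter, r *http.Request) {
		if !Authorized(r.Header.Get("Authorization"), key) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprintln(w, "[]")
	})
	fmt.Fprintln(os.Stderr, http.ListenAndServe("127.0.0.1:8053", nil))
}
```

Started without the variable set, the program exits with an error instead of serving requests under a shared default, which is the behaviour the hardcoded key lacked.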
