Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Sliver has a DNS C2 OTP Bypass Allows Unauthenticated Session Flooding and Denial of Service
Vulnerability Description
Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.7.0, the DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when EnforceOTP is enabled. Because sessions are stored without a cleanup/expiry path in this flow, an unauthenticated remote actor can repeatedly create sessions and drive memory exhaustion. This vulnerability is fixed in 1.7.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
关键功能的认证机制缺失
Vulnerability Title
Sliver 资源管理错误漏洞
Vulnerability Description
Sliver是Bishop Fox开源的一个开源的跨平台对手模拟/红队框架。可以被各种规模的组织用来执行安全测试。 Sliver 1.7.0之前版本存在资源管理错误漏洞,该漏洞源于DNS C2侦听器接受未经验证的TOTP引导消息且未清理会话,可能导致内存耗尽。
CVSS Information
N/A
Vulnerability Type
N/A