
[tor-relays] Advisory: Unauthenticated remote trigger of Hetzner's "Netscan" detection



CVSS v4.0 Score: 6 / Medium
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N


Hetzner aims to detect portscans originating inside its network and aimed at targets outside it, especially destinations not visible via BGP. When this outbound scan detection triggers on a given customer IP address, the customer receives an email:

"Netscan detected from host ..."

If the customer does not react in time, the customer's source IP is blocked from any further communication until the customer responds to the report. According to Hetzner, the block is enforced only after "manual verification".

Vulnerability Description
=========================

An unauthenticated remote attacker, who is able to trigger outbound packets from a given Hetzner customer source IP, can trigger the described portscan detection and block a Hetzner customer's Internet access if the customer does not respond to Hetzner in time.

Many services allow outbound packets to be provoked by design; a few popular examples:

* SMTP: various outbound checks performed for incoming emails (SPF, DKIM, DMARC, ...). The attacker can influence the outbound destinations by sending emails from domains under their control.
* DNS: Recursive resolvers are usually not directly exposed to the public, but other servers (SMTP, web servers, ...) might use resolvers located within the Hetzner network.
* Web applications can have features that allow users to trigger outbound connections to arbitrary destinations. Examples:
  * Link previews generated server side (for example on a fediverse server)
  * Server-side RSS readers
  * Server-Side Request Forgery (SSRF) weaknesses
* Tor relays
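As an added defender-side illustration (not part of the advisory and not Hetzner's code), one way a link-preview or RSS fetcher can bound user-triggered outbound fan-out so that a burst of attacker-chosen destinations cannot resemble a scan; the class name, thresholds and the sample addresses are assumptions.

```python
import ipaddress
import time
from collections import deque


class EgressGuard:
    """Cap the number of distinct destination IPs a server-side fetcher may
    contact per time window (hypothetical helper, thresholds are assumptions).
    Denied requests are refused outright rather than queued."""

    def __init__(self, max_distinct=20, window_s=60.0, clock=time.monotonic):
        self.max_distinct = max_distinct
        self.window_s = window_s
        self.clock = clock
        self._seen = deque()  # (timestamp, ip) pairs in arrival order

    def _expire(self, now):
        # Drop entries older than the window from the left of the deque.
        while self._seen and now - self._seen[0][0] > self.window_s:
            self._seen.popleft()

    def allow(self, dest_ip: str) -> bool:
        """Return True if a connection to dest_ip may be opened now."""
        ip = ipaddress.ip_address(dest_ip)
        # User-supplied URLs must never steer connections into non-public
        # space (RFC 1918, loopback, link-local, reserved ranges).
        if not ip.is_global:
            return False
        now = self.clock()
        self._expire(now)
        distinct = {seen_ip for _, seen_ip in self._seen}
        if ip not in distinct and len(distinct) >= self.max_distinct:
            return False  # fan-out budget for this window is exhausted
        self._seen.append((now, ip))
        return True


def simulate(events, max_distinct=3, window_s=60.0):
    """Replay constructed (seconds, dest_ip) events through one guard with a
    controllable clock and return the allow/deny decision for each event."""
    now = [0.0]
    guard = EgressGuard(max_distinct, window_s, clock=lambda: now[0])
    decisions = []
    for t, ip in events:
        now[0] = t
        decisions.append(guard.allow(ip))
    return decisions
```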

It is NOT possible to exploit this by source IP spoofing alone (sending packets with source IPs from prefixes not announced via BGP); a service on the target system that can be made to emit outbound packets is required.

Impact
======

An unauthenticated remote attacker can, in the worst case, block a Hetzner customer's server Internet access and take all services offline (denial of service) until the block is removed.

If a host has multiple source IP addresses, only the actually used source IP address is blocked.
The integrity and confidentiality of the system are NOT affected.

Timeline
========

* 2026-01-04: Advisory is sent to security@xxxxxxxxxxx - including the intended release date of the advisory (2026-02-05).
* 2026-01-13: Asked Hetzner for an update via email
* 2026-01-27: Sent Advisory to bsi.bund.de
* 2026-01-28: Hetzner answered: According to Hetzner it is a customer responsibility to deal with this.
* 2026-01-28: We asked Hetzner to clarify how their customers should mitigate this risk if it is their responsibility (no answer).
* 2026-02-06: Reply from Hetzner stating that this cannot be exploited via source IP spoofing - which we did not claim.
* 2026-02-06: We offer a call to clarify the issue
* 2026-02-06: Hetzner reply: they will get back to us on 2026-02-10
* 2026-02-06: Advisory publication is postponed due to ongoing emails.
* 2026-02-10: Clarify that no source IP address spoofing is involved.
* 2026-02-12: Asked Hetzner if they have any further questions and if they have any feedback on the advisory release date (no answer).
* 2026-03-01: Advisory is released.


Credits
=======

We did not discover this and we do not take any credits for the discovery of this issue.

This issue was discovered because the Netscan detection also triggered during BGP outages in which some IP prefixes were no longer visible via BGP. Some Hetzner customers were affected by these BGP outages, which caused Netscan detections.
_______________________________________________
tor-relays mailing list -- tor-relays@xxxxxxxxxxxxxxxxxxxx