CVE-2018-14663 : Security Advisory and Response

A vulnerability has been discovered in PowerDNS DNSDist prior to version 1.3.3 that allows a remote attacker to manipulate DNS queries, potentially leading to unauthorized data passing through the DNS firewall undetected.

Understanding CVE-2018-14663

PowerDNS DNSDist vulnerability impacting versions prior to 1.3.3.

What is CVE-2018-14663?

The vulnerability enables a remote attacker to insert additional data into a DNS query, potentially bypassing DNS firewall protections.
Exploitation occurs when specific parameters are used during backend configuration.

The Impact of CVE-2018-14663

CVSS Base Score: 5.9 (Medium Severity)
Attack Vector: Network
Integrity Impact: High
The vulnerability poses a risk of unauthorized data reaching the backend undetected, compromising the DNS firewall's filtering capabilities.

Technical Details of CVE-2018-14663

PowerDNS DNSDist vulnerability details.

Vulnerability Description

The flaw allows an attacker to include additional data in a DNS query, potentially evading detection by DNSDist.

Affected Systems and Versions

Product: dnsdist
Vendor: [UNKNOWN]
Versions Affected: 1.3.3

Exploitation Mechanism

Attack Complexity: High
Privileges Required: None
Scope: Unchanged
The vulnerability can be exploited remotely without requiring privileges.

Mitigation and Prevention

Protecting systems from CVE-2018-14663.

Immediate Steps to Take

Update PowerDNS DNSDist to version 1.3.3 or later to mitigate the vulnerability.
Avoid using the 'useClientSubnet' or 'addXPF' parameters in backend configurations.

Long-Term Security Practices

Regularly monitor and audit DNS traffic for anomalies.
Implement network segmentation to limit the impact of potential breaches.
Stay informed about security advisories and updates from PowerDNS.

Patching and Updates

Apply patches and updates provided by PowerDNS to address security vulnerabilities.