#VU38443 Cross-site request forgery in dnsdist - CVE-2017-7557

Cybersecurity Help s.r.o.

Published: 2017-08-22 | Updated: 2023-07-03

Vulnerability identifier: #VU38443

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-7557

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
dnsdist
Server applications / Other server solutions

Vendor: PowerDNS.COM B.V.

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation
Install update from vendor's website.

Vulnerable software versions

dnsdist: 1.1.0

External links
https://www.securityfocus.com/bid/100508
https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-02.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for dnsdist

Cross-site request forgery in dnsdist

Fedora 26 update for dnsdist

Fedora 25 update for dnsdist

Fedora EPEL 7 update for dnsdist