Horizon Alert
Summary of the vulnerability and why it matters
This issue in dnsdist could allow an attacker to cause a denial of service or potentially access sensitive information. It occurs when custom Lua code processes a specially crafted cached response, leading to an out-of-bounds read.
- This impacts systems handling DNS traffic.
- It can lead to crashes or data leaks.
Attack Path
How an attacker could exploit the issue
An unauthenticated attacker could exploit this vulnerability by sending crafted DNS requests that trigger an out-of-bounds read in the packet cache. If custom Lua code processes cached responses, this read could crash the server (denial of service) or, if it reaches sensitive memory, disclose information.
- Network access is required.
- Triggered by crafted DNS responses.
- Lua scripting must be enabled.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability allows for an out-of-bounds read when custom Lua code interacts with cached DNS responses. Because the affected component, dnsdist, often operates at the network edge, it is frequently exposed to external, unauthenticated network traffic, making it a prime target for attackers. While there are no immediate indicators of active exploitation, the critical nature and network exposure suggest a high likelihood of weaponization.
- Exposed perimeter service.
- No known exploit in the wild.
- Recently disclosed.
Priority actions
Operational Fix
Recommended remediation, mitigation, and detection steps
Prioritize isolating or taking offline PowerDNS dnsdist instances using custom Lua code that calls `getDomainListByAddress()` or `getAddressListByDomain()` on packet caches. This vulnerability, rated critical, allows for an out-of-bounds read via a crafted response.
- Update dnsdist to 1.9.13 or 2.0.4.
- Monitor network traffic for unusual DNS responses.
- Temporarily disable Lua features if patching is delayed.
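An added triage helper (example code, not PowerDNS's own) that applies the two conditions above: it compares a reported dnsdist version against the fixed releases 1.9.13 and 2.0.4 and scans an instance's Lua configuration for calls to getDomainListByAddress() or getAddressListByDomain(). The sample configuration is constructed, and treating releases newer than 2.0.4 as patched is an assumption.

```python
import re
# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(1, 9): (1, 9, 13), (2, 0): (2, 0, 4)}
# The two packet-cache lookups the advisory names as the trigger.
CACHE_CALLS = re.compile(r"\b(getDomainListByAddress|getAddressListByDomain)\s*\(")

def parse_version(text):
    """'1.9.12' -> (1, 9, 12); trailing suffixes such as '-rc1' are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised dnsdist version: {text!r}")
    return tuple(int(x) for x in m.groups())

def fixed_status(version):
    """True/False on the 1.9 and 2.0 branches; assumption: newer than 2.0.4 is fixed; older branches -> None."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        return v >= fixed
    return True if v > (2, 0, 4) else None

def find_cache_calls(lua_config):
    """(line, function) pairs for the two lookups; Lua '--' line comments are ignored (a '--' inside a string is also cut)."""
    hits = []
    for lineno, line in enumerate(lua_config.splitlines(), 1):
        code = line.split("--", 1)[0]
        hits += [(lineno, m.group(1)) for m in CACHE_CALLS.finditer(code)]
    return hits

def assess(version, lua_config):
    """Triage verdict combining the running version and the Lua configuration."""
    status = fixed_status(version)
    if status is None:
        return "unknown-branch"
    if status:
        return "patched"
    if not find_cache_calls(lua_config):
        return "unpatched-no-cache-lookups"
    return "exposed"

# Constructed sample configuration; not taken from any real deployment.
SAMPLE_CONFIG = """\
pc = newPacketCache(10000, {maxTTL=86400})   -- cache shared by the default pool
getPool(""):setCache(pc)
-- pc:getAddressListByDomain(newDNSName("example.com"))  -- commented out, ignored
function maintenance()
  local doms = pc:getDomainListByAddress(newCA("192.0.2.1"))
end
"""
```

Run `assess(version, open("/etc/dnsdist/dnsdist.conf").read())` per host; "exposed" instances are the ones to isolate first, while "unpatched-no-cache-lookups" hosts still need the update.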