External DNS interaction

Description

User-controlled parameters caused the server to issue a DNS request. The ability to trigger a server-side DNS request is not in itself a vulnerability. However, it is a serious indication of a potentially high-risk vulnerability.

An attacker may leverage this functionality to send requests to remote systems for denial-of-service attacks or to exploit potential vulnerabilities remotely. It may also be possible to access internal systems that are protected by external network filtering.

Recommendation

Server-side triggered DNS requests might be the intended behavior. It is recommended to review the purpose of the service and evaluate the potential risks, such as participation in distributed denial-of-service (DDoS) attacks and interaction with remote services.

If this functionality is not the intended behavior, it is recommended to disable the service if possible, or to enforce whitelist-based filtering that blocks all unauthorized domains.
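
One way to enforce the whitelist-based filtering recommended above is to check the host of every user-supplied URL before any resolver or HTTP client sees it, so a rejected name never produces a DNS query. This is an added example, not part of the original page; the domain names, `ALLOWED_DOMAINS`, `normalize_host` and `is_allowed_target` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: replace with the domains the service legitimately needs.
ALLOWED_DOMAINS = {"api.partner.example", "cdn.example.org"}
ALLOWED_SCHEMES = {"http", "https"}


def normalize_host(host):
    """Lower-case, drop the trailing root dot, convert IDNs to ASCII form."""
    host = host.rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # malformed name (empty label, over-long label, ...)


def is_allowed_target(url, allowed=ALLOWED_DOMAINS):
    """Return True only if the URL's host is on the allowlist.

    The decision uses the parsed hostname, not a substring of the raw URL,
    so userinfo ("allowed@other-host") and suffix look-alikes are rejected.
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        return False  # unparseable netloc, e.g. unbalanced IPv6 brackets
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False
    host = normalize_host(host)
    if host is None:
        return False
    # Exact match, or a true subdomain on a label boundary; IP literals and
    # every name not listed fall through to False.
    return any(host == d or host.endswith("." + d) for d in allowed)


if __name__ == "__main__":
    for candidate in (
        "https://api.partner.example/v1",
        "http://api.partner.example@other.test/",
        "http://api.partner.example.other.test/",
        "http://169.254.169.254/latest",
    ):
        print(candidate, "->", is_allowed_target(candidate))
```

The same decision should be re-applied to every redirect target, because a client that follows redirects will otherwise resolve names the check never saw.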

Standards

  • PCI_STANDARDS:
    • REQ_1_2
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_11_3