It is possible to work around CVE-2017-15093 by disabling the ability to alter the configuration via the API by setting 'api-config-dir' to an empty value (default), or by marking the API read-only via the 'api-readonly' setting.
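A small configuration check for the workaround above, written here as an added example (not PowerDNS project code): it parses a recursor.conf-style file and reports whether API-driven configuration writes are blocked, treating an empty 'api-config-dir' or 'api-readonly=yes' as the mitigated state. It assumes the 'key=value' line format with '#' comments and PowerDNS's usual boolean spellings (yes/no, true/false, on/off, 1/0); the sample configurations are constructed.

```python
# Check whether a PowerDNS Recursor configuration applies the documented
# CVE-2017-15093 workaround: empty 'api-config-dir' (the default) or
# 'api-readonly=yes'. Added example; assumes 'key=value' lines with '#'
# comments and that a later line for the same key overrides an earlier one.

TRUE_VALUES = ("yes", "true", "on", "1")  # assumed boolean spellings


def parse_recursor_conf(text):
    """Return a dict of settings from recursor.conf-style text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumes values contain no '#'
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def api_config_writes_blocked(settings):
    """True when the API cannot alter the on-disk configuration."""
    config_dir = settings.get("api-config-dir", "")  # default is empty
    readonly = settings.get("api-readonly", "no").strip().lower() in TRUE_VALUES
    return config_dir == "" or readonly


def check_config(text):
    """Parse text and return (blocked, relevant settings) for reporting."""
    settings = parse_recursor_conf(text)
    relevant = {k: settings.get(k, "") for k in ("api-config-dir", "api-readonly")}
    return api_config_writes_blocked(settings), relevant


# Constructed sample configurations for demonstration.
WEAK_CONF = """
# API enabled and allowed to write configuration
webserver=yes
api-key=example-key-placeholder
api-config-dir=/etc/powerdns/api-config
api-readonly=no
"""

HARDENED_CONF = """
webserver=yes
api-key=example-key-placeholder
api-config-dir=/etc/powerdns/api-config
api-readonly=yes   # read-only API blocks configuration changes
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        blocked, relevant = check_config(conf)
        print(name, "blocked" if blocked else "EXPOSED", relevant)
```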
Impact
A remote, unauthenticated attacker can inject JavaScript code into the web interface, or can cause a denial of service via crafted DNSSEC signatures. An attacker in a man-in-the-middle position can also bypass DNSSEC validation via a crafted signature. In addition, a remote authenticated attacker with access to the API can inject unexpected directives into the configuration file.