cbcvebase.
CVE-2020-25681
published 2021-01-20

CVE-2020-25681: A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data…

Priority: P2 (69), high
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 81.19% (99.6th percentile)
A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Affected

18 ranges

Vendor         | Product                                  | Version range                   | Fixed in
debian         | debian_linux                             |                                 |
debian         | debian_linux                             |                                 |
debian         | dnsmasq                                  | < dnsmasq 2.83-1 (bookworm)     | dnsmasq 2.83-1 (bookworm)
fedoraproject  | fedora                                   |                                 |
fedoraproject  | fedora                                   |                                 |
msrc           | cm1_dnsmasq_2.85-1_on_cbl_mariner_1.0    |                                 |
thekelleys     | dnsmasq                                  | < 2.83                          | 2.83
thekelleys     | dnsmasq                                  |                                 |
thekelleys     | dnsmasq                                  | >= 0 < 2.83-1                   | 2.83-1
thekelleys     | dnsmasq                                  | >= 0 < 2.83-1                   | 2.83-1
thekelleys     | dnsmasq                                  | >= 0 < 2.83-1                   | 2.83-1
thekelleys     | dnsmasq                                  | >= 0 < 2.83-1                   | 2.83-1
thekelleys     | dnsmasq                                  | >= 0 < 2.75-1ubuntu0.16.04.7    | 2.75-1ubuntu0.16.04.7
thekelleys     | dnsmasq                                  | >= 0 < 2.75-1ubuntu0.16.04.8    | 2.75-1ubuntu0.16.04.8
thekelleys     | dnsmasq                                  | >= 0 < 2.79-1ubuntu0.2          | 2.79-1ubuntu0.2
thekelleys     | dnsmasq                                  | >= 0 < 2.79-1ubuntu0.3          | 2.79-1ubuntu0.3
thekelleys     | dnsmasq                                  | >= 0 < 2.80-1.1ubuntu1.2        | 2.80-1.1ubuntu1.2
thekelleys     | dnsmasq                                  | >= 0 < 2.80-1.1ubuntu1.3        | 2.80-1.1ubuntu1.3

Detection & IOCs (extracted from sources)

process: dnsmasq --dnssec
  • The vulnerable function is sort_rrset() in dnssec.c; monitor for heap-based buffer overflows triggered via crafted DNS replies with manipulated RDLENGTH fields in RRSet responses when DNSSEC validation is enabled.
  • The overflow is triggered when RDLENGTH in a DNS reply is attacker-controlled; detect anomalously large or malformed RDLENGTH values in DNS responses directed at dnsmasq instances with DNSSEC enabled.
  • Exploitation requires dnsmasq compiled with HAVE_DNSSEC flag and DNSSEC enabled at runtime; audit deployments for the --dnssec flag or 'dnssec' option in dnsmasq configuration files as a prerequisite indicator.
  • Attack vector includes DNS cache poisoning via guessed transaction ID and source port; monitor for high-rate DNS response injection attempts (ID/port brute-force) targeting dnsmasq resolvers, consistent with the DNSpooq campaign.
  • This vulnerability is part of the 'DNSpooq' disclosure set; correlate detections with the other DNSpooq CVEs and Cisco Bug IDs CSCvv83232, CSCvw00918, CSCvx17339.
  • Vulnerability only affects dnsmasq instances compiled with HAVE_DNSSEC and running with DNSSEC enabled; RHEL 5, 6, and 7 ship dnsmasq without DNSSEC support and are not affected.
  • Fixed in dnsmasq version 2.83; versions prior to 2.83 with DNSSEC enabled are vulnerable.
  • OpenShift/OSD v4 uses CoreDNS (via the DNS operator) instead of dnsmasq and is not affected; OSD v3 uses dnsmasq on all masters and nodes and may be affected.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.1   | HIGH     | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 8.3   | HIGH     | AV:N/AC:M/Au:N/C:P/I:P/A:C
osv           |         | 8.1   | HIGH     |
vendor_cisco  |         | 8.1   | HIGH     |
vendor_debian |         | 8.1   | HIGH     |
vendor_msrc   |         | 8.1   | HIGH     |
vendor_redhat |         | 8.1   | HIGH     |
vendor_ubuntu |         | 3.7   | LOW      |