CVE-2020-25682
published 2021-01-20


Priority: P2 68 · high · CVSS 3.1 base score 8.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 70.75% (99.3rd percentile)
A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extracts names from DNS packets before validating them with DNSSEC data. An attacker on the network who can create valid DNS replies could use this flaw to overflow heap-allocated memory with arbitrary data, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed to by name, assuming MAXDNAME*2 bytes are available in the buffer. However, on some code paths extract_name() is passed an offset into the base buffer, which in practice reduces the number of bytes that can safely be written. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
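To make the capacity mismatch concrete, here is a small C model added for this page; it is not dnsmasq's extract_name(), and it leaves out compression pointers and all DNSSEC handling. The callee decodes uncompressed wire labels into a dotted name and bounds-checks against a fixed NAME_CAP (MAXDNAME*2, with MAXDNAME taken as 1025 as an assumption about dnsmasq's constant) no matter where the caller's pointer sits; the caller hands it a pointer `offset` bytes into its own buffer, which is the pattern the description blames. A canary region inside the same allocation makes the write past the nominal end observable, and a variant that takes the remaining capacity refuses the same input. The wire name and the offset are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXDNAME 1025            /* assumption: stand-in for dnsmasq's presentation-name limit */
#define NAME_CAP (MAXDNAME * 2)  /* capacity the callee silently assumes at `name`             */
#define SLACK    256             /* canary bytes placed after the nominal end of the buffer   */

/* Decode uncompressed wire-format labels into a dotted name, checking every
 * write against `cap` bytes available at `name`. Returns the name length
 * (without the NUL) or -1 on a malformed label or if the name does not fit.
 * Constructed model only: no compression pointers, no DNSSEC. */
static int decode_name(const uint8_t *pkt, size_t pktlen, char *name, size_t cap)
{
    size_t in = 0, out = 0;
    for (;;) {
        if (in >= pktlen) return -1;                   /* ran off the packet   */
        size_t len = pkt[in++];
        if (len == 0) break;                           /* root label           */
        if (len > 63 || in + len > pktlen) return -1;  /* bad or truncated     */
        if (out + len + 1 >= cap) return -1;           /* label + '.' + NUL    */
        memcpy(name + out, pkt + in, len);
        out += len;
        name[out++] = '.';
        in += len;
    }
    if (out >= cap) return -1;
    name[out] = '\0';
    return (int)out;
}

/* Vulnerable shape: no capacity parameter, so the callee checks against
 * NAME_CAP even when `name` already points deep into the caller's buffer. */
int extract_name_fixed(const uint8_t *pkt, size_t pktlen, char *name)
{
    return decode_name(pkt, pktlen, name, NAME_CAP);
}

/* Hardened shape: the caller states how many bytes really remain at `name`. */
int extract_name_bounded(const uint8_t *pkt, size_t pktlen, char *name, size_t remaining)
{
    return decode_name(pkt, pktlen, name, remaining);
}

/* Constructed input: `labels` labels of `lablen` bytes each, then the root. */
static size_t build_wire_name(uint8_t *buf, size_t buflen, size_t labels, size_t lablen)
{
    size_t p = 0;
    for (size_t i = 0; i < labels; i++) {
        if (p + 1 + lablen + 1 > buflen) return 0;
        buf[p++] = (uint8_t)lablen;
        memset(buf + p, 'a' + (int)(i % 26), lablen);
        p += lablen;
    }
    buf[p++] = 0;
    return p;
}

/* Allocate NAME_CAP + SLACK, point the callee `offset` bytes into it, and count
 * how many canary bytes past the nominal end changed. The canary is inside the
 * same allocation, so the overrun is observable without undefined behaviour. */
static int run_variant(int bounded, size_t offset, long *clobbered)
{
    uint8_t wire[512];
    size_t wlen = build_wire_name(wire, sizeof wire, 2, 49);  /* 100-char name */
    char *base = malloc(NAME_CAP + SLACK);
    if (!base || wlen == 0 || offset > NAME_CAP) { free(base); return -1; }
    memset(base, 0, NAME_CAP);
    memset(base + NAME_CAP, 'C', SLACK);

    int rc = bounded
        ? extract_name_bounded(wire, wlen, base + offset, NAME_CAP - offset)
        : extract_name_fixed(wire, wlen, base + offset);

    *clobbered = 0;
    for (size_t i = 0; i < SLACK; i++)
        if (base[NAME_CAP + i] != 'C') (*clobbered)++;
    free(base);
    return rc;
}

int  rc_fixed(size_t offset)              { long c; return run_variant(0, offset, &c); }
int  rc_bounded(size_t offset)            { long c; return run_variant(1, offset, &c); }
long overrun_bytes_fixed(size_t offset)   { long c = -1; run_variant(0, offset, &c); return c; }
long overrun_bytes_bounded(size_t offset) { long c = -1; run_variant(1, offset, &c); return c; }

int main(void)
{
    size_t offset = NAME_CAP - 40;   /* 40 bytes really remain; the callee believes NAME_CAP */
    printf("fixed-cap variant:  rc=%d, canary bytes overwritten=%ld\n",
           rc_fixed(offset), overrun_bytes_fixed(offset));
    printf("bounded variant:    rc=%d, canary bytes overwritten=%ld\n",
           rc_bounded(offset), overrun_bytes_bounded(offset));
    return 0;
}
```

With the output pointer 2010 bytes into a 2050-byte buffer, the fixed-capacity variant accepts a 100-character name (rc 100) and 61 of its 101 bytes land past the nominal end, whereas the bounded variant returns -1 and writes nothing. The fix shape is the point: a decoder that writes into a caller's buffer must receive the remaining capacity at the pointer it is given, not infer it from a global constant.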

Affected

18 ranges

Vendor        | Product                                | Version range                   | Fixed in
debian        | debian_linux                           |                                 |
debian        | debian_linux                           |                                 |
debian        | dnsmasq                                | < dnsmasq 2.83-1 (bookworm)     | dnsmasq 2.83-1 (bookworm)
fedoraproject | fedora                                 |                                 |
fedoraproject | fedora                                 |                                 |
msrc          | cm1_dnsmasq_2.85-1_on_cbl_mariner_1.0  |                                 |
thekelleys    | dnsmasq                                | < 2.83                          | 2.83
thekelleys    | dnsmasq                                |                                 |
thekelleys    | dnsmasq                                | >= 0, < 2.83-1                  | 2.83-1
thekelleys    | dnsmasq                                | >= 0, < 2.83-1                  | 2.83-1
thekelleys    | dnsmasq                                | >= 0, < 2.83-1                  | 2.83-1
thekelleys    | dnsmasq                                | >= 0, < 2.83-1                  | 2.83-1
thekelleys    | dnsmasq                                | >= 0, < 2.75-1ubuntu0.16.04.7   | 2.75-1ubuntu0.16.04.7
thekelleys    | dnsmasq                                | >= 0, < 2.75-1ubuntu0.16.04.8   | 2.75-1ubuntu0.16.04.8
thekelleys    | dnsmasq                                | >= 0, < 2.79-1ubuntu0.2         | 2.79-1ubuntu0.2
thekelleys    | dnsmasq                                | >= 0, < 2.79-1ubuntu0.3         | 2.79-1ubuntu0.3
thekelleys    | dnsmasq                                | >= 0, < 2.80-1.1ubuntu1.2       | 2.80-1.1ubuntu1.2
thekelleys    | dnsmasq                                | >= 0, < 2.80-1.1ubuntu1.3       | 2.80-1.1ubuntu1.3

Detection & IOCs (extracted from sources)

path: rfc1035.c:extract_name()
url: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a
  • The vulnerability is only triggerable when dnsmasq is compiled with the HAVE_DNSSEC flag AND DNSSEC is actively enabled at runtime (e.g. via --dnssec option). Systems without DNSSEC support compiled in (RHEL 5/6/7 stock packages) are not affected.
  • The attack vector requires the attacker to be able to create or inject valid DNS replies — either by controlling an upstream DNS server used in resolution, or by injecting packets on the network (e.g. guessing the DNS transaction ID and source port). Monitor for anomalous DNS reply traffic targeting dnsmasq resolvers.
  • If dnsmasq is operating as an Open Resolver (accepting requests from the whole Internet), exploitation requires no user interaction. Audit dnsmasq deployments for open-resolver configuration as a high-risk indicator.
  • This CVE is part of the 'DNSpooq' vulnerability cluster disclosed January 19, 2021. Detections or threat intel referencing DNSpooq should be correlated with this CVE.
  • Cisco Bug IDs CSCvv83232, CSCvw00918, and CSCvx17339 track affected Cisco products. Use these IDs to identify vulnerable Cisco devices in the environment.
  • The only known mitigation (short of patching to dnsmasq 2.83+) is to disable DNSSEC by removing the --dnssec command line option or the dnssec option from the dnsmasq configuration file.
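The bullets above reduce to a three-part triage: an upstream version before 2.83, DNSSEC compiled in, and DNSSEC switched on at runtime. The C helper below is added for this page and is not part of dnsmasq or of any vendor advisory. It applies those rules to the text of `dnsmasq --version` (whose "Compile time options:" line lists DNSSEC, or no-DNSSEC when the HAVE_DNSSEC build flag was off), to the effective configuration text, and to the process command line. All banners and config snippets are constructed samples. It is kept in C to match the page's other example; the same checks port directly to a shell inventory script.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs, not captured from real hosts. */
static const char BANNER_OLD[] =
    "Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley\n"
    "Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP "
    "conntrack ipset auth DNSSEC loop-detect inotify\n";
static const char BANNER_NO_DNSSEC[] =
    "Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley\n"
    "Compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP "
    "no-conntrack ipset auth no-DNSSEC loop-detect inotify\n";
static const char BANNER_FIXED[] =
    "Dnsmasq version 2.83  Copyright (c) 2000-2021 Simon Kelley\n"
    "Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP "
    "conntrack ipset auth DNSSEC loop-detect inotify\n";
static const char CONF_ON[]  = "# validate upstream answers\nserver=192.0.2.53\n"
                               "conf-file=/usr/share/dnsmasq/trust-anchors.conf\n  dnssec  \n";
static const char CONF_OFF[] = "server=192.0.2.53\ndnssec-check-unsigned\n";

/* True if `tok` occurs in `s` as a whitespace-delimited word, so "DNSSEC" does not
 * match inside "no-DNSSEC" and "--dnssec" does not match "--dnssec-check-unsigned". */
static int has_word(const char *s, const char *tok)
{
    size_t n = strlen(tok);
    for (const char *p = strstr(s, tok); p; p = strstr(p + 1, tok)) {
        int starts = (p == s) || isspace((unsigned char)p[-1]);
        int ends = p[n] == '\0' || isspace((unsigned char)p[n]);
        if (starts && ends) return 1;
    }
    return 0;
}

/* 1 if the build lists DNSSEC among its compile-time options. */
int banner_has_dnssec(const char *banner)
{
    const char *opts = strstr(banner, "Compile time options:");
    return opts ? has_word(opts, "DNSSEC") : 0;
}

/* Parses "Dnsmasq version X.Y"; 1 if X.Y < 2.83, 0 if not, -1 if unparsable. */
int version_before_fix(const char *banner)
{
    int major, minor;
    const char *v = strstr(banner, "version ");
    if (!v || sscanf(v + 8, "%d.%d", &major, &minor) != 2) return -1;
    return major < 2 || (major == 2 && minor < 83);
}

/* 1 if some config line, after trimming whitespace, is exactly "dnssec". Only that
 * option turns validation on; dnssec-check-unsigned and friends do not. */
int config_enables_dnssec(const char *config)
{
    for (const char *line = config; *line; ) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        size_t s = 0, e = len;
        while (s < e && isspace((unsigned char)line[s])) s++;
        while (e > s && isspace((unsigned char)line[e - 1])) e--;
        if (e - s == 6 && strncmp(line + s, "dnssec", 6) == 0) return 1;
        if (!end) break;
        line = end + 1;
    }
    return 0;
}

/* 1 if the space-joined argv carries a bare --dnssec. */
int cmdline_enables_dnssec(const char *cmdline) { return has_word(cmdline, "--dnssec"); }

/* Verdict: 2 = exposed (pre-2.83, DNSSEC built in and enabled); 1 = latent (DNSSEC
 * built in but not enabled, i.e. the fix-less mitigation already holds); 0 = not
 * reachable by this CVE; -1 = banner could not be parsed. */
int assess(const char *banner, const char *config, const char *cmdline)
{
    int old = version_before_fix(banner);
    if (old < 0) return -1;
    if (!old || !banner_has_dnssec(banner)) return 0;
    return (config_enables_dnssec(config) || cmdline_enables_dnssec(cmdline)) ? 2 : 1;
}

int main(void)
{
    printf("2.80 + DNSSEC + dnssec in conf      -> %d\n", assess(BANNER_OLD, CONF_ON, "dnsmasq -k"));
    printf("2.80 + DNSSEC + --dnssec on cmdline -> %d\n", assess(BANNER_OLD, CONF_OFF, "dnsmasq -k --dnssec"));
    printf("2.80 + DNSSEC, not enabled          -> %d\n", assess(BANNER_OLD, CONF_OFF, "dnsmasq -k"));
    printf("2.76 built without DNSSEC           -> %d\n", assess(BANNER_NO_DNSSEC, CONF_ON, "dnsmasq -k"));
    printf("2.83 fixed                          -> %d\n", assess(BANNER_FIXED, CONF_ON, "dnsmasq -k"));
    return 0;
}
```

Two caveats when using this against real hosts. The banner carries the upstream version only: the Ubuntu rows in the Affected table (2.79-1ubuntu0.2, 2.80-1.1ubuntu1.2 and so on) ship the fix at an older upstream number, so for distribution packages compare the package version against the vendor's fixed-in column rather than trusting the "< 2.83" rule. And the configuration dnsmasq actually loads may span conf-file and conf-dir includes, so concatenate those before feeding the text to config_enables_dnssec().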

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.1   | HIGH     | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 8.3   | HIGH     | AV:N/AC:M/Au:N/C:P/I:P/A:C
osv           |         | 8.1   | HIGH     |
vendor_cisco  |         | 8.1   | HIGH     |
vendor_debian |         | 8.1   | HIGH     |
vendor_msrc   |         | 8.1   | HIGH     |
vendor_redhat |         | 8.1   | HIGH     |
vendor_ubuntu |         | 3.7   | LOW      |