CVE-2020-25684
Published: 2021-01-20
Priority: P4
Severity: low (CVSS 3.1 base score 3.7; vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS: 4.04% (89.3th percentile)
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
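The matching flaw described above, as an added model that is not dnsmasq's own code: a loose matcher that only confirms the reply's address/port pair is in use by some pending query, beside a strict matcher that ties every attribute to one specific query as RFC 5452 requires. The Query/Reply types, the addresses, ports and transaction IDs are constructed for illustration; `count_accepted` enumerates all 16-bit transaction IDs against the address/port pairs in use to show how much smaller the accepted space is under the loose check.

```python
"""Model of how a DNS forwarder matches an upstream reply to a pending forwarded
query. Added illustration, not dnsmasq's code: it contrasts the loose check
described for CVE-2020-25684 (the reply's address/port only has to belong to
*some* pending query) with the RFC 5452 rule that every attribute of the
original query must match the reply."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit DNS transaction ID chosen when forwarding
    qname: str
    qtype: int
    upstream: str    # upstream server the query was sent to
    sport: int       # local source port used for this single query


@dataclass(frozen=True)
class Reply:
    txid: int
    qname: str
    qtype: int
    src: str         # address the reply arrived from
    dport: int       # local port the reply arrived on


Matcher = Callable[[List[Query], Reply], Optional[Query]]


def match_loose(pending: List[Query], reply: Reply) -> Optional[Query]:
    """Loose check modelled on the flaw: confirm that the reply's address/port
    pair is in use by *any* pending query, then pick the query by transaction
    ID, name and type alone. The pair is never tied to the query it selects."""
    in_use = {(q.upstream, q.sport) for q in pending}
    if (reply.src, reply.dport) not in in_use:
        return None
    for q in pending:
        if (q.txid == reply.txid and q.qname.lower() == reply.qname.lower()
                and q.qtype == reply.qtype):
            return q
    return None


def match_strict(pending: List[Query], reply: Reply) -> Optional[Query]:
    """RFC 5452 style: transaction ID, name, type, upstream address and the
    port the query was sent from must all belong to the same pending query."""
    for q in pending:
        key = (q.txid, q.qname.lower(), q.qtype, q.upstream, q.sport)
        if key == (reply.txid, reply.qname.lower(), reply.qtype, reply.src, reply.dport):
            return q
    return None


def count_accepted(pending: Iterable[Query], matcher: Matcher, qname: str,
                   qtype: int = 1) -> int:
    """Count the (txid, source address, port) combinations the matcher accepts
    for a reply carrying the given name, trying every 16-bit transaction ID
    against every address/port pair currently in use. The loose/strict ratio
    is the factor by which the loose check shrinks the space a forged reply
    must hit; a defender wants this ratio to be 1."""
    pending = list(pending)
    pairs = sorted({(q.upstream, q.sport) for q in pending})
    accepted = 0
    for txid in range(0x10000):
        for src, dport in pairs:
            if matcher(pending, Reply(txid, qname, qtype, src, dport)) is not None:
                accepted += 1
    return accepted


# Constructed sample state: three outstanding forwarded queries, each sent
# from its own source port, two of them for the same name.
PENDING = [
    Query(0x1234, "example.com", 1, "192.0.2.1", 40001),
    Query(0x5678, "example.com", 1, "192.0.2.2", 40002),
    Query(0x9ABC, "example.net", 1, "192.0.2.1", 40003),
]

# A reply whose transaction ID belongs to the first query but whose
# address/port pair belongs to the second: the loose check still attributes
# it to the first query, the strict check rejects it.
MISMATCHED = Reply(0x1234, "example.com", 1, "192.0.2.2", 40002)
# A reply whose attributes all belong to the second query.
GENUINE = Reply(0x5678, "example.com", 1, "192.0.2.2", 40002)

if __name__ == "__main__":
    print("loose :", match_loose(PENDING, MISMATCHED))
    print("strict:", match_strict(PENDING, MISMATCHED))
    for label, matcher in (("loose", match_loose), ("strict", match_strict)):
        print(label, "accepts", count_accepted(PENDING, matcher, "example.com"),
              "combinations for example.com")
```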
Affected (23 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arista | eos | >= 4.21 < 4.21.14m | 4.21.14m |
| arista | eos | >= 4.22 < 4.22.9m | 4.22.9m |
| arista | eos | >= 4.23 < 4.23.7m | 4.23.7m |
| arista | eos | >= 4.24 < 4.24.5m | 4.24.5m |
| arista | eos | >= 4.25 < 4.25.2f | 4.25.2f |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | dnsmasq | < dnsmasq 2.83-1 (bookworm) | dnsmasq 2.83-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | cm1_dnsmasq_2.85-1_on_cbl_mariner_1.0 | — | — |
| thekelleys | dnsmasq | < 2.83 | 2.83 |
| thekelleys | dnsmasq | — | — |
| thekelleys | dnsmasq | >= 0 < 2.83-1 | 2.83-1 |
| thekelleys | dnsmasq | >= 0 < 2.83-1 | 2.83-1 |
| thekelleys | dnsmasq | >= 0 < 2.83-1 | 2.83-1 |
| thekelleys | dnsmasq | >= 0 < 2.83-1 | 2.83-1 |
| thekelleys | dnsmasq | >= 0 < 2.75-1ubuntu0.16.04.7 | 2.75-1ubuntu0.16.04.7 |
| thekelleys | dnsmasq | >= 0 < 2.75-1ubuntu0.16.04.8 | 2.75-1ubuntu0.16.04.8 |
| thekelleys | dnsmasq | >= 0 < 2.79-1ubuntu0.2 | 2.79-1ubuntu0.2 |
| thekelleys | dnsmasq | >= 0 < 2.79-1ubuntu0.3 | 2.79-1ubuntu0.3 |
| thekelleys | dnsmasq | >= 0 < 2.80-1.1ubuntu1.2 | 2.80-1.1ubuntu1.2 |
| thekelleys | dnsmasq | >= 0 < 2.80-1.1ubuntu1.3 | 2.80-1.1ubuntu1.3 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd v3.1 | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | 3.7 | LOW | |
| vendor_cisco | 8.1 | HIGH | |
| vendor_debian | 3.7 | LOW | |
| vendor_msrc | 3.7 | LOW | |
| vendor_redhat | 3.7 | LOW | |
| vendor_ubuntu | 3.7 | LOW | |
CISA ICS
dnsmasq by Simon Kelley (Update A)
cisa_ics·2021-03-09·CVSS 8.1
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
Last Revised: March 09, 2021
Alert Code: ICSA-21-019-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.1
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: dnsmasq by Simon Kelley
- Equipment: dnsmasq
- Vulnerabilities: Heap-based Buffer Overflow, Insufficient Verification of Data Authenticity, Use of a Broken or Risky Cryptographic Algorithm
CISA is aware of a public report, known as “DNSpooq” that details vulnerabilities found in dnsmasq, a prevalent lightweight DNS and DHCP server developed and maintained by Simon Kelley. CISA is i
Ubuntu
Dnsmasq regression
vendor_ubuntu·2021-02-24·CVSS 3.7
Title: Dnsmasq regression
Summary: USN-4698-1 introduced regressions in Dnsmasq.
USN-4698-1 fixed vulnerabilities in Dnsmasq. The updates introduced
regressions in certain environments related to issues with multiple
queries, and issues with retries. This update fixes the problem.
Original advisory details:
Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled
memory when sorting RRsets. A remote attacker could use this issue to cause
Dnsmasq to hang, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2020-25681, CVE-2020-25687)
Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled
extracting certain names. A remote attacker could use this issue to cause
Dnsmasq to hang, resulting in a denial of service, or possibly execute
Red Hat
dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker
vendor_redhat·2021-01-19·CVSS 3.7
CVE-2020-25685 [LOW] CWE-326 dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw co
Cisco
Multiple Vulnerabilities in dnsmasq DNS Forwarder Affecting Cisco Products: January 2021
vendor_cisco·2021-01-19·CVSS 8.1
CVE-2020-25681 [HIGH] CWE-340 Multiple Vulnerabilities in dnsmasq DNS Forwarder Affecting Cisco Products: January 2021
A set of previously unknown vulnerabilities in the DNS forwarder implementation of dnsmasq were disclosed on January 19, 2021. The vulnerabilities are collectively known as DNSpooq.
Exploitation of these vulnerabilities could result in remote code execution or denial of service (DoS), or may allow an attacker to more easily forge DNS answers that can poison DNS caches, depending on the specific vulnerability.
Multiple Cisco products are affected by these vulnerabilities.
Cisco will release software updates that address these vulnerabilities. Any workarounds for a specific Cisco product or service will be documented in the relevant Cisco bugs, which are identified in the Vulnerable Products section of
Red Hat
dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker
vendor_redhat·2021-01-19·CVSS 3.7
CVE-2020-25686 [LOW] CWE-290 dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker
A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the "Birthday Attacks" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is
Red Hat
dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker
vendor_redhat·2021-01-19·CVSS 3.7
CVE-2020-25684 [LOW] CWE-358 dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack comple
Ubuntu
Dnsmasq vulnerabilities
vendor_ubuntu·2021-01-19·CVSS 3.7
Title: Dnsmasq vulnerabilities
Summary: Several security issues were fixed in Dnsmasq.
Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled
memory when sorting RRsets. A remote attacker could use this issue to cause
Dnsmasq to hang, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2020-25681, CVE-2020-25687)
Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled
extracting certain names. A remote attacker could use this issue to cause
Dnsmasq to hang, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2020-25682, CVE-2020-25683)
Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly
implemented address/port checks. A remote attacker could use this issue to
perform a cache poisoning attack.
Microsoft
CVE-2020-25686 [LOW] CWE-358
vendor_msrc·2021-01-12·CVSS 3.7
A flaw was found in dnsmasq before version 2.83. When receiving a query dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default a maximum of 150 pending queries can be sent to upstream servers so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the "Birthday Attacks" section of RFC5452. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is
Microsoft
CVE-2020-25685 [LOW] CWE-326
vendor_msrc·2021-01-12·CVSS 3.7
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query dnsmasq checks in forward.c:reply_query() which is the forwarded query that matches the reply by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452 which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of
Microsoft
CVE-2020-25684 [LOW] CWE-358
vendor_msrc·2021-01-12·CVSS 3.7
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However it does not use the address/port to retrieve the exact forwarded query substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452 which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686 the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
Debian
CVE-2020-25684 [LOW]: dnsmasq
vendor_debian·2020·CVSS 3.7
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
S
Debian
CVE-2020-25686 [LOW]: dnsmasq
vendor_debian·2020·CVSS 3.7
A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the "Birthday Attacks" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
Scope: local
bookworm: resolved (fixed in 2.83-1)
bullseye: resolved (fixed in 2.83-1)
fo
Debian
CVE-2020-25685 [LOW]: dnsmasq
vendor_debian·2020·CVSS 3.7
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complex
Cisco
Multiple Vulnerabilities in dnsmasq DNS Forwarder Affecting Cisco Products: January 2021
vendor_cisco·CVSS 3.1
CVE-2020-25684 Multiple Vulnerabilities in dnsmasq DNS Forwarder Affecting Cisco Products: January 2021
A set of previously unknown vulnerabilities in the DNS forwarder implementation of dnsmasq were disclosed on January 19, 2021. The vulnerabilities are collectively known as DNSpooq . Exploitation of these vulnerabilities could result in remote code execution or denial of service (DoS), or may allow an attacker to more easily forge DNS answers that can poison DNS caches, depending on the specific vulnerability. Multiple Cisco products are affected by these vulnerabilities. Cisco will release software updates that address these vulnerabilities. Any
CVSS: 3.1
CWE: CWE-340
Bug IDs: CSCvv83232, CSCvw00918, CSCvx17339
GHSA
GHSA-9xp3-mp9c-47rf
ghsa_unreviewed·2022-05-24·CVSS 3.7
CVE-2020-25686 [LOW] CWE-290
A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the "Birthday Attacks" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
GHSA
GHSA-xqvc-9mc9-4fgx
ghsa_unreviewed·2022-05-24·CVSS 3.7
CVE-2020-25684 [LOW] CWE-358
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
GHSA
GHSA-9gxq-wfg7-72x4
ghsa_unreviewed·2022-05-24·CVSS 3.7
CVE-2020-25685 [LOW] CWE-326
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complex
OSV
dnsmasq regression
osv·2021-02-24·CVSS 3.7
USN-4698-1 fixed vulnerabilities in Dnsmasq. The updates introduced
regressions in certain environments related to issues with multiple
queries, and issues with retries. This update fixes the problem.
Original advisory details:
Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled
memory when sorting RRsets. A remote attacker could use this issue to cause
Dnsmasq to hang, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2020-25681, CVE-2020-25687)
Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled
extracting certain names. A remote attacker could use this issue to cause
Dnsmasq to hang, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2020-25682, CVE-2020-25683)
Moshe Kol an
OSV
CVE-2020-25685 [LOW]
osv·2021-01-20·CVSS 3.7
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complex
OSV
CVE-2020-25684 [LOW]
osv·2021-01-20·CVSS 3.7
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
OSV
CVE-2020-25686 [LOW]
osv·2021-01-20·CVSS 3.7
A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the "Birthday Attacks" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
OSV
dnsmasq vulnerabilities
osv·2021-01-19·CVSS 3.7
CVE-2020-25681 [LOW] dnsmasq vulnerabilities
Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled
memory when sorting RRsets. A remote attacker could use this issue to cause
Dnsmasq to hang, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2020-25681, CVE-2020-25687)
Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled
extracting certain names. A remote attacker could use this issue to cause
Dnsmasq to hang, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2020-25682, CVE-2020-25683)
Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly
implemented address/port checks. A remote attacker could use this issue to
perform a cache poisoning attack. (CVE-2020-25684)
Moshe Kol and Shlomi Oberman discovered that
No detection rules found.
No public exploits indexed.
Unit42
Overview of dnsmasq Vulnerabilities: The Dangers of DNS Cache Poisoning
blogs_unit42·2021-03-08
## Executive Summary
DNS masquerade (dnsmasq) is a widely used open source DNS resolver. While one might not be familiar with dnsmasq by name, it is used by many projects and hardware firmwares around the world, from Kubernetes to routers and other products.
Over the years, multiple critical vulnerabilities have been found in dnsmasq. Recently, security researchers discovered new issues that continue to make dnsmasq vulnerable. These vulnerabilities can lead to DNS cache poisoning, denial of service (DoS) and possibly remote code execution (RCE). In this blog, I will review these vulnerabilities in dnsmasq, with a deep dive on DNS cache poisoning. I will also cover the effect such issues have on cloud products such as Kubernetes.
Palo Alto Networks customers are protected from the attac
Unit42
Overview of dnsmasq Vulnerabilities: The Dangers of DNS Cache Poisoning
blogs_unit42·2021-03-08
Daniel Prizmant
Published: March 8, 2021
Tenable
DNSpooq: Seven Vulnerabilities Identified in dnsmasq
blogs_tenable·2021-01-20
Bugzilla
CVE-2020-25684 dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker
bugzilla·2020-10-20·CVSS 3.7
When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query() if the reply destination address/port is one of those used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies the attributes of a query that all must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack.
Discussion:
OSD3 is using dnsmasq, which is shipped with rhel-7, with no security wrapping.
References:
- https://bugzilla.redhat.com/show_bug.cgi?id=1889686
- https://lists.debian.org/debian-lts-announce/2021/03/msg00027.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGB7HL3OWHTLEPSMLDGOMXQKG3KM2QME/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYW3IR6APUSKOYKL5FT3ACTIHWHGQY32/
- https://security.gentoo.org/glsa/202101-17
- https://www.arista.com/en/support/advisories-notices/security-advisories/12135-security-advisory-61
- https://www.debian.org/security/2021/dsa-4844
- https://www.jsof-tech.com/disclosures/dnspooq/
- https://www.kb.cert.org/vuls/id/434904