CVE-2020-25684 — Improperly Implemented Security Check for Standard in Dnsmasq
Severity
3.7LOWNVD
EPSS
0.3%
top 50.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJan 20
Latest updateMay 24
Description
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a qu…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 2.2 | Impact: 1.4
Affected Packages4 packages
Also affects: Debian Linux 10.0, 9.0, Fedora 32, 33
Patches
🔴Vulnerability Details
4📋Vendor Advisories
7Cisco
▶
Red Hat▶
dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker↗2021-01-19
Microsoft▶
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending ↗2021-01-12
Microsoft▶
A flaw was found in dnsmasq before version 2.83. When receiving a query dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default a maximum of 150↗2021-01-12
💬Community
1Bugzilla▶
CVE-2020-25684 dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker↗2020-10-20