Severity
3.7LOW
EPSS
0.3%
top 45.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJan 20
Latest updateMay 24
Description
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forg…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 2.2 | Impact: 1.4
Affected Packages4 packages
Also affects: Debian Linux 10.0, Fedora 32, 33
Patches
🔴Vulnerability Details
3📋Vendor Advisories
7Red Hat▶
dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker↗2021-01-19
Cisco
▶
Red Hat▶
dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker↗2021-01-19
Microsoft▶
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query dnsmasq checks in forward.c:reply_query() which is the forwarded query that matches the reply by only using↗2021-01-12
💬Community
1Bugzilla▶
CVE-2020-25685 dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker↗2020-10-20