CVE-2020-25682
dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Se encontró un fallo en dnsmasq versiones anteriores a 2.83. Se detectó una vulnerabilidad de desbordamiento del búfer en la manera en que dnsmasq extrae nombres de paquetes DNS antes de validarlos con datos DNSSEC. Un atacante en la red, que puede crear respuestas DNS válidas, podría usar este fallo para causar un desbordamiento de datos arbitrarios en una memoria asignada de la pila, posiblemente ejecutando código en la máquina. El fallo está en la función rfc1035.c:extract_name(), que escribe datos en la memoria apuntada por el nombre asumiendo que los bytes MAXDNAME*2 están disponibles en el búfer. Sin embargo, en algunas rutas de ejecución de código, es posible que la función extract_name() pasaba un desplazamiento del búfer base, reduciendo así, en la práctica, el número de bytes disponibles que se pueden escribir en el búfer. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos, así como la disponibilidad del sistema
A flaw was found in dnsmasq. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-09-16 CVE Reserved
- 2021-01-19 CVE Published
- 2024-08-04 CVE Updated
- 2024-11-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-122: Heap-based Buffer Overflow
- CWE-787: Out-of-bounds Write
CAPEC
References (9)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2021/03/msg00027.html | Mailing List | |
https://www.jsof-tech.com/disclosures/dnspooq | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1882014 | 2021-01-19 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Thekelleys Search vendor "Thekelleys" | Dnsmasq Search vendor "Thekelleys" for product "Dnsmasq" | < 2.83 Search vendor "Thekelleys" for product "Dnsmasq" and version " < 2.83" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
|