CVE-2020-25684
dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
Se encontró un fallo en dnsmasq versiones anteriores a 2.83. Al obtener una respuesta de una consulta reenviada, dnsmasq comprueba en forward.c:reply_query() si la dirección y puerto de destino de la respuesta es utilizado por las consultas reenviadas pendientes. Sin embargo, no usa la dirección y puerto para recuperar la consulta reenviada exacta, lo que reduce sustancialmente la cantidad de intentos que un atacante en la red tendría que realizar para falsificar una respuesta y lograr que dnsmasq la acepte. Este problema contrasta con RFC5452, que especifica los atributos de una consulta que deben ser usados para hacer coincidir una respuesta. Este fallo permite a un atacante realizar un ataque de envenenamiento de caché de DNS. Si está encadenado con CVE-2020-25685 o CVE-2020-25686, se reduce la complejidad del ataque de un ataque con éxito. La mayor amenaza de esta vulnerabilidad es la integridad de los datos
A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
USN-4698-1 fixed vulnerabilities in Dnsmasq. The updates introduced regressions in certain environments related to issues with multiple queries, and issues with retries. This update fixes the problem. Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled memory when sorting RRsets. A remote attacker could use this issue to cause Dnsmasq to hang, resulting in a denial of service, or possibly execute arbitrary code. Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled extracting certain names. A remote attacker could use this issue to cause Dnsmasq to hang, resulting in a denial of service, or possibly execute arbitrary code. Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly implemented address/port checks. A remote attacker could use this issue to perform a cache poisoning attack. Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly implemented query resource name checks. A remote attacker could use this issue to perform a cache poisoning attack. Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled multiple query requests for the same resource name. A remote attacker could use this issue to perform a cache poisoning attack. It was discovered that Dnsmasq incorrectly handled memory during DHCP response creation. A remote attacker could possibly use this issue to cause Dnsmasq to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-09-16 CVE Reserved
- 2021-01-19 CVE Published
- 2024-08-04 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-358: Improperly Implemented Security Check for Standard
CAPEC
References (10)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2021/03/msg00027.html | Mailing List |
|
| https://www.arista.com/en/support/advisories-notices/security-advisories/12135-security-advisory-61 | Third Party Advisory | |
| https://www.jsof-tech.com/disclosures/dnspooq | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1889686 | 2021-02-03 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Thekelleys Search vendor "Thekelleys" | Dnsmasq Search vendor "Thekelleys" for product "Dnsmasq" | < 2.83 Search vendor "Thekelleys" for product "Dnsmasq" and version " < 2.83" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Arista Search vendor "Arista" | Eos Search vendor "Arista" for product "Eos" | >= 4.21 < 4.21.14m Search vendor "Arista" for product "Eos" and version " >= 4.21 < 4.21.14m" | - |
Affected
| ||||||
| Arista Search vendor "Arista" | Eos Search vendor "Arista" for product "Eos" | >= 4.22 < 4.22.9m Search vendor "Arista" for product "Eos" and version " >= 4.22 < 4.22.9m" | - |
Affected
| ||||||
| Arista Search vendor "Arista" | Eos Search vendor "Arista" for product "Eos" | >= 4.23 < 4.23.7m Search vendor "Arista" for product "Eos" and version " >= 4.23 < 4.23.7m" | - |
Affected
| ||||||
| Arista Search vendor "Arista" | Eos Search vendor "Arista" for product "Eos" | >= 4.24 < 4.24.5m Search vendor "Arista" for product "Eos" and version " >= 4.24 < 4.24.5m" | - |
Affected
| ||||||
| Arista Search vendor "Arista" | Eos Search vendor "Arista" for product "Eos" | >= 4.25 < 4.25.2f Search vendor "Arista" for product "Eos" and version " >= 4.25 < 4.25.2f" | - |
Affected
| ||||||