Subject: [ASA-202101-38] dnsmasq: multiple issues Arch Linux Security Advisory ASA-202101-38 ========================================== Severity: High Date : 2021-01-20 CVE-ID : CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 CVE-2020-25687 Package : dnsmasq Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1470 Summary ======= The package dnsmasq before version 2.83-1 is vulnerable to multiple issues including arbitrary code execution, denial of service and insufficient validation. Resolution ========== Upgrade to 2.83-1. # pacman -Syu "dnsmasq>=2.83-1" The problems have been fixed upstream in version 2.83. Workaround ========== None. Description =========== - CVE-2020-25681 (arbitrary code execution) A heap-based buffer overflow was discovered in dnsmasq before version 2.83 in the way it sorts RRSets before validating them with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. - CVE-2020-25682 (arbitrary code execution) A buffer overflow vulnerability was discovered in the way dnsmasq before version 2.83 extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths it is possible extract_name() gets passed an offset from the base buffer, thus reducing in practice the number of available bytes that can be written in the buffer. - CVE-2020-25683 (denial of service) A heap-based buffer overflow was discovered in dnsmasq before version 2.83 when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a Denial of Service. - CVE-2020-25684 (insufficient validation) A flaw was found when getting a reply from a forwarded query, where dnsmasq before version 2.83 checks in forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. - CVE-2020-25685 (insufficient validation) When getting a reply from a forwarded query, dnsmasq before version 2.83 checks in forward.c:reply_query() which one is the forwarded query that matches the reply by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) an off-path attacker can find several different domains all having the same hash, substantially reducing the number of attempts he would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced. - CVE-2020-25686 (insufficient validation) A flaw was found when receiving a query, where dnsmasq before version 2.83 does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that would have to be performed to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the "Birthday Attacks" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. - CVE-2020-25687 (denial of service) A heap-based buffer overflow was discovered in dnsmasq before version 2.83 when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of Service. Impact ====== A remote attacker can execute arbitrary code, bypass validation and crash the application through crafted DNS responses. References ========== https://www.openwall.com/lists/oss-security/2021/01/19/1 https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html https://www.jsof-tech.com/disclosures/dnspooq/ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=257ac0c5f7732cbc6aa96fdd3b06602234593aca https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=2d765867c597db18be9d876c9c17e2c0fe1953cd https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=15b60ddf935a531269bb8c68198de012a4967156 https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914 https://security.archlinux.org/CVE-2020-25681 https://security.archlinux.org/CVE-2020-25682 https://security.archlinux.org/CVE-2020-25683 https://security.archlinux.org/CVE-2020-25684 https://security.archlinux.org/CVE-2020-25685 https://security.archlinux.org/CVE-2020-25686 https://security.archlinux.org/CVE-2020-25687