CVE-2021-3448 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Content spoofing
Description	A security issue was found in dnsmasq before version 2.85. When configured with --server=<address>@<interface> or similar (e.g. through dbus), dnsmasq configures a fixed UDP port for all outgoing queries to the specified upstream DNS server. If an attacker is able to discover the opened port through other means (e.g. port scanning, guessing or sniffing), they would just have to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw could be abused to perform a DNS Cache Poisoning attack.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1703	dnsmasq	2.84-1	2.85-1	Medium	Fixed

References
https://bugzilla.redhat.com/show_bug.cgi?id=1939368 https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=74d4fcd756a85bc1823232ea74334f7ccfb9d5d2 https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/014962.html

References

https://bugzilla.redhat.com/show_bug.cgi?id=1939368
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=74d4fcd756a85bc1823232ea74334f7ccfb9d5d2
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/014962.html

Notes
Workaround ========== The flaw can be prevented by removing the --server=<address>@<interface> option or by removing the directive server=<address>@<interface>. If dnsmasq is being run through NetworkManager, please be aware that NetworkManager automatically configures dnsmasq to use the server=<address>@<interface> directive, thus in this case the only way to prevent the flaw is to remove dns=dnsmasq from the /etc/NetworkManager/NetworkManager.conf file. If the server=<address>@<interface> must be kept active, the impact of this flaw can be reduced by disabling the dnsmasq cache by adding --cache-size=0 when calling dnsmasq or by adding a line with cache-size=0 to the dnsmasq configuration file (/etc/dnsmasq.conf by default). If dnsmasq is being run through NetworkManager, create a new file in /etc/NetworkManager/dnsmasq.d/ and add cache-size=0 to it. By disabling the cache, you may experience a performance loss in your environment due to all DNS queries being forwarded to the upstream servers. Please evaluate if the mitigation is appropriate for the system’s environment before applying.

Notes

Workaround
==========

The flaw can be prevented by removing the --server=<address>@<interface> option or by removing the directive server=<address>@<interface>. If dnsmasq is being run through NetworkManager, please be aware that NetworkManager automatically configures dnsmasq to use the server=<address>@<interface> directive, thus in this case the only way to prevent the flaw is to remove dns=dnsmasq from the /etc/NetworkManager/NetworkManager.conf file.

If the server=<address>@<interface> must be kept active, the impact of this flaw can be reduced by disabling the dnsmasq cache by adding --cache-size=0 when calling dnsmasq or by adding a line with cache-size=0 to the dnsmasq configuration file (/etc/dnsmasq.conf by default). If dnsmasq is being run through NetworkManager, create a new file in /etc/NetworkManager/dnsmasq.d/ and add cache-size=0 to it.

By disabling the cache, you may experience a performance loss in your environment due to all DNS queries being forwarded to the upstream servers. Please evaluate if the mitigation is appropriate for the system’s environment before applying.