A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
{"id": "CVE-2020-25681", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-25681", "description": "A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "published": "2021-01-20T17:15:00", "modified": "2021-03-26T18:22:00", "epss": [{"cve": "CVE-2020-25681", "epss": 0.4619, "percentile": 0.96883, "modified": "2023-06-06"}], "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "baseScore": 8.3}, "severity": "HIGH", "exploitabilityScore": 8.6, "impactScore": 8.5, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25681", "reporter": "secalert@redhat.com", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1881875", "https://www.jsof-tech.com/disclosures/dnspooq/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYW3IR6APUSKOYKL5FT3ACTIHWHGQY32/", "https://security.gentoo.org/glsa/202101-17", "https://www.debian.org/security/2021/dsa-4844", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGB7HL3OWHTLEPSMLDGOMXQKG3KM2QME/", "https://lists.debian.org/debian-lts-announce/2021/03/msg00027.html"], "cvelist": ["CVE-2020-25681"], "immutableFields": [], "lastseen": "2023-06-06T14:39:16", "viewCount": 1524, "enchantments": {"dependencies": {"references": [{"type": "almalinux", "idList": ["ALSA-2021:0150"]}, {"type": "alpinelinux", "idList": ["ALPINE:CVE-2020-25681"]}, {"type": "altlinux", "idList": ["864D4BAD00FC35A95D316BFD81ABFD93"]}, {"type": "archlinux", "idList": ["ASA-202101-38"]}, {"type": "cert", "idList": ["VU:434904"]}, {"type": "cisco", "idList": ["CISCO-SA-DNSMASQ-DNS-2021-C5MRDF3G"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2604-1:9EC79", "DEBIAN:DSA-4844-1:75AB4", "DEBIAN:DSA-4844-1:99BC8"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-25681"]}, {"type": "f5", "idList": ["F5:K02931614"]}, {"type": "fedora", "idList": ["FEDORA:5278930BDD92", "FEDORA:5AB7E30E25EB"]}, {"type": "freebsd", "idList": ["5B5CF6E5-5B51-11EB-95AC-7F9491278677"]}, {"type": "gentoo", "idList": ["GLSA-202101-17"]}, {"type": "ics", "idList": ["ICSA-21-019-01"]}, {"type": "mageia", "idList": ["MGASA-2021-0059"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:663327DFA13BEF28EEE013C568D709A6"]}, {"type": "nessus", "idList": ["CENTOS8_RHSA-2021-0150.NASL", "DEBIAN_DLA-2604.NASL", "DEBIAN_DSA-4844.NASL", "DNSMASQ_2_83.NASL", "EULEROS_SA-2021-1138.NASL", "EULEROS_SA-2021-1244.NASL", "EULEROS_SA-2021-1263.NASL", "EULEROS_SA-2021-1288.NASL", "EULEROS_SA-2021-1374.NASL", "EULEROS_SA-2021-1389.NASL", "EULEROS_SA-2021-1411.NASL", "EULEROS_SA-2021-1469.NASL", "EULEROS_SA-2021-1551.NASL", "EULEROS_SA-2021-1673.NASL", "EULEROS_SA-2021-1733.NASL", "EULEROS_SA-2021-1758.NASL", "FEDORA_2021-2E4C3D5A9D.NASL", "FEDORA_2021-84440E87BA.NASL", "FREEBSD_PKG_5B5CF6E55B5111EB95AC7F9491278677.NASL", "GENTOO_GLSA-202101-17.NASL", "NEWSTART_CGSL_NS-SA-2021-0091_DNSMASQ.NASL", "NEWSTART_CGSL_NS-SA-2021-0125_DNSMASQ.NASL", "OPENSUSE-2021-124.NASL", "OPENSUSE-2021-129.NASL", "ORACLELINUX_ELSA-2021-0150.NASL", "PHOTONOS_PHSA-2021-1_0-0356_DNSMASQ.NASL", "PHOTONOS_PHSA-2021-2_0-0312_DNSMASQ.NASL", "PHOTONOS_PHSA-2021-3_0-0186_DNSMASQ.NASL", "REDHAT-RHSA-2021-0150.NASL", "REDHAT-RHSA-2021-0151.NASL", "REDHAT-RHSA-2021-0152.NASL", "SLACKWARE_SSA_2021-040-01.NASL", "SUSE_SU-2021-0162-1.NASL", "SUSE_SU-2021-0163-1.NASL", "SUSE_SU-2021-0166-1.NASL", "SUSE_SU-2021-14603-1.NASL", "UBUNTU_USN-4698-1.NASL"]}, {"type": "openwrt", "idList": ["OPENWRT-SA-2021-01-19-1"]}, {"type": "oraclelinux", "idList": ["ELSA-2021-0150"]}, {"type": "osv", "idList": ["OSV:DLA-2604-1", "OSV:DSA-4844-1"]}, {"type": "photon", "idList": ["PHSA-2021-0186", "PHSA-2021-0312", "PHSA-2021-0356", "PHSA-2021-1.0-0356", "PHSA-2021-2.0-0312", "PHSA-2021-3.0-0186"]}, {"type": "redhat", "idList": ["RHSA-2020:5633", "RHSA-2021:0150", "RHSA-2021:0151", "RHSA-2021:0152", "RHSA-2021:0281", "RHSA-2021:0799"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-25681"]}, {"type": "slackware", "idList": ["SSA-2021-040-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:0124-1", "OPENSUSE-SU-2021:0129-1"]}, {"type": "threatpost", "idList": ["THREATPOST:8B647363122969148DB6173D5DA44833"]}, {"type": "ubuntu", "idList": ["USN-4698-1", "USN-4698-2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-25681"]}, {"type": "veracode", "idList": ["VERACODE:29046"]}]}, "score": {"value": 4.7, "vector": "NONE"}, "twitter": {"counter": 8, "modified": "2021-03-23T12:24:57", "tweets": [{"link": "https://twitter.com/threatintelctr/status/1358903230294601728", "text": " NEW: CVE-2020-25681 A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who ... (click for more) Severity: HIGH https://t.co/lONyxGbkuk?amp=1"}, {"link": "https://twitter.com/GrupoICA_Ciber/status/1365224161052942337", "text": "DEBIAN\nM\u00faltiples vulnerabilidades de severidad alta en productos DEBIAN: \n\nCVE-2020-27844,CVE-2020-27814,CVE-2020-25681,CVE-2021-26720,CVE-2021-23840,CVE-2021-23841\n\nM\u00e1s info en: https://t.co/MSlGna3az9?amp=1\n/hashtag/ciberseguridad?src=hashtag_click /hashtag/grupoica?src=hashtag_click /hashtag/debian?src=hashtag_click"}, {"link": "https://twitter.com/RobbiNespu/status/1354823224148672515", "text": "/hashtag/Debian?src=hashtag_click stable still haven't fixes / patch CVE-2020-25681 - CVE-2020-25687 for /hashtag/dnsmasq?src=hashtag_click package\n- https://t.co/iWPmo7vOwG?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1375523044895174658", "text": " NEW: CVE-2020-25681 A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who ... (click for more) Severity: HIGH https://t.co/lONyxGbkuk?amp=1"}, {"link": "https://twitter.com/AzagraMac/status/1370905671630225408", "text": "Firmware Update, ASUS RT-AX58U, \nv3.0.0.4.386.42095\n \n- Improved system stability.\n- Fixed GUI bugs.\n- Security Fixed: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686\n\nhttps://t.co/gwPckAWhxS?amp=1"}, {"link": "https://twitter.com/VulmonFeeds/status/1375061651586703366", "text": "CVE-2020-25681\n\nA flaw was found in dnsmasq before version 2.83. A heap-b...\n\nhttps://t.co/I9ruulhYXn?amp=1\n\nDon't wait vulnerability scanning results: https://t.co/oh1APvMMnd?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1375515495508533252", "text": " NEW: CVE-2020-25681 A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who ... (click for more) Severity: HIGH https://t.co/lONyxGsVlS?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1365046158482165766", "text": " NEW: CVE-2020-25681 A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who ... (click for more) Severity: HIGH https://t.co/lONyxGbkuk?amp=1"}]}, "backreferences": {"references": [{"type": "almalinux", "idList": ["ALSA-2021:0150"]}, {"type": "archlinux", "idList": ["ASA-202101-38"]}, {"type": "cert", "idList": ["VU:434904"]}, {"type": "cisco", "idList": ["CISCO-SA-DNSMASQ-DNS-2021-C5MRDF3G"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4844-1:99BC8"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-25681"]}, {"type": "f5", "idList": ["F5:K02931614"]}, {"type": "fedora", "idList": ["FEDORA:5278930BDD92", "FEDORA:5AB7E30E25EB"]}, {"type": "freebsd", "idList": ["5B5CF6E5-5B51-11EB-95AC-7F9491278677"]}, {"type": "gentoo", "idList": ["GLSA-202101-17"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:663327DFA13BEF28EEE013C568D709A6"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/CENTOS_LINUX-CVE-2020-25681/", "MSF:ILITIES/FREEBSD-CVE-2020-25681/", "MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-25681/"]}, {"type": "nessus", "idList": ["CENTOS8_RHSA-2021-0150.NASL", "DEBIAN_DSA-4844.NASL", "DNSMASQ_2_83.NASL", "EULEROS_SA-2021-1138.NASL", "EULEROS_SA-2021-1244.NASL", "EULEROS_SA-2021-1263.NASL", "EULEROS_SA-2021-1288.NASL", "EULEROS_SA-2021-1374.NASL", "EULEROS_SA-2021-1733.NASL", "EULEROS_SA-2021-1758.NASL", "FEDORA_2021-2E4C3D5A9D.NASL", "FEDORA_2021-84440E87BA.NASL", "FREEBSD_PKG_5B5CF6E55B5111EB95AC7F9491278677.NASL", "GENTOO_GLSA-202101-17.NASL", "OPENSUSE-2021-124.NASL", "OPENSUSE-2021-129.NASL", "ORACLELINUX_ELSA-2021-0150.NASL", "PHOTONOS_PHSA-2021-1_0-0356_DNSMASQ.NASL", "PHOTONOS_PHSA-2021-2_0-0312_DNSMASQ.NASL", "PHOTONOS_PHSA-2021-3_0-0186_DNSMASQ.NASL", "REDHAT-RHSA-2021-0150.NASL", "REDHAT-RHSA-2021-0151.NASL", "REDHAT-RHSA-2021-0152.NASL", "SLACKWARE_SSA_2021-040-01.NASL", "SUSE_SU-2021-0162-1.NASL", "SUSE_SU-2021-0163-1.NASL", "SUSE_SU-2021-0166-1.NASL", "SUSE_SU-2021-14603-1.NASL", "UBUNTU_USN-4698-1.NASL"]}, {"type": "openwrt", "idList": ["OPENWRT-SA-2021-01-19-1"]}, {"type": "oraclelinux", "idList": ["ELSA-2021-0150"]}, {"type": "photon", "idList": ["PHSA-2021-1.0-0356", "PHSA-2021-2.0-0312", "PHSA-2021-3.0-0186"]}, {"type": "redhat", "idList": ["RHSA-2021:0150", "RHSA-2021:0151"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-25681"]}, {"type": "slackware", "idList": ["SSA-2021-040-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:0124-1", "OPENSUSE-SU-2021:0129-1"]}, {"type": "threatpost", "idList": ["THREATPOST:8B647363122969148DB6173D5DA44833"]}, {"type": "ubuntu", "idList": ["USN-4698-1", "USN-4698-2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-25681"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "thekelleys dnsmasq", "version": 2}, {"name": "fedoraproject fedora", "version": 32}, {"name": "fedoraproject fedora", "version": 33}, {"name": "debian debian linux", "version": 9}, {"name": "debian debian linux", "version": 10}]}, "epss": [{"cve": "CVE-2020-25681", "epss": 0.4619, "percentile": 0.96865, "modified": "2023-05-07"}], "vulnersScore": 4.7}, "_state": {"dependencies": 1686073041, "score": 1686062979, "affected_software_major_version": 0, "epss": 0}, "_internal": {"score_hash": "e05658fb9f3a8697a4507857ca6d18c9"}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/o:fedoraproject:fedora:33", "cpe:/o:debian:debian_linux:9.0", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:32"], "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"], "cwe": ["CWE-122"], "affectedSoftware": [{"cpeName": "thekelleys:dnsmasq", "version": "2.83", "operator": "lt", "name": "thekelleys dnsmasq"}, {"cpeName": "fedoraproject:fedora", "version": "32", "operator": "eq", "name": "fedoraproject fedora"}, {"cpeName": "fedoraproject:fedora", "version": "33", "operator": "eq", "name": "fedoraproject fedora"}, {"cpeName": "debian:debian_linux", "version": "9.0", "operator": "eq", "name": "debian debian linux"}, {"cpeName": "debian:debian_linux", "version": "10.0", "operator": "eq", "name": "debian debian linux"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:thekelleys:dnsmasq:2.83:*:*:*:*:*:*:*", "versionEndExcluding": "2.83", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881875", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1881875", "refsource": "MISC", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"]}, {"url": "https://www.jsof-tech.com/disclosures/dnspooq/", "name": "https://www.jsof-tech.com/disclosures/dnspooq/", "refsource": "MISC", "tags": ["Third Party Advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYW3IR6APUSKOYKL5FT3ACTIHWHGQY32/", "name": "FEDORA-2021-84440e87ba", "refsource": "FEDORA", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://security.gentoo.org/glsa/202101-17", "name": "GLSA-202101-17", "refsource": "GENTOO", "tags": ["Third Party Advisory"]}, {"url": "https://www.debian.org/security/2021/dsa-4844", "name": "DSA-4844", "refsource": "DEBIAN", "tags": ["Third Party Advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGB7HL3OWHTLEPSMLDGOMXQKG3KM2QME/", "name": "FEDORA-2021-2e4c3d5a9d", "refsource": "FEDORA", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00027.html", "name": "[debian-lts-announce] 20210322 [SECURITY] [DLA 2604-1] dnsmasq security update", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}], "product_info": [{"vendor": "Thekelleys", "product": "Dnsmasq"}, {"vendor": "Fedoraproject", "product": "Fedora"}, {"vendor": "Debian", "product": "Debian_linux"}], "solutions": [], "workarounds": [], "impacts": [], "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "CWE-122", "lang": "en", "type": "CWE"}]}], "exploits": [], "assigned": "1976-01-01T00:00:00"}
{"alpinelinux": [{"lastseen": "2023-06-23T11:06:24", "description": "A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-20T17:15:00", "type": "alpinelinux", "title": "CVE-2020-25681", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681"], "modified": "2021-03-26T18:22:00", "id": "ALPINE:CVE-2020-25681", "href": "https://security.alpinelinux.org/vuln/CVE-2020-25681", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "veracode": [{"lastseen": "2022-07-26T13:30:32", "description": "dnsmasq is vulnerable to buffer overflow. An attacker may forge malicious DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. \n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-20T16:41:21", "type": "veracode", "title": "Buffer Overflow", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681"], "modified": "2021-03-26T21:00:07", "id": "VERACODE:29046", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-29046/summary", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "osv": [{"lastseen": "2023-06-27T02:16:51", "description": "A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "cvss3": {}, "published": "2021-01-20T17:15:00", "type": "osv", "title": "CVE-2020-25681", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-25681"], "modified": "2023-06-27T02:16:35", "id": "OSV:CVE-2020-25681", "href": "https://osv.dev/vulnerability/CVE-2020-25681", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-10T07:15:50", "description": "\nMoshe Kol and Shlomi Oberman of JSOF discovered several\nvulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP\nserver. They could result in denial of service, cache poisoning or the\nexecution of arbitrary code.\n\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.80-1+deb10u1.\n\n\nWe recommend that you upgrade your dnsmasq packages.\n\n\nFor the detailed security status of dnsmasq please refer to\nits security tracker page at:\n[\\\nhttps://security-tracker.debian.org/tracker/dnsmasq](https://security-tracker.debian.org/tracker/dnsmasq)\n\n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-02T00:00:00", "type": "osv", "title": "dnsmasq - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25687", "CVE-2020-25685", "CVE-2020-25681", "CVE-2020-25683", "CVE-2020-25682", "CVE-2020-25686"], "modified": "2022-08-10T07:15:45", "id": "OSV:DSA-4844-1", "href": "https://osv.dev/vulnerability/DSA-4844-1", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "debiancve": [{"lastseen": "2023-06-06T14:54:20", "description": "A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-20T17:15:00", "type": "debiancve", "title": "CVE-2020-25681", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681"], "modified": "2021-01-20T17:15:00", "id": "DEBIANCVE:CVE-2020-25681", "href": "https://security-tracker.debian.org/tracker/CVE-2020-25681", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "ubuntucve": [{"lastseen": "2023-06-29T14:01:49", "description": "A flaw was found in dnsmasq before version 2.83. A heap-based buffer\noverflow was discovered in the way RRSets are sorted before validating with\nDNSSEC data. An attacker on the network, who can forge DNS replies such as\nthat they are accepted as valid, could use this flaw to cause a buffer\noverflow with arbitrary data in a heap memory segment, possibly executing\ncode on the machine. The highest threat from this vulnerability is to data\nconfidentiality and integrity as well as system availability.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-19T00:00:00", "type": "ubuntucve", "title": "CVE-2020-25681", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681"], "modified": "2021-01-19T00:00:00", "id": "UB:CVE-2020-25681", "href": "https://ubuntu.com/security/CVE-2020-25681", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "f5": [{"lastseen": "2023-06-06T21:37:36", "description": " * [CVE-2020-25681](<https://vulners.com/cve/CVE-2020-25681>)\n\nA flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n\n * [CVE-2020-25682](<https://vulners.com/cve/CVE-2020-25682>)\n\nA flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n\n * [CVE-2020-25683](<https://vulners.com/cve/CVE-2020-25683>)\n\nA flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.\n\n * [CVE-2020-25687](<https://vulners.com/cve/CVE-2020-25687>)\n\nA flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.\n\nImpact\n\nThere is no impact; F5 products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-30T03:26:00", "type": "f5", "title": "Multiple dnsmasq vulnerabilities ", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25687"], "modified": "2022-07-27T20:28:00", "id": "F5:K02931614", "href": "https://support.f5.com/csp/article/K02931614", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "debian": [{"lastseen": "2021-12-11T03:41:29", "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2604-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ \nMarch 22, 2021 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : dnsmasq\nVersion : 2.76-5+deb9u3\nCVE ID : CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 \n CVE-2020-25687\n\nMoshe Kol and Shlomi Oberman of JSOF discovered several\nvulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP\nserver. They could result in denial of service, cache poisoning or the\nexecution of arbitrary code.\n\nFor Debian 9 stretch, these problems have been fixed in version\n2.76-5+deb9u3.\n\nWe recommend that you upgrade your dnsmasq packages.\n\nFor the detailed security status of dnsmasq please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/dnsmasq\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-22T18:43:44", "type": "debian", "title": "[SECURITY] [DLA 2604-1] dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25687"], "modified": "2021-03-22T18:43:44", "id": "DEBIAN:DLA-2604-1:9EC79", "href": "https://lists.debian.org/debian-lts-announce/2021/03/msg00027.html", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2021-10-21T18:01:09", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4844-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nFebruary 02, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : dnsmasq\nCVE ID : CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 \n CVE-2020-25685 CVE-2020-25686 CVE-2020-25687\n\nMoshe Kol and Shlomi Oberman of JSOF discovered several\nvulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP\nserver. They could result in denial of service, cache poisoning or the\nexecution of arbitrary code.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.80-1+deb10u1.\n\nWe recommend that you upgrade your dnsmasq packages.\n\nFor the detailed security status of dnsmasq please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/dnsmasq\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-04T07:37:12", "type": "debian", "title": "[SECURITY] [DSA 4844-1] dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-02-04T07:37:12", "id": "DEBIAN:DSA-4844-1:75AB4", "href": "https://lists.debian.org/debian-security-announce/2021/msg00026.html", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2023-06-07T14:39:15", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4844-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nFebruary 02, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : dnsmasq\nCVE ID : CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 \n CVE-2020-25685 CVE-2020-25686 CVE-2020-25687\n\nMoshe Kol and Shlomi Oberman of JSOF discovered several\nvulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP\nserver. They could result in denial of service, cache poisoning or the\nexecution of arbitrary code.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.80-1+deb10u1.\n\nWe recommend that you upgrade your dnsmasq packages.\n\nFor the detailed security status of dnsmasq please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/dnsmasq\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-04T07:37:12", "type": "debian", "title": "[SECURITY] [DSA 4844-1] dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-02-04T07:37:12", "id": "DEBIAN:DSA-4844-1:99BC8", "href": "https://lists.debian.org/debian-security-announce/2021/msg00026.html", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "nessus": [{"lastseen": "2023-05-18T15:25:42", "description": "Moshe Kol and Shlomi Oberman of JSOF discovered several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server. They could result in denial of service, cache poisoning or the execution of arbitrary code.\n\nFor Debian 9 stretch, these problems have been fixed in version 2.76-5+deb9u3.\n\nWe recommend that you upgrade your dnsmasq packages.\n\nFor the detailed security status of dnsmasq please refer to its security tracker page at:\nhttps://security-tracker.debian.org/tracker/dnsmasq\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-03-23T00:00:00", "type": "nessus", "title": "Debian DLA-2604-1 : dnsmasq security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25687"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:dnsmasq", "p-cpe:/a:debian:debian_linux:dnsmasq-base", "p-cpe:/a:debian:debian_linux:dnsmasq-utils", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2604.NASL", "href": "https://www.tenable.com/plugins/nessus/147960", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2604-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(147960);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-25681\", \"CVE-2020-25682\", \"CVE-2020-25683\", \"CVE-2020-25684\", \"CVE-2020-25687\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Debian DLA-2604-1 : dnsmasq security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Moshe Kol and Shlomi Oberman of JSOF discovered several\nvulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP\nserver. They could result in denial of service, cache poisoning or the\nexecution of arbitrary code.\n\nFor Debian 9 stretch, these problems have been fixed in version\n2.76-5+deb9u3.\n\nWe recommend that you upgrade your dnsmasq packages.\n\nFor the detailed security status of dnsmasq please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/dnsmasq\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2021/03/msg00027.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/dnsmasq\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/dnsmasq\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:dnsmasq-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"dnsmasq\", reference:\"2.76-5+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"dnsmasq-base\", reference:\"2.76-5+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"dnsmasq-utils\", reference:\"2.76-5+deb9u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:10:30", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0150 advisory.\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-19T00:00:00", "type": "nessus", "title": "RHEL 8 : dnsmasq (RHSA-2021:0150)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_aus:8.4", "cpe:/o:redhat:rhel_aus:8.6", "cpe:/o:redhat:rhel_e4s:8.4", "cpe:/o:redhat:rhel_e4s:8.6", "cpe:/o:redhat:rhel_eus:8.4", "cpe:/o:redhat:rhel_eus:8.6", "cpe:/o:redhat:rhel_tus:8.4", "cpe:/o:redhat:rhel_tus:8.6", "p-cpe:/a:redhat:enterprise_linux:dnsmasq", "p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils"], "id": "REDHAT-RHSA-2021-0150.NASL", "href": "https://www.tenable.com/plugins/nessus/145088", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0150. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145088);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"RHSA\", value:\"2021:0150\");\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"RHEL 8 : dnsmasq (RHSA-2021:0150)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0150 advisory.\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled\n (CVE-2020-25682)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled\n (CVE-2020-25683)\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled\n (CVE-2020-25687)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25681\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25683\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25687\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0150\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1881875\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1882014\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1882018\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1890125\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1891568\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(122, 290, 326, 358);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.4/x86_64/appstream/debug',\n 'content/aus/rhel8/8.4/x86_64/appstream/os',\n 'content/aus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.4/x86_64/baseos/debug',\n 'content/aus/rhel8/8.4/x86_64/baseos/os',\n 'content/aus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/aarch64/appstream/debug',\n 'content/e4s/rhel8/8.4/aarch64/appstream/os',\n 'content/e4s/rhel8/8.4/aarch64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/aarch64/baseos/debug',\n 'content/e4s/rhel8/8.4/aarch64/baseos/os',\n 'content/e4s/rhel8/8.4/aarch64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.4/ppc64le/sap/os',\n 'content/e4s/rhel8/8.4/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.4/s390x/appstream/debug',\n 'content/e4s/rhel8/8.4/s390x/appstream/os',\n 'content/e4s/rhel8/8.4/s390x/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/s390x/baseos/debug',\n 'content/e4s/rhel8/8.4/s390x/baseos/os',\n 'content/e4s/rhel8/8.4/s390x/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.4/x86_64/appstream/os',\n 'content/e4s/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.4/x86_64/baseos/os',\n 'content/e4s/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/nfv/debug',\n 'content/e4s/rhel8/8.4/x86_64/nfv/os',\n 'content/e4s/rhel8/8.4/x86_64/nfv/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/sap/debug',\n 'content/e4s/rhel8/8.4/x86_64/sap/os',\n 'content/e4s/rhel8/8.4/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/appstream/debug',\n 'content/eus/rhel8/8.4/aarch64/appstream/os',\n 'content/eus/rhel8/8.4/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/baseos/debug',\n 'content/eus/rhel8/8.4/aarch64/baseos/os',\n 'content/eus/rhel8/8.4/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.4/aarch64/highavailability/os',\n 'content/eus/rhel8/8.4/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.4/aarch64/supplementary/os',\n 'content/eus/rhel8/8.4/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.4/ppc64le/appstream/os',\n 'content/eus/rhel8/8.4/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.4/ppc64le/baseos/os',\n 'content/eus/rhel8/8.4/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/sap/debug',\n 'content/eus/rhel8/8.4/ppc64le/sap/os',\n 'content/eus/rhel8/8.4/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/appstream/debug',\n 'content/eus/rhel8/8.4/s390x/appstream/os',\n 'content/eus/rhel8/8.4/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/baseos/debug',\n 'content/eus/rhel8/8.4/s390x/baseos/os',\n 'content/eus/rhel8/8.4/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/highavailability/debug',\n 'content/eus/rhel8/8.4/s390x/highavailability/os',\n 'content/eus/rhel8/8.4/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/sap/debug',\n 'content/eus/rhel8/8.4/s390x/sap/os',\n 'content/eus/rhel8/8.4/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/supplementary/debug',\n 'content/eus/rhel8/8.4/s390x/supplementary/os',\n 'content/eus/rhel8/8.4/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/appstream/debug',\n 'content/eus/rhel8/8.4/x86_64/appstream/os',\n 'content/eus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/baseos/debug',\n 'content/eus/rhel8/8.4/x86_64/baseos/os',\n 'content/eus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.4/x86_64/highavailability/os',\n 'content/eus/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/sap/debug',\n 'content/eus/rhel8/8.4/x86_64/sap/os',\n 'content/eus/rhel8/8.4/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.4/x86_64/supplementary/os',\n 'content/eus/rhel8/8.4/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/appstream/debug',\n 'content/tus/rhel8/8.4/x86_64/appstream/os',\n 'content/tus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/baseos/debug',\n 'content/tus/rhel8/8.4/x86_64/baseos/os',\n 'content/tus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.4/x86_64/highavailability/os',\n 'content/tus/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/nfv/debug',\n 'content/tus/rhel8/8.4/x86_64/nfv/os',\n 'content/tus/rhel8/8.4/x86_64/nfv/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/rt/debug',\n 'content/tus/rhel8/8.4/x86_64/rt/os',\n 'content/tus/rhel8/8.4/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'dnsmasq-2.79-13.el8_3.1', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.79-13.el8_3.1', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.6/x86_64/appstream/debug',\n 'content/aus/rhel8/8.6/x86_64/appstream/os',\n 'content/aus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.6/x86_64/baseos/debug',\n 'content/aus/rhel8/8.6/x86_64/baseos/os',\n 'content/aus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.6/x86_64/appstream/os',\n 'content/e4s/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.6/x86_64/baseos/os',\n 'content/e4s/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap/os',\n 'content/e4s/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/appstream/debug',\n 'content/eus/rhel8/8.6/aarch64/appstream/os',\n 'content/eus/rhel8/8.6/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/baseos/debug',\n 'content/eus/rhel8/8.6/aarch64/baseos/os',\n 'content/eus/rhel8/8.6/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.6/aarch64/highavailability/os',\n 'content/eus/rhel8/8.6/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.6/aarch64/supplementary/os',\n 'content/eus/rhel8/8.6/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.6/ppc64le/appstream/os',\n 'content/eus/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.6/ppc64le/baseos/os',\n 'content/eus/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap/os',\n 'content/eus/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/appstream/debug',\n 'content/eus/rhel8/8.6/s390x/appstream/os',\n 'content/eus/rhel8/8.6/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/baseos/debug',\n 'content/eus/rhel8/8.6/s390x/baseos/os',\n 'content/eus/rhel8/8.6/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/highavailability/debug',\n 'content/eus/rhel8/8.6/s390x/highavailability/os',\n 'content/eus/rhel8/8.6/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/sap/debug',\n 'content/eus/rhel8/8.6/s390x/sap/os',\n 'content/eus/rhel8/8.6/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/supplementary/debug',\n 'content/eus/rhel8/8.6/s390x/supplementary/os',\n 'content/eus/rhel8/8.6/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/appstream/debug',\n 'content/eus/rhel8/8.6/x86_64/appstream/os',\n 'content/eus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/baseos/debug',\n 'content/eus/rhel8/8.6/x86_64/baseos/os',\n 'content/eus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.6/x86_64/highavailability/os',\n 'content/eus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap/debug',\n 'content/eus/rhel8/8.6/x86_64/sap/os',\n 'content/eus/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.6/x86_64/supplementary/os',\n 'content/eus/rhel8/8.6/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/appstream/debug',\n 'content/tus/rhel8/8.6/x86_64/appstream/os',\n 'content/tus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/baseos/debug',\n 'content/tus/rhel8/8.6/x86_64/baseos/os',\n 'content/tus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.6/x86_64/highavailability/os',\n 'content/tus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/rt/os',\n 'content/tus/rhel8/8.6/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'dnsmasq-2.79-13.el8_3.1', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.79-13.el8_3.1', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel8/8/aarch64/appstream/debug',\n 'content/dist/rhel8/8/aarch64/appstream/os',\n 'content/dist/rhel8/8/aarch64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/baseos/debug',\n 'content/dist/rhel8/8/aarch64/baseos/os',\n 'content/dist/rhel8/8/aarch64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/codeready-builder/debug',\n 'content/dist/rhel8/8/aarch64/codeready-builder/os',\n 'content/dist/rhel8/8/aarch64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/highavailability/debug',\n 'content/dist/rhel8/8/aarch64/highavailability/os',\n 'content/dist/rhel8/8/aarch64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/supplementary/debug',\n 'content/dist/rhel8/8/aarch64/supplementary/os',\n 'content/dist/rhel8/8/aarch64/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/appstream/debug',\n 'content/dist/rhel8/8/ppc64le/appstream/os',\n 'content/dist/rhel8/8/ppc64le/appstream/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/baseos/debug',\n 'content/dist/rhel8/8/ppc64le/baseos/os',\n 'content/dist/rhel8/8/ppc64le/baseos/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/debug',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/os',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/highavailability/debug',\n 'content/dist/rhel8/8/ppc64le/highavailability/os',\n 'content/dist/rhel8/8/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/debug',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/os',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/debug',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/os',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap/debug',\n 'content/dist/rhel8/8/ppc64le/sap/os',\n 'content/dist/rhel8/8/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/supplementary/debug',\n 'content/dist/rhel8/8/ppc64le/supplementary/os',\n 'content/dist/rhel8/8/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/s390x/appstream/debug',\n 'content/dist/rhel8/8/s390x/appstream/os',\n 'content/dist/rhel8/8/s390x/appstream/source/SRPMS',\n 'content/dist/rhel8/8/s390x/baseos/debug',\n 'content/dist/rhel8/8/s390x/baseos/os',\n 'content/dist/rhel8/8/s390x/baseos/source/SRPMS',\n 'content/dist/rhel8/8/s390x/codeready-builder/debug',\n 'content/dist/rhel8/8/s390x/codeready-builder/os',\n 'content/dist/rhel8/8/s390x/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/s390x/highavailability/debug',\n 'content/dist/rhel8/8/s390x/highavailability/os',\n 'content/dist/rhel8/8/s390x/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/s390x/resilientstorage/debug',\n 'content/dist/rhel8/8/s390x/resilientstorage/os',\n 'content/dist/rhel8/8/s390x/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/s390x/sap/debug',\n 'content/dist/rhel8/8/s390x/sap/os',\n 'content/dist/rhel8/8/s390x/sap/source/SRPMS',\n 'content/dist/rhel8/8/s390x/supplementary/debug',\n 'content/dist/rhel8/8/s390x/supplementary/os',\n 'content/dist/rhel8/8/s390x/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/appstream/debug',\n 'content/dist/rhel8/8/x86_64/appstream/os',\n 'content/dist/rhel8/8/x86_64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/baseos/debug',\n 'content/dist/rhel8/8/x86_64/baseos/os',\n 'content/dist/rhel8/8/x86_64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/codeready-builder/debug',\n 'content/dist/rhel8/8/x86_64/codeready-builder/os',\n 'content/dist/rhel8/8/x86_64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/highavailability/debug',\n 'content/dist/rhel8/8/x86_64/highavailability/os',\n 'content/dist/rhel8/8/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/nfv/debug',\n 'content/dist/rhel8/8/x86_64/nfv/os',\n 'content/dist/rhel8/8/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/resilientstorage/debug',\n 'content/dist/rhel8/8/x86_64/resilientstorage/os',\n 'content/dist/rhel8/8/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/rt/debug',\n 'content/dist/rhel8/8/x86_64/rt/os',\n 'content/dist/rhel8/8/x86_64/rt/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap-solutions/debug',\n 'content/dist/rhel8/8/x86_64/sap-solutions/os',\n 'content/dist/rhel8/8/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap/debug',\n 'content/dist/rhel8/8/x86_64/sap/os',\n 'content/dist/rhel8/8/x86_64/sap/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/supplementary/debug',\n 'content/dist/rhel8/8/x86_64/supplementary/os',\n 'content/dist/rhel8/8/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'dnsmasq-2.79-13.el8_3.1', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.79-13.el8_3.1', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:12:08", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0152 advisory.\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-19T00:00:00", "type": "nessus", "title": "RHEL 8 : dnsmasq (RHSA-2021:0152)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:rhel_e4s:8.1", "cpe:/o:redhat:rhel_eus:8.1", "p-cpe:/a:redhat:enterprise_linux:dnsmasq", "p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils"], "id": "REDHAT-RHSA-2021-0152.NASL", "href": "https://www.tenable.com/plugins/nessus/145082", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0152. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145082);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"RHSA\", value:\"2021:0152\");\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"RHEL 8 : dnsmasq (RHSA-2021:0152)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0152 advisory.\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled\n (CVE-2020-25682)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled\n (CVE-2020-25683)\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled\n (CVE-2020-25687)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25681\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25683\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25687\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0152\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1881875\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1882014\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1882018\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1890125\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1891568\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(122, 290, 326, 358);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '8.1')) audit(AUDIT_OS_NOT, 'Red Hat 8.1', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/e4s/rhel8/8.1/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.1/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.1/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.1/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.1/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.1/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.1/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.1/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.1/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.1/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.1/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.1/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.1/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.1/ppc64le/sap/os',\n 'content/e4s/rhel8/8.1/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.1/x86_64/appstream/os',\n 'content/e4s/rhel8/8.1/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.1/x86_64/baseos/os',\n 'content/e4s/rhel8/8.1/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.1/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.1/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.1/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.1/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/sap/debug',\n 'content/e4s/rhel8/8.1/x86_64/sap/os',\n 'content/e4s/rhel8/8.1/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.1/aarch64/appstream/debug',\n 'content/eus/rhel8/8.1/aarch64/appstream/os',\n 'content/eus/rhel8/8.1/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.1/aarch64/baseos/debug',\n 'content/eus/rhel8/8.1/aarch64/baseos/os',\n 'content/eus/rhel8/8.1/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.1/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.1/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.1/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.1/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.1/aarch64/highavailability/os',\n 'content/eus/rhel8/8.1/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.1/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.1/aarch64/supplementary/os',\n 'content/eus/rhel8/8.1/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.1/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.1/ppc64le/appstream/os',\n 'content/eus/rhel8/8.1/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.1/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.1/ppc64le/baseos/os',\n 'content/eus/rhel8/8.1/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.1/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.1/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.1/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.1/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.1/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.1/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.1/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.1/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.1/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.1/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.1/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.1/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.1/ppc64le/sap/debug',\n 'content/eus/rhel8/8.1/ppc64le/sap/os',\n 'content/eus/rhel8/8.1/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.1/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.1/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.1/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.1/s390x/appstream/debug',\n 'content/eus/rhel8/8.1/s390x/appstream/os',\n 'content/eus/rhel8/8.1/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.1/s390x/baseos/debug',\n 'content/eus/rhel8/8.1/s390x/baseos/os',\n 'content/eus/rhel8/8.1/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.1/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.1/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.1/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.1/s390x/highavailability/debug',\n 'content/eus/rhel8/8.1/s390x/highavailability/os',\n 'content/eus/rhel8/8.1/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.1/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.1/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.1/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.1/s390x/sap/debug',\n 'content/eus/rhel8/8.1/s390x/sap/os',\n 'content/eus/rhel8/8.1/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.1/s390x/supplementary/debug',\n 'content/eus/rhel8/8.1/s390x/supplementary/os',\n 'content/eus/rhel8/8.1/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/appstream/debug',\n 'content/eus/rhel8/8.1/x86_64/appstream/os',\n 'content/eus/rhel8/8.1/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/baseos/debug',\n 'content/eus/rhel8/8.1/x86_64/baseos/os',\n 'content/eus/rhel8/8.1/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.1/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.1/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.1/x86_64/highavailability/os',\n 'content/eus/rhel8/8.1/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.1/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.1/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.1/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.1/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/sap/debug',\n 'content/eus/rhel8/8.1/x86_64/sap/os',\n 'content/eus/rhel8/8.1/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.1/x86_64/supplementary/os',\n 'content/eus/rhel8/8.1/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'dnsmasq-2.79-6.el8_1.1', 'sp':'1', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.79-6.el8_1.1', 'sp':'1', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Extended Update Support or Update Services for SAP Solutions repositories.\\n' +\n 'Access to these repositories requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:26:28", "description": "According to the versions of the dnsmasq packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-03-10T00:00:00", "type": "nessus", "title": "EulerOS Virtualization for ARM 64 3.0.2.0 : dnsmasq (EulerOS-SA-2021-1389)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:huawei:euleros:uvp:3.0.2.0", "p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils"], "id": "EULEROS_SA-2021-1389.NASL", "href": "https://www.tenable.com/plugins/nessus/147582", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147582);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.2.0 : dnsmasq (EulerOS-SA-2021-1389)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. When\n receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards\n a new request. By default, a maximum of 150 pending\n queries can be sent to upstream servers, so there can\n be at most 150 queries for the same name. This flaw\n allows an off-path attacker on the network to\n substantially reduce the number of attempts that it\n would have to perform to forge a reply and have it\n accepted by dnsmasq. This issue is mentioned in the\n 'Birthday Attacks' section of RFC5452. If chained with\n CVE-2020-25684, the attack complexity of a successful\n attack is reduced. The highest threat from this\n vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in the forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in forward.c:reply_query(), which is the forwarded\n query that matches the reply, by only using a weak hash\n of the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. This flaw allows a remote attacker, who can\n create valid DNS replies, to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in sort_rrset() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. A remote attacker, who can create valid DNS\n replies, could use this flaw to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in get_rdata() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. A buffer overflow\n vulnerability was discovered in the way dnsmasq extract\n names from DNS packets before validating them with\n DNSSEC data. An attacker on the network, who can create\n valid DNS replies, could use this flaw to cause an\n overflow with arbitrary data in a heap-allocated\n memory, possibly executing code on the machine. The\n flaw is in the rfc1035.c:extract_name() function, which\n writes data to the memory pointed by name assuming\n MAXDNAME*2 bytes are available in the buffer. However,\n in some code execution paths, it is possible\n extract_name() gets passed an offset from the base\n buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in the way RRSets are sorted\n before validating with DNSSEC data. An attacker on the\n network, who can forge DNS replies such as that they\n are accepted as valid, could use this flaw to cause a\n buffer overflow with arbitrary data in a heap memory\n segment, possibly executing code on the machine. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1389\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0bd5d8af\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.76-5.h7\",\n \"dnsmasq-utils-2.76-5.h7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:43", "description": "This update for dnsmasq fixes the following issues :\n\nbsc#1177077: Fixed DNSpooq vulnerabilities\n\nCVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache Poisoning attacks.\n\nCVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed multiple potential Heap-based overflows when DNSSEC is enabled.\n\nRetry query to other servers on receipt of SERVFAIL rcode (bsc#1176076)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-01-20T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : dnsmasq (SUSE-SU-2021:0166-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:dnsmasq", "p-cpe:/a:novell:suse_linux:dnsmasq-debuginfo", "p-cpe:/a:novell:suse_linux:dnsmasq-debugsource", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-0166-1.NASL", "href": "https://www.tenable.com/plugins/nessus/145175", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:0166-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145175);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"SUSE SLES12 Security Update : dnsmasq (SUSE-SU-2021:0166-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for dnsmasq fixes the following issues :\n\nbsc#1177077: Fixed DNSpooq vulnerabilities\n\nCVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache\nPoisoning attacks.\n\nCVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed\nmultiple potential Heap-based overflows when DNSSEC is enabled.\n\nRetry query to other servers on receipt of SERVFAIL rcode\n(bsc#1176076)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176076\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1177077\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25681/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25682/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25683/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25684/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25685/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25686/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25687/\");\n # https://www.suse.com/support/update/announcement/2021/suse-su-20210166-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6f7572f6\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud Crowbar 9 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-166=1\n\nSUSE OpenStack Cloud Crowbar 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-166=1\n\nSUSE OpenStack Cloud 9 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-9-2021-166=1\n\nSUSE OpenStack Cloud 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-8-2021-166=1\n\nSUSE OpenStack Cloud 7 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-7-2021-166=1\n\nSUSE Linux Enterprise Server for SAP 12-SP4 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP4-2021-166=1\n\nSUSE Linux Enterprise Server for SAP 12-SP3 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP3-2021-166=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP2-2021-166=1\n\nSUSE Linux Enterprise Server 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-166=1\n\nSUSE Linux Enterprise Server 12-SP4-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-166=1\n\nSUSE Linux Enterprise Server 12-SP3-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-166=1\n\nSUSE Linux Enterprise Server 12-SP3-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-166=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-166=1\n\nSUSE Linux Enterprise Server 12-SP2-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-166=1\n\nSUSE Enterprise Storage 5 :\n\nzypper in -t patch SUSE-Storage-5-2021-166=1\n\nHPE Helion Openstack 8 :\n\nzypper in -t patch HPE-Helion-OpenStack-8-2021-166=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2|3|4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2/3/4/5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"dnsmasq-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"dnsmasq-debuginfo-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"dnsmasq-debugsource-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"dnsmasq-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"dnsmasq-debuginfo-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"dnsmasq-debugsource-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"dnsmasq-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"dnsmasq-debuginfo-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"dnsmasq-debugsource-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"dnsmasq-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"dnsmasq-debuginfo-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"dnsmasq-debugsource-2.78-18.15.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:48", "description": "According to the versions of the dnsmasq package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-02-05T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : dnsmasq (EulerOS-SA-2021-1263)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:huawei:euleros:2.0", "p-cpe:/a:huawei:euleros:dnsmasq"], "id": "EULEROS_SA-2021-1263.NASL", "href": "https://www.tenable.com/plugins/nessus/146224", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146224);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS 2.0 SP9 : dnsmasq (EulerOS-SA-2021-1263)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies\n such as that they are accepted as valid, could use this\n flaw to cause a buffer overflow with arbitrary data in\n a heap memory segment, possibly executing code on the\n machine. The highest threat from this vulnerability is\n to data confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer\n overflow vulnerability was discovered in the way\n dnsmasq extract names from DNS packets before\n validating them with DNSSEC data. An attacker on the\n network, who can create valid DNS replies, could use\n this flaw to cause an overflow with arbitrary data in a\n heap-allocated memory, possibly executing code on the\n machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by\n name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is\n possible extract_name() gets passed an offset from the\n base buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n get_rdata() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in the forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in forward.c:reply_query(), which is the forwarded\n query that matches the reply, by only using a weak hash\n of the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When\n receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards\n a new request. By default, a maximum of 150 pending\n queries can be sent to upstream servers, so there can\n be at most 150 queries for the same name. This flaw\n allows an off-path attacker on the network to\n substantially reduce the number of attempts that it\n would have to perform to forge a reply and have it\n accepted by dnsmasq. This issue is mentioned in the\n 'Birthday Attacks' section of RFC5452. If chained with\n CVE-2020-25684, the attack complexity of a successful\n attack is reduced. The highest threat from this\n vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n sort_rrset() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1263\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b30dbebc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.81-1.h5.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:09", "description": "An update of the dnsmasq package has been released.", "cvss3": {}, "published": "2021-01-26T00:00:00", "type": "nessus", "title": "Photon OS 1.0: Dnsmasq PHSA-2021-1.0-0356", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:dnsmasq", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2021-1_0-0356_DNSMASQ.NASL", "href": "https://www.tenable.com/plugins/nessus/145420", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-1.0-0356. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145420);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Photon OS 1.0: Dnsmasq PHSA-2021-1.0-0356\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the dnsmasq package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-356.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 1.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-1.0', cpu:'x86_64', reference:'dnsmasq-2.82-1.ph1')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:48", "description": "According to the versions of the dnsmasq package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-02-05T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : dnsmasq (EulerOS-SA-2021-1244)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:huawei:euleros:2.0", "p-cpe:/a:huawei:euleros:dnsmasq"], "id": "EULEROS_SA-2021-1244.NASL", "href": "https://www.tenable.com/plugins/nessus/146218", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146218);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS 2.0 SP9 : dnsmasq (EulerOS-SA-2021-1244)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies\n such as that they are accepted as valid, could use this\n flaw to cause a buffer overflow with arbitrary data in\n a heap memory segment, possibly executing code on the\n machine. The highest threat from this vulnerability is\n to data confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer\n overflow vulnerability was discovered in the way\n dnsmasq extract names from DNS packets before\n validating them with DNSSEC data. An attacker on the\n network, who can create valid DNS replies, could use\n this flaw to cause an overflow with arbitrary data in a\n heap-allocated memory, possibly executing code on the\n machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by\n name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is\n possible extract_name() gets passed an offset from the\n base buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n get_rdata() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in the forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in forward.c:reply_query(), which is the forwarded\n query that matches the reply, by only using a weak hash\n of the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When\n receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards\n a new request. By default, a maximum of 150 pending\n queries can be sent to upstream servers, so there can\n be at most 150 queries for the same name. This flaw\n allows an off-path attacker on the network to\n substantially reduce the number of attempts that it\n would have to perform to forge a reply and have it\n accepted by dnsmasq. This issue is mentioned in the\n 'Birthday Attacks' section of RFC5452. If chained with\n CVE-2020-25684, the attack complexity of a successful\n attack is reduced. The highest threat from this\n vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n sort_rrset() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1244\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1cc63d9c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.81-1.h5.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:27:09", "description": "The remote Fedora 32 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-2e4c3d5a9d advisory.\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap- allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-04-19T00:00:00", "type": "nessus", "title": "Fedora 32 : dnsmasq (2021-2e4c3d5a9d)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:32", "p-cpe:/a:fedoraproject:fedora:dnsmasq"], "id": "FEDORA_2021-2E4C3D5A9D.NASL", "href": "https://www.tenable.com/plugins/nessus/148783", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from Fedora Security Advisory FEDORA-2021-2e4c3d5a9d\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148783);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"FEDORA\", value:\"2021-2e4c3d5a9d\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Fedora 32 : dnsmasq (2021-2e4c3d5a9d)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Fedora 32 host has a package installed that is affected by multiple vulnerabilities as referenced in the\nFEDORA-2021-2e4c3d5a9d advisory.\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS\n replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with\n arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from\n this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq\n extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who\n can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-\n allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from\n the base buffer, thus reducing, in practice, the number of available bytes that can be written in the\n buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as\n system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in the forward.c:reply_query() if the reply destination address/port is used by the pending\n forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query,\n substantially reducing the number of attempts an attacker on the network would have to perform to forge a\n reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's\n attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful\n attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a\n weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1\n when it is) this flaw allows an off-path attacker to find several different domains all having the same\n hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the\n attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards a new request. By default, a maximum of 150\n pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that\n it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the\n Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a\n successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2021-2e4c3d5a9d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:dnsmasq\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Fedora' >!< release) audit(AUDIT_OS_NOT, 'Fedora');\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Fedora 32', 'Fedora ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);\n\npkgs = [\n {'reference':'dnsmasq-2.84-1.fc32', 'release':'FC32', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:34:35", "description": "The remote NewStart CGSL host, running version MAIN 6.02, has dnsmasq packages installed that are affected by multiple vulnerabilities:\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap- allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-10-27T00:00:00", "type": "nessus", "title": "NewStart CGSL MAIN 6.02 : dnsmasq Multiple Vulnerabilities (NS-SA-2021-0125)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:zte:cgsl_main:dnsmasq", "p-cpe:/a:zte:cgsl_main:dnsmasq-debuginfo", "p-cpe:/a:zte:cgsl_main:dnsmasq-debugsource", "p-cpe:/a:zte:cgsl_main:dnsmasq-utils", "p-cpe:/a:zte:cgsl_main:dnsmasq-utils-debuginfo", "cpe:/o:zte:cgsl_main:6"], "id": "NEWSTART_CGSL_NS-SA-2021-0125_DNSMASQ.NASL", "href": "https://www.tenable.com/plugins/nessus/154463", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2021-0125. The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154463);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"NewStart CGSL MAIN 6.02 : dnsmasq Multiple Vulnerabilities (NS-SA-2021-0125)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote NewStart CGSL host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 6.02, has dnsmasq packages installed that are affected by multiple\nvulnerabilities:\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS\n replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with\n arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from\n this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq\n extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who\n can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-\n allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from\n the base buffer, thus reducing, in practice, the number of available bytes that can be written in the\n buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as\n system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in the forward.c:reply_query() if the reply destination address/port is used by the pending\n forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query,\n substantially reducing the number of attempts an attacker on the network would have to perform to forge a\n reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's\n attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful\n attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a\n weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1\n when it is) this flaw allows an off-path attacker to find several different domains all having the same\n hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the\n attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards a new request. By default, a maximum of 150\n pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that\n it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the\n Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a\n successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2021-0125\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25681\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25682\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25683\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25687\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL dnsmasq packages. Note that updated packages may not be available yet. Please contact ZTE\nfor more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:dnsmasq-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:dnsmasq-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:zte:cgsl_main:6\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL MAIN 6.02\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 6.02');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nvar flag = 0;\n\nvar pkgs = {\n 'CGSL MAIN 6.02': [\n 'dnsmasq-2.79-13.el8_3.1',\n 'dnsmasq-debuginfo-2.79-13.el8_3.1',\n 'dnsmasq-debugsource-2.79-13.el8_3.1',\n 'dnsmasq-utils-2.79-13.el8_3.1',\n 'dnsmasq-utils-debuginfo-2.79-13.el8_3.1'\n ]\n};\nvar pkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:04", "description": "The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-84440e87ba advisory.\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap- allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-21T00:00:00", "type": "nessus", "title": "Fedora 33 : dnsmasq (2021-84440e87ba)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:33", "p-cpe:/a:fedoraproject:fedora:dnsmasq"], "id": "FEDORA_2021-84440E87BA.NASL", "href": "https://www.tenable.com/plugins/nessus/145241", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from Fedora Security Advisory FEDORA-2021-84440e87ba\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145241);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"FEDORA\", value:\"2021-84440e87ba\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Fedora 33 : dnsmasq (2021-84440e87ba)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the\nFEDORA-2021-84440e87ba advisory.\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS\n replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with\n arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from\n this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq\n extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who\n can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-\n allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from\n the base buffer, thus reducing, in practice, the number of available bytes that can be written in the\n buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as\n system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in the forward.c:reply_query() if the reply destination address/port is used by the pending\n forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query,\n substantially reducing the number of attempts an attacker on the network would have to perform to forge a\n reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's\n attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful\n attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a\n weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1\n when it is) this flaw allows an off-path attacker to find several different domains all having the same\n hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the\n attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards a new request. By default, a maximum of 150\n pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that\n it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the\n Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a\n successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2021-84440e87ba\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:33\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:dnsmasq\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Fedora' >!< release) audit(AUDIT_OS_NOT, 'Fedora');\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^33([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Fedora 33', 'Fedora ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);\n\npkgs = [\n {'reference':'dnsmasq-2.83-1.fc33', 'release':'FC33', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:14", "description": "According to the versions of the dnsmasq packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network,who can create valid DNS replies,could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory,possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function,which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However,in some code execution paths,it is possible extract_name() gets passed an offset from the base buffer,thus reducing,in practice,the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-02-01T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP8 : dnsmasq (EulerOS-SA-2021-1138)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1138.NASL", "href": "https://www.tenable.com/plugins/nessus/145737", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145737);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS 2.0 SP8 : dnsmasq (EulerOS-SA-2021-1138)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in the forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in forward.c:reply_query(), which is the forwarded\n query that matches the reply, by only using a weak hash\n of the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n sort_rrset() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq before 2.83. A buffer\n overflow vulnerability was discovered in the way\n dnsmasq extract names from DNS packets before\n validating them with DNSSEC data. An attacker on the\n network,who can create valid DNS replies,could use this\n flaw to cause an overflow with arbitrary data in a\n heap-allocated memory,possibly executing code on the\n machine. The flaw is in the rfc1035.c:extract_name()\n function,which writes data to the memory pointed by\n name assuming MAXDNAME*2 bytes are available in the\n buffer. However,in some code execution paths,it is\n possible extract_name() gets passed an offset from the\n base buffer,thus reducing,in practice,the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies\n such as that they are accepted as valid, could use this\n flaw to cause a buffer overflow with arbitrary data in\n a heap memory segment, possibly executing code on the\n machine. The highest threat from this vulnerability is\n to data confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before version 2.83. When\n receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards\n a new request. By default, a maximum of 150 pending\n queries can be sent to upstream servers, so there can\n be at most 150 queries for the same name. This flaw\n allows an off-path attacker on the network to\n substantially reduce the number of attempts that it\n would have to perform to forge a reply and have it\n accepted by dnsmasq. This issue is mentioned in the\n 'Birthday Attacks' section of RFC5452. If chained with\n CVE-2020-25684, the attack complexity of a successful\n attack is reduced. The highest threat from this\n vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n get_rdata() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25683)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1138\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?54ff6184\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.79-7.h5.eulerosv2r8\",\n \"dnsmasq-utils-2.79-7.h5.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:27", "description": "This update for dnsmasq fixes the following issues :\n\n - bsc#1177077: Fixed DNSpooq vulnerabilities\n\n - CVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache Poisoning attacks.\n\n - CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed multiple potential Heap-based overflows when DNSSEC is enabled.\n\n - Retry query to other servers on receipt of SERVFAIL rcode (bsc#1176076)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.", "cvss3": {}, "published": "2021-01-25T00:00:00", "type": "nessus", "title": "openSUSE Security Update : dnsmasq (openSUSE-2021-129)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:dnsmasq", "p-cpe:/a:novell:opensuse:dnsmasq-debuginfo", "p-cpe:/a:novell:opensuse:dnsmasq-debugsource", "p-cpe:/a:novell:opensuse:dnsmasq-utils", "p-cpe:/a:novell:opensuse:dnsmasq-utils-debuginfo", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2021-129.NASL", "href": "https://www.tenable.com/plugins/nessus/145295", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-129.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145295);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"openSUSE Security Update : dnsmasq (openSUSE-2021-129)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for dnsmasq fixes the following issues :\n\n - bsc#1177077: Fixed DNSpooq vulnerabilities\n\n - CVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed\n multiple Cache Poisoning attacks.\n\n - CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,\n CVE-2020-25687: Fixed multiple potential Heap-based\n overflows when DNSSEC is enabled.\n\n - Retry query to other servers on receipt of SERVFAIL\n rcode (bsc#1176076)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1176076\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1177077\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"dnsmasq-2.78-lp151.5.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"dnsmasq-debuginfo-2.78-lp151.5.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"dnsmasq-debugsource-2.78-lp151.5.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"dnsmasq-utils-2.78-lp151.5.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"dnsmasq-utils-debuginfo-2.78-lp151.5.6.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq / dnsmasq-debuginfo / dnsmasq-debugsource / dnsmasq-utils / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:02", "description": "The version of dnsmasq installed on the remote host is prior to 2.83. It is, therefore, affected by multiple vulnerabilities:\n\n - Multiple remote buffer overflows in the DNSSEC implementation. (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687)\n\n - A UDP DNS cache poisoning vulnerability. (CVE-2020-25684)\n\n - Usage of a known weak hashing function. (CVE-2020-25685)\n\n - An issue handling multiple simultaneous DNS queries. (CVE-2020-25686)\n\n Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-19T00:00:00", "type": "nessus", "title": "dnsmasq < 2.83 Multiple Vulnerabilities (DNSPOOQ)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/a:thekelleys:dnsmasq"], "id": "DNSMASQ_2_83.NASL", "href": "https://www.tenable.com/plugins/nessus/145073", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145073);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"dnsmasq < 2.83 Multiple Vulnerabilities (DNSPOOQ)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote DNS / DHCP service is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of dnsmasq installed on the remote host is prior to 2.83. It is, therefore, affected by multiple\nvulnerabilities:\n\n - Multiple remote buffer overflows in the DNSSEC implementation. (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,\n CVE-2020-25687)\n\n - A UDP DNS cache poisoning vulnerability. (CVE-2020-25684)\n\n - Usage of a known weak hashing function. (CVE-2020-25685)\n\n - An issue handling multiple simultaneous DNS queries. (CVE-2020-25686)\n\n Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\n number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.thekelleys.org.uk/dnsmasq/CHANGELOG\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.jsof-tech.com/disclosures/dnspooq/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to dnsmasq 2.83 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:thekelleys:dnsmasq\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"DNS\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"dns_version.nasl\");\n script_require_keys(\"dns_server/version\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/dns\", 53);\n\n exit(0);\n}\n\ninclude('audit.inc');\n\napp_name = 'dnsmasq';\nport = get_kb_item('Services/udp/dns');\n\nif (!port)\n port = 53;\n\nif (report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\n# dnsmasq replies to BIND.VERSION\nversion = tolower(get_kb_item_or_exit('dns_server/version'));\ndisplay_version = version;\n\nif (version !~ \"dnsmasq-(v)?\")\n audit(AUDIT_NOT_LISTEN, app_name, port);\n\nversion = preg_replace(pattern:\"^dnsmasq-(v)?(.*)$\", replace:\"\\2\", string:version);\n\nif (version == '2')\n audit(AUDIT_VER_NOT_GRANULAR, app_name, port, display_version);\n\nfix = '2.83';\nif (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)\n audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version, 'udp');\n\nreport = '\\n' +\n '\\n Installed version : ' + display_version +\n '\\n Fixed version : dnsmasq-' + fix +\n '\\n';\n\nsecurity_report_v4(port:port, proto:'udp', severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:11:37", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0151 advisory.\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-19T00:00:00", "type": "nessus", "title": "RHEL 8 : dnsmasq (RHSA-2021:0151)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:rhel_aus:8.2", "cpe:/o:redhat:rhel_e4s:8.2", "cpe:/o:redhat:rhel_eus:8.2", "cpe:/o:redhat:rhel_tus:8.2", "p-cpe:/a:redhat:enterprise_linux:dnsmasq", "p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils"], "id": "REDHAT-RHSA-2021-0151.NASL", "href": "https://www.tenable.com/plugins/nessus/145077", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0151. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145077);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"RHSA\", value:\"2021:0151\");\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"RHEL 8 : dnsmasq (RHSA-2021:0151)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0151 advisory.\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled\n (CVE-2020-25682)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled\n (CVE-2020-25683)\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled\n (CVE-2020-25687)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25681\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25683\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25687\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0151\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1881875\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1882014\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1882018\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1890125\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1891568\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(122, 290, 326, 358);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '8.2')) audit(AUDIT_OS_NOT, 'Red Hat 8.2', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.2/x86_64/appstream/debug',\n 'content/aus/rhel8/8.2/x86_64/appstream/os',\n 'content/aus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.2/x86_64/baseos/debug',\n 'content/aus/rhel8/8.2/x86_64/baseos/os',\n 'content/aus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.2/ppc64le/sap/os',\n 'content/e4s/rhel8/8.2/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.2/x86_64/appstream/os',\n 'content/e4s/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.2/x86_64/baseos/os',\n 'content/e4s/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/sap/debug',\n 'content/e4s/rhel8/8.2/x86_64/sap/os',\n 'content/e4s/rhel8/8.2/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/appstream/debug',\n 'content/eus/rhel8/8.2/aarch64/appstream/os',\n 'content/eus/rhel8/8.2/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/baseos/debug',\n 'content/eus/rhel8/8.2/aarch64/baseos/os',\n 'content/eus/rhel8/8.2/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.2/aarch64/highavailability/os',\n 'content/eus/rhel8/8.2/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.2/aarch64/supplementary/os',\n 'content/eus/rhel8/8.2/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.2/ppc64le/appstream/os',\n 'content/eus/rhel8/8.2/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.2/ppc64le/baseos/os',\n 'content/eus/rhel8/8.2/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/sap/debug',\n 'content/eus/rhel8/8.2/ppc64le/sap/os',\n 'content/eus/rhel8/8.2/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/appstream/debug',\n 'content/eus/rhel8/8.2/s390x/appstream/os',\n 'content/eus/rhel8/8.2/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/baseos/debug',\n 'content/eus/rhel8/8.2/s390x/baseos/os',\n 'content/eus/rhel8/8.2/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/highavailability/debug',\n 'content/eus/rhel8/8.2/s390x/highavailability/os',\n 'content/eus/rhel8/8.2/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/sap/debug',\n 'content/eus/rhel8/8.2/s390x/sap/os',\n 'content/eus/rhel8/8.2/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/supplementary/debug',\n 'content/eus/rhel8/8.2/s390x/supplementary/os',\n 'content/eus/rhel8/8.2/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/appstream/debug',\n 'content/eus/rhel8/8.2/x86_64/appstream/os',\n 'content/eus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/baseos/debug',\n 'content/eus/rhel8/8.2/x86_64/baseos/os',\n 'content/eus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.2/x86_64/highavailability/os',\n 'content/eus/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/sap/debug',\n 'content/eus/rhel8/8.2/x86_64/sap/os',\n 'content/eus/rhel8/8.2/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.2/x86_64/supplementary/os',\n 'content/eus/rhel8/8.2/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/appstream/debug',\n 'content/tus/rhel8/8.2/x86_64/appstream/os',\n 'content/tus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/baseos/debug',\n 'content/tus/rhel8/8.2/x86_64/baseos/os',\n 'content/tus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.2/x86_64/highavailability/os',\n 'content/tus/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/nfv/debug',\n 'content/tus/rhel8/8.2/x86_64/nfv/os',\n 'content/tus/rhel8/8.2/x86_64/nfv/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/rt/debug',\n 'content/tus/rhel8/8.2/x86_64/rt/os',\n 'content/tus/rhel8/8.2/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'dnsmasq-2.79-11.el8_2.2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.79-11.el8_2.2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Advanced Update Support, Extended Update Support, Telco Extended Update Support or Update Services for SAP Solutions repositories.\\n' +\n 'Access to these repositories requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:28:01", "description": "According to the versions of the dnsmasq package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-04-15T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.9.1 : dnsmasq (EulerOS-SA-2021-1733)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "cpe:/o:huawei:euleros:uvp:2.9.1"], "id": "EULEROS_SA-2021-1733.NASL", "href": "https://www.tenable.com/plugins/nessus/148613", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148613);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS Virtualization 2.9.1 : dnsmasq (EulerOS-SA-2021-1733)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq package installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. This flaw allows a remote attacker, who can\n create valid DNS replies, to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in sort_rrset() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When receiving a query,\n dnsmasq does not check for an existing pending request\n for the same name and forwards a new request. By\n default, a maximum of 150 pending queries can be sent\n to upstream servers, so there can be at most 150\n queries for the same name. This flaw allows an off-path\n attacker on the network to substantially reduce the\n number of attempts that it would have to perform to\n forge a reply and have it accepted by dnsmasq. This\n issue is mentioned in the 'Birthday Attacks' section of\n RFC5452. If chained with CVE-2020-25684, the attack\n complexity of a successful attack is reduced. The\n highest threat from this vulnerability is to data\n integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in\n forward.c:reply_query(), which is the forwarded query\n that matches the reply, by only using a weak hash of\n the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in the\n forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. A remote attacker, who can create valid DNS\n replies, could use this flaw to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in get_rdata() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. A buffer overflow\n vulnerability was discovered in the way dnsmasq extract\n names from DNS packets before validating them with\n DNSSEC data. An attacker on the network, who can create\n valid DNS replies, could use this flaw to cause an\n overflow with arbitrary data in a heap-allocated\n memory, possibly executing code on the machine. The\n flaw is in the rfc1035.c:extract_name() function, which\n writes data to the memory pointed by name assuming\n MAXDNAME*2 bytes are available in the buffer. However,\n in some code execution paths, it is possible\n extract_name() gets passed an offset from the base\n buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in the way RRSets are sorted\n before validating with DNSSEC data. An attacker on the\n network, who can forge DNS replies such as that they\n are accepted as valid, could use this flaw to cause a\n buffer overflow with arbitrary data in a heap memory\n segment, possibly executing code on the machine. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1733\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6a9a7d34\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.9.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.9.1\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.9.1\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.81-1.h6.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:05:44", "description": "According to the versions of the dnsmasq packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-03-24T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : dnsmasq (EulerOS-SA-2021-1673)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1673.NASL", "href": "https://www.tenable.com/plugins/nessus/148050", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148050);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS 2.0 SP5 : dnsmasq (EulerOS-SA-2021-1673)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies\n such as that they are accepted as valid, could use this\n flaw to cause a buffer overflow with arbitrary data in\n a heap memory segment, possibly executing code on the\n machine. The highest threat from this vulnerability is\n to data confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer\n overflow vulnerability was discovered in the way\n dnsmasq extract names from DNS packets before\n validating them with DNSSEC data. An attacker on the\n network, who can create valid DNS replies, could use\n this flaw to cause an overflow with arbitrary data in a\n heap-allocated memory, possibly executing code on the\n machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by\n name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is\n possible extract_name() gets passed an offset from the\n base buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n get_rdata() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in the forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in forward.c:reply_query(), which is the forwarded\n query that matches the reply, by only using a weak hash\n of the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When\n receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards\n a new request. By default, a maximum of 150 pending\n queries can be sent to upstream servers, so there can\n be at most 150 queries for the same name. This flaw\n allows an off-path attacker on the network to\n substantially reduce the number of attempts that it\n would have to perform to forge a reply and have it\n accepted by dnsmasq. This issue is mentioned in the\n 'Birthday Attacks' section of RFC5452. If chained with\n CVE-2020-25684, the attack complexity of a successful\n attack is reduced. The highest threat from this\n vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n sort_rrset() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1673\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bded9d9e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.76-5.h7.eulerosv2r7\",\n \"dnsmasq-utils-2.76-5.h7.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:27", "description": "Simon Kelley reports :\n\nThere are broadly two sets of problems. The first is subtle errors in dnsmasq's protections against the chronic weakness of the DNS protocol to cache-poisoning attacks; the Birthday attack, Kaminsky, etc.[...]\n\nthe second set of errors is a good old fashioned buffer overflow in dnsmasq's DNSSEC code. If DNSSEC validation is enabled, an installation is at risk.", "cvss3": {}, "published": "2021-01-21T00:00:00", "type": "nessus", "title": "FreeBSD : dnsmasq -- DNS cache poisoning, and DNSSEC buffer overflow, vulnerabilities (5b5cf6e5-5b51-11eb-95ac-7f9491278677)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:dnsmasq", "p-cpe:/a:freebsd:freebsd:dnsmasq-devel", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_5B5CF6E55B5111EB95AC7F9491278677.NASL", "href": "https://www.tenable.com/plugins/nessus/145236", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145236);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"FreeBSD : dnsmasq -- DNS cache poisoning, and DNSSEC buffer overflow, vulnerabilities (5b5cf6e5-5b51-11eb-95ac-7f9491278677)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Simon Kelley reports :\n\nThere are broadly two sets of problems. The first is subtle errors in\ndnsmasq's protections against the chronic weakness of the DNS protocol\nto cache-poisoning attacks; the Birthday attack, Kaminsky, etc.[...]\n\nthe second set of errors is a good old fashioned buffer overflow in\ndnsmasq's DNSSEC code. If DNSSEC validation is enabled, an\ninstallation is at risk.\");\n # https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b6f14801\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.jsof-tech.com/disclosures/dnspooq/\");\n # https://vuxml.freebsd.org/freebsd/5b5cf6e5-5b51-11eb-95ac-7f9491278677.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?27a57b8d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:dnsmasq-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"dnsmasq<2.83\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"dnsmasq-devel<2.83\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:54", "description": "The remote NewStart CGSL host, running version MAIN 6.02, has dnsmasq packages installed that are affected by multiple vulnerabilities:\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap- allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-03-10T00:00:00", "type": "nessus", "title": "NewStart CGSL MAIN 6.02 : dnsmasq Multiple Vulnerabilities (NS-SA-2021-0091)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2021-0091_DNSMASQ.NASL", "href": "https://www.tenable.com/plugins/nessus/147341", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2021-0091. The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147341);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"NewStart CGSL MAIN 6.02 : dnsmasq Multiple Vulnerabilities (NS-SA-2021-0091)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 6.02, has dnsmasq packages installed that are affected by multiple\nvulnerabilities:\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS\n replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with\n arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from\n this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq\n extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who\n can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-\n allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from\n the base buffer, thus reducing, in practice, the number of available bytes that can be written in the\n buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as\n system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in the forward.c:reply_query() if the reply destination address/port is used by the pending\n forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query,\n substantially reducing the number of attempts an attacker on the network would have to perform to forge a\n reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's\n attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful\n attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a\n weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1\n when it is) this flaw allows an off-path attacker to find several different domains all having the same\n hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the\n attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards a new request. By default, a maximum of 150\n pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that\n it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the\n Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a\n successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2021-0091\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL dnsmasq packages. Note that updated packages may not be available yet. Please contact ZTE\nfor more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL MAIN 6.02\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 6.02');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nflag = 0;\n\npkgs = {\n 'CGSL MAIN 6.02': [\n 'dnsmasq-2.79-13.el8_3.1',\n 'dnsmasq-debuginfo-2.79-13.el8_3.1',\n 'dnsmasq-debugsource-2.79-13.el8_3.1',\n 'dnsmasq-utils-2.79-13.el8_3.1',\n 'dnsmasq-utils-debuginfo-2.79-13.el8_3.1'\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:28", "description": "This update for dnsmasq fixes the following issues :\n\n - bsc#1177077: Fixed DNSpooq vulnerabilities\n\n - CVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache Poisoning attacks.\n\n - CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed multiple potential Heap-based overflows when DNSSEC is enabled.\n\n - Retry query to other servers on receipt of SERVFAIL rcode (bsc#1176076)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.", "cvss3": {}, "published": "2021-01-25T00:00:00", "type": "nessus", "title": "openSUSE Security Update : dnsmasq (openSUSE-2021-124)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:dnsmasq", "p-cpe:/a:novell:opensuse:dnsmasq-debuginfo", "p-cpe:/a:novell:opensuse:dnsmasq-debugsource", "p-cpe:/a:novell:opensuse:dnsmasq-utils", "p-cpe:/a:novell:opensuse:dnsmasq-utils-debuginfo", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-124.NASL", "href": "https://www.tenable.com/plugins/nessus/145356", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-124.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145356);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"openSUSE Security Update : dnsmasq (openSUSE-2021-124)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for dnsmasq fixes the following issues :\n\n - bsc#1177077: Fixed DNSpooq vulnerabilities\n\n - CVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed\n multiple Cache Poisoning attacks.\n\n - CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,\n CVE-2020-25687: Fixed multiple potential Heap-based\n overflows when DNSSEC is enabled.\n\n - Retry query to other servers on receipt of SERVFAIL\n rcode (bsc#1176076)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1176076\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1177077\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"dnsmasq-2.78-lp152.7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"dnsmasq-debuginfo-2.78-lp152.7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"dnsmasq-debugsource-2.78-lp152.7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"dnsmasq-utils-2.78-lp152.7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"dnsmasq-utils-debuginfo-2.78-lp152.7.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq / dnsmasq-debuginfo / dnsmasq-debugsource / dnsmasq-utils / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:22:41", "description": "The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:0150 advisory.\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-29T00:00:00", "type": "nessus", "title": "CentOS 8 : dnsmasq (CESA-2021:0150)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:centos:centos:8", "p-cpe:/a:centos:centos:dnsmasq", "p-cpe:/a:centos:centos:dnsmasq-utils"], "id": "CENTOS8_RHSA-2021-0150.NASL", "href": "https://www.tenable.com/plugins/nessus/145698", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# Red Hat Security Advisory RHSA-2021:0150. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145698);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"RHSA\", value:\"2021:0150\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"CentOS 8 : dnsmasq (CESA-2021:0150)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2021:0150 advisory.\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled\n (CVE-2020-25682)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled\n (CVE-2020-25683)\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled\n (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0150\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:dnsmasq-utils\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nos_ver = pregmatch(pattern: \"CentOS(?: Stream)?(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif ('CentOS Stream' >< release) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS Stream ' + os_ver);\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\npkgs = [\n {'reference':'dnsmasq-2.79-13.el8_3.1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-2.79-13.el8_3.1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.79-13.el8_3.1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.79-13.el8_3.1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'CentOS-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:26:13", "description": "According to the versions of the dnsmasq packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-03-10T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.6.6 : dnsmasq (EulerOS-SA-2021-1469)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils", "cpe:/o:huawei:euleros:uvp:3.0.6.6"], "id": "EULEROS_SA-2021-1469.NASL", "href": "https://www.tenable.com/plugins/nessus/147517", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147517);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS Virtualization 3.0.6.6 : dnsmasq (EulerOS-SA-2021-1469)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in the way RRSets are sorted\n before validating with DNSSEC data. An attacker on the\n network, who can forge DNS replies such as that they\n are accepted as valid, could use this flaw to cause a\n buffer overflow with arbitrary data in a heap memory\n segment, possibly executing code on the machine. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq. A buffer overflow\n vulnerability was discovered in the way dnsmasq extract\n names from DNS packets before validating them with\n DNSSEC data. An attacker on the network, who can create\n valid DNS replies, could use this flaw to cause an\n overflow with arbitrary data in a heap-allocated\n memory, possibly executing code on the machine. The\n flaw is in the rfc1035.c:extract_name() function, which\n writes data to the memory pointed by name assuming\n MAXDNAME*2 bytes are available in the buffer. However,\n in some code execution paths, it is possible\n extract_name() gets passed an offset from the base\n buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. A remote attacker, who can create valid DNS\n replies, could use this flaw to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in get_rdata() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in the\n forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. This flaw allows a remote attacker, who can\n create valid DNS replies, to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in sort_rrset() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in\n forward.c:reply_query(), which is the forwarded query\n that matches the reply, by only using a weak hash of\n the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When receiving a query,\n dnsmasq does not check for an existing pending request\n for the same name and forwards a new request. By\n default, a maximum of 150 pending queries can be sent\n to upstream servers, so there can be at most 150\n queries for the same name. This flaw allows an off-path\n attacker on the network to substantially reduce the\n number of attempts that it would have to perform to\n forge a reply and have it accepted by dnsmasq. This\n issue is mentioned in the 'Birthday Attacks' section of\n RFC5452. If chained with CVE-2020-25684, the attack\n complexity of a successful attack is reduced. The\n highest threat from this vulnerability is to data\n integrity.(CVE-2020-25686)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1469\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4e587e6b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.6\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.6\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.76-5.h7.eulerosv2r7\",\n \"dnsmasq-utils-2.76-5.h7.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:33", "description": "According to the versions of the dnsmasq packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-03-10T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.2.6 : dnsmasq (EulerOS-SA-2021-1411)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils", "cpe:/o:huawei:euleros:uvp:3.0.2.6"], "id": "EULEROS_SA-2021-1411.NASL", "href": "https://www.tenable.com/plugins/nessus/147462", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147462);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS Virtualization 3.0.2.6 : dnsmasq (EulerOS-SA-2021-1411)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in the way RRSets are sorted\n before validating with DNSSEC data. An attacker on the\n network, who can forge DNS replies such as that they\n are accepted as valid, could use this flaw to cause a\n buffer overflow with arbitrary data in a heap memory\n segment, possibly executing code on the machine. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq. A buffer overflow\n vulnerability was discovered in the way dnsmasq extract\n names from DNS packets before validating them with\n DNSSEC data. An attacker on the network, who can create\n valid DNS replies, could use this flaw to cause an\n overflow with arbitrary data in a heap-allocated\n memory, possibly executing code on the machine. The\n flaw is in the rfc1035.c:extract_name() function, which\n writes data to the memory pointed by name assuming\n MAXDNAME*2 bytes are available in the buffer. However,\n in some code execution paths, it is possible\n extract_name() gets passed an offset from the base\n buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. A remote attacker, who can create valid DNS\n replies, could use this flaw to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in get_rdata() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in the\n forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. This flaw allows a remote attacker, who can\n create valid DNS replies, to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in sort_rrset() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in\n forward.c:reply_query(), which is the forwarded query\n that matches the reply, by only using a weak hash of\n the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When receiving a query,\n dnsmasq does not check for an existing pending request\n for the same name and forwards a new request. By\n default, a maximum of 150 pending queries can be sent\n to upstream servers, so there can be at most 150\n queries for the same name. This flaw allows an off-path\n attacker on the network to substantially reduce the\n number of attempts that it would have to perform to\n forge a reply and have it accepted by dnsmasq. This\n issue is mentioned in the 'Birthday Attacks' section of\n RFC5452. If chained with CVE-2020-25684, the attack\n complexity of a successful attack is reduced. The\n highest threat from this vulnerability is to data\n integrity.(CVE-2020-25686)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1411\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2728ad96\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.6\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.6\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.76-5.h7.eulerosv2r7\",\n \"dnsmasq-utils-2.76-5.h7.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:13", "description": "New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.", "cvss3": {}, "published": "2021-02-10T00:00:00", "type": "nessus", "title": "Slackware 14.0 / 14.1 / 14.2 / current : dnsmasq (SSA:2021-040-01)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:slackware:slackware_linux:dnsmasq", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:14.2"], "id": "SLACKWARE_SSA_2021-040-01.NASL", "href": "https://www.tenable.com/plugins/nessus/146369", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2021-040-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146369);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"SSA\", value:\"2021-040-01\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Slackware 14.0 / 14.1 / 14.2 / current : dnsmasq (SSA:2021-040-01)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Slackware host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2,\nand -current to fix security issues.\");\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2021&m=slackware-security.585069\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fb3c1958\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Slackware Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.0\", pkgname:\"dnsmasq\", pkgver:\"2.84\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"dnsmasq\", pkgver:\"2.84\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"dnsmasq\", pkgver:\"2.84\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"dnsmasq\", pkgver:\"2.84\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"dnsmasq\", pkgver:\"2.84\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"dnsmasq\", pkgver:\"2.84\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"dnsmasq\", pkgver:\"2.84\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"dnsmasq\", pkgver:\"2.84\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:22:50", "description": "The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-0150 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-19T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : dnsmasq (ELSA-2021-0150)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:dnsmasq", "p-cpe:/a:oracle:linux:dnsmasq-utils"], "id": "ORACLELINUX_ELSA-2021-0150.NASL", "href": "https://www.tenable.com/plugins/nessus/145086", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-0150.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145086);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Oracle Linux 8 : dnsmasq (ELSA-2021-0150)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2021-0150 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled\n (CVE-2020-25683)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled\n (CVE-2020-25687)\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled\n (CVE-2020-25682)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-0150.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dnsmasq-utils\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\npkgs = [\n {'reference':'dnsmasq-2.79-13.el8_3.1', 'cpu':'aarch64', 'release':'8'},\n {'reference':'dnsmasq-2.79-13.el8_3.1', 'cpu':'x86_64', 'release':'8'},\n {'reference':'dnsmasq-utils-2.79-13.el8_3.1', 'cpu':'aarch64', 'release':'8'},\n {'reference':'dnsmasq-utils-2.79-13.el8_3.1', 'cpu':'x86_64', 'release':'8'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n rpm_prefix = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['rpm_prefix'])) rpm_prefix = package_array['rpm_prefix'];\n if (reference && release) {\n if (rpm_prefix) {\n if (rpm_exists(release:release, rpm:rpm_prefix) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:07", "description": "The remote host is affected by the vulnerability described in GLSA-202101-17 (Dnsmasq: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Dnsmasq. Please review the references below for details.\n Impact :\n\n An attacker, by sending specially crafted DNS replies, could possibly execute arbitrary code with the privileges of the process, perform a cache poisoning attack or cause a Denial of Service condition.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {}, "published": "2021-01-25T00:00:00", "type": "nessus", "title": "GLSA-202101-17 : Dnsmasq: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:dnsmasq", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202101-17.NASL", "href": "https://www.tenable.com/plugins/nessus/145282", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202101-17.\n#\n# The advisory text is Copyright (C) 2001-2022 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(145282);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-25681\", \"CVE-2020-25682\", \"CVE-2020-25683\", \"CVE-2020-25684\", \"CVE-2020-25685\", \"CVE-2020-25686\", \"CVE-2020-25687\");\n script_xref(name:\"GLSA\", value:\"202101-17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"GLSA-202101-17 : Dnsmasq: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202101-17\n(Dnsmasq: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Dnsmasq. Please review\n the references below for details.\n \nImpact :\n\n An attacker, by sending specially crafted DNS replies, could possibly\n execute arbitrary code with the privileges of the process, perform a\n cache poisoning attack or cause a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202101-17\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Dnsmasq users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-dns/dnsmasq-2.83'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-dns/dnsmasq\", unaffected:make_list(\"ge 2.83\"), vulnerable:make_list(\"lt 2.83\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:08", "description": "An update of the dnsmasq package has been released.", "cvss3": {}, "published": "2021-01-26T00:00:00", "type": "nessus", "title": "Photon OS 2.0: Dnsmasq PHSA-2021-2.0-0312", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:dnsmasq", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2021-2_0-0312_DNSMASQ.NASL", "href": "https://www.tenable.com/plugins/nessus/145421", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-2.0-0312. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145421);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Photon OS 2.0: Dnsmasq PHSA-2021-2.0-0312\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the dnsmasq package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-312.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 2.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'dnsmasq-2.82-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'dnsmasq-utils-2.82-1.ph2')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:48", "description": "Moshe Kol and Shlomi Oberman of JSOF discovered several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server. They could result in denial of service, cache poisoning or the execution of arbitrary code.", "cvss3": {}, "published": "2021-02-05T00:00:00", "type": "nessus", "title": "Debian DSA-4844-1 : dnsmasq - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:dnsmasq", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DSA-4844.NASL", "href": "https://www.tenable.com/plugins/nessus/146242", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4844. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(146242);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-25681\", \"CVE-2020-25682\", \"CVE-2020-25683\", \"CVE-2020-25684\", \"CVE-2020-25685\", \"CVE-2020-25686\", \"CVE-2020-25687\");\n script_xref(name:\"DSA\", value:\"4844\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Debian DSA-4844-1 : dnsmasq - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Moshe Kol and Shlomi Oberman of JSOF discovered several\nvulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP\nserver. They could result in denial of service, cache poisoning or the\nexecution of arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/dnsmasq\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/dnsmasq\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2021/dsa-4844\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the dnsmasq packages.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 2.80-1+deb10u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"dnsmasq\", reference:\"2.80-1+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"dnsmasq-base\", reference:\"2.80-1+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"dnsmasq-base-lua\", reference:\"2.80-1+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"dnsmasq-utils\", reference:\"2.80-1+deb10u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:06", "description": "According to the versions of the dnsmasq packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-02-22T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP2 : dnsmasq (EulerOS-SA-2021-1288)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1288.NASL", "href": "https://www.tenable.com/plugins/nessus/146697", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146697);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS 2.0 SP2 : dnsmasq (EulerOS-SA-2021-1288)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies\n such as that they are accepted as valid, could use this\n flaw to cause a buffer overflow with arbitrary data in\n a heap memory segment, possibly executing code on the\n machine. The highest threat from this vulnerability is\n to data confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer\n overflow vulnerability was discovered in the way\n dnsmasq extract names from DNS packets before\n validating them with DNSSEC data. An attacker on the\n network, who can create valid DNS replies, could use\n this flaw to cause an overflow with arbitrary data in a\n heap-allocated memory, possibly executing code on the\n machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by\n name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is\n possible extract_name() gets passed an offset from the\n base buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n get_rdata() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in the forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in forward.c:reply_query(), which is the forwarded\n query that matches the reply, by only using a weak hash\n of the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When\n receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards\n a new request. By default, a maximum of 150 pending\n queries can be sent to upstream servers, so there can\n be at most 150 queries for the same name. This flaw\n allows an off-path attacker on the network to\n substantially reduce the number of attempts that it\n would have to perform to forge a reply and have it\n accepted by dnsmasq. This issue is mentioned in the\n 'Birthday Attacks' section of RFC5452. If chained with\n CVE-2020-25684, the attack complexity of a successful\n attack is reduced. The highest threat from this\n vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n sort_rrset() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1288\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d535ebc4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.76-2.2.h3\",\n \"dnsmasq-utils-2.76-2.2.h3\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:05", "description": "This update for dnsmasq fixes the following issues :\n\nbsc#1177077: Fixed DNSpooq vulnerabilities\n\nCVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache Poisoning attacks.\n\nCVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed multiple potential Heap-based overflows when DNSSEC is enabled.\n\nRetry query to other servers on receipt of SERVFAIL rcode (bsc#1176076)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-01-20T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : dnsmasq (SUSE-SU-2021:0162-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-07T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:dnsmasq", "p-cpe:/a:novell:suse_linux:dnsmasq-debuginfo", "p-cpe:/a:novell:suse_linux:dnsmasq-debugsource", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-0162-1.NASL", "href": "https://www.tenable.com/plugins/nessus/145199", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:0162-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145199);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"SUSE SLES15 Security Update : dnsmasq (SUSE-SU-2021:0162-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for dnsmasq fixes the following issues :\n\nbsc#1177077: Fixed DNSpooq vulnerabilities\n\nCVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache\nPoisoning attacks.\n\nCVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed\nmultiple potential Heap-based overflows when DNSSEC is enabled.\n\nRetry query to other servers on receipt of SERVFAIL rcode\n(bsc#1176076)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176076\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1177077\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25681/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25682/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25683/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25684/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25685/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25686/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25687/\");\n # https://www.suse.com/support/update/announcement/2021/suse-su-20210162-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?882d5276\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 15 :\n\nzypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-162=1\n\nSUSE Linux Enterprise Server 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-2021-162=1\n\nSUSE Linux Enterprise High Performance Computing 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2021-162=1\n\nSUSE Linux Enterprise High Performance Computing 15-ESPOS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2021-162=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"s390x\") audit(AUDIT_ARCH_NOT, \"s390x\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"dnsmasq-2.78-3.11.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"dnsmasq-debuginfo-2.78-3.11.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"dnsmasq-debugsource-2.78-3.11.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:22:51", "description": "This update for dnsmasq fixes the following issues :\n\nbsc#1177077: Fixed DNSpooq vulnerabilities\n\nCVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache Poisoning attacks.\n\nCVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed multiple potential Heap-based overflows when DNSSEC is enabled.\n\nRetry query to other servers on receipt of SERVFAIL rcode (bsc#1176076)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-01-20T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : dnsmasq (SUSE-SU-2021:0163-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:dnsmasq", "p-cpe:/a:novell:suse_linux:dnsmasq-debuginfo", "p-cpe:/a:novell:suse_linux:dnsmasq-debugsource", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-0163-1.NASL", "href": "https://www.tenable.com/plugins/nessus/145108", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:0163-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145108);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : dnsmasq (SUSE-SU-2021:0163-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for dnsmasq fixes the following issues :\n\nbsc#1177077: Fixed DNSpooq vulnerabilities\n\nCVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache\nPoisoning attacks.\n\nCVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed\nmultiple potential Heap-based overflows when DNSSEC is enabled.\n\nRetry query to other servers on receipt of SERVFAIL rcode\n(bsc#1176076)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176076\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1177077\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25681/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25682/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25683/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25684/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25685/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25686/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25687/\");\n # https://www.suse.com/support/update/announcement/2021/suse-su-20210163-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f0170268\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Basesystem 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-163=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2021-163=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP1/2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP1/2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"dnsmasq-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"dnsmasq-debuginfo-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"dnsmasq-debugsource-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"dnsmasq-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"dnsmasq-debuginfo-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"dnsmasq-debugsource-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"dnsmasq-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"dnsmasq-debuginfo-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"dnsmasq-debugsource-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"dnsmasq-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"dnsmasq-debuginfo-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"dnsmasq-debugsource-2.78-7.6.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:47", "description": "An update of the dnsmasq package has been released.", "cvss3": {}, "published": "2021-01-26T00:00:00", "type": "nessus", "title": "Photon OS 3.0: Dnsmasq PHSA-2021-3.0-0186", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:dnsmasq", "cpe:/o:vmware:photonos:3.0"], "id": "PHOTONOS_PHSA-2021-3_0-0186_DNSMASQ.NASL", "href": "https://www.tenable.com/plugins/nessus/145414", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-3.0-0186. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145414);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Photon OS 3.0: Dnsmasq PHSA-2021-3.0-0186\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the dnsmasq package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-3.0-186.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:3.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 3\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 3.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'dnsmasq-2.82-1.ph3')) flag++;\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'dnsmasq-utils-2.82-1.ph3')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:04:32", "description": "According to the versions of the dnsmasq packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-02-22T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP3 : dnsmasq (EulerOS-SA-2021-1374)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:huawei:euleros:2.0", "p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils"], "id": "EULEROS_SA-2021-1374.NASL", "href": "https://www.tenable.com/plugins/nessus/146735", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146735);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS 2.0 SP3 : dnsmasq (EulerOS-SA-2021-1374)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies\n such as that they are accepted as valid, could use this\n flaw to cause a buffer overflow with arbitrary data in\n a heap memory segment, possibly executing code on the\n machine. The highest threat from this vulnerability is\n to data confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer\n overflow vulnerability was discovered in the way\n dnsmasq extract names from DNS packets before\n validating them with DNSSEC data. An attacker on the\n network, who can create valid DNS replies, could use\n this flaw to cause an overflow with arbitrary data in a\n heap-allocated memory, possibly executing code on the\n machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by\n name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is\n possible extract_name() gets passed an offset from the\n base buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n get_rdata() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in the forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in forward.c:reply_query(), which is the forwarded\n query that matches the reply, by only using a weak hash\n of the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When\n receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards\n a new request. By default, a maximum of 150 pending\n queries can be sent to upstream servers, so there can\n be at most 150 queries for the same name. This flaw\n allows an off-path attacker on the network to\n substantially reduce the number of attempts that it\n would have to perform to forge a reply and have it\n accepted by dnsmasq. This issue is mentioned in the\n 'Birthday Attacks' section of RFC5452. If chained with\n CVE-2020-25684, the attack complexity of a successful\n attack is reduced. The highest threat from this\n vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n sort_rrset() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1374\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f777cedc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.76-2.2.h3\",\n \"dnsmasq-utils-2.76-2.2.h3\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:28:00", "description": "According to the versions of the dnsmasq package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-04-15T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.9.0 : dnsmasq (EulerOS-SA-2021-1758)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "cpe:/o:huawei:euleros:uvp:2.9.0"], "id": "EULEROS_SA-2021-1758.NASL", "href": "https://www.tenable.com/plugins/nessus/148581", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148581);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS Virtualization 2.9.0 : dnsmasq (EulerOS-SA-2021-1758)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq package installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. This flaw allows a remote attacker, who can\n create valid DNS replies, to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in sort_rrset() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When receiving a query,\n dnsmasq does not check for an existing pending request\n for the same name and forwards a new request. By\n default, a maximum of 150 pending queries can be sent\n to upstream servers, so there can be at most 150\n queries for the same name. This flaw allows an off-path\n attacker on the network to substantially reduce the\n number of attempts that it would have to perform to\n forge a reply and have it accepted by dnsmasq. This\n issue is mentioned in the 'Birthday Attacks' section of\n RFC5452. If chained with CVE-2020-25684, the attack\n complexity of a successful attack is reduced. The\n highest threat from this vulnerability is to data\n integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in\n forward.c:reply_query(), which is the forwarded query\n that matches the reply, by only using a weak hash of\n the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in the\n forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. A remote attacker, who can create valid DNS\n replies, could use this flaw to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in get_rdata() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. A buffer overflow\n vulnerability was discovered in the way dnsmasq extract\n names from DNS packets before validating them with\n DNSSEC data. An attacker on the network, who can create\n valid DNS replies, could use this flaw to cause an\n overflow with arbitrary data in a heap-allocated\n memory, possibly executing code on the machine. The\n flaw is in the rfc1035.c:extract_name() function, which\n writes data to the memory pointed by name assuming\n MAXDNAME*2 bytes are available in the buffer. However,\n in some code execution paths, it is possible\n extract_name() gets passed an offset from the base\n buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in the way RRSets are sorted\n before validating with DNSSEC data. An attacker on the\n network, who can forge DNS replies such as that they\n are accepted as valid, could use this flaw to cause a\n buffer overflow with arbitrary data in a heap memory\n segment, possibly executing code on the machine. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1758\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?465f8959\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.9.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.9.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.9.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.81-1.h6.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:28", "description": "According to the versions of the dnsmasq packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in the default configuration of dnsmasq, as shipped with Fedora and Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled.\n Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems.(CVE-2020-14312)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-03-04T00:00:00", "type": "nessus", "title": "EulerOS Virtualization for ARM 64 3.0.6.0 : dnsmasq (EulerOS-SA-2021-1551)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-14312", "CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils", "cpe:/o:huawei:euleros:uvp:3.0.6.0"], "id": "EULEROS_SA-2021-1551.NASL", "href": "https://www.tenable.com/plugins/nessus/147133", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147133);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-14312\",\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.6.0 : dnsmasq (EulerOS-SA-2021-1551)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - A flaw was found in the default configuration of\n dnsmasq, as shipped with Fedora and Red Hat Enterprise\n Linux, where it listens on any interface and accepts\n queries from addresses outside of its local subnet. In\n particular, the option `local-service` is not enabled.\n Running dnsmasq in this manner may inadvertently make\n it an open resolver accessible from any address on the\n internet. This flaw allows an attacker to conduct a\n Distributed Denial of Service (DDoS) against other\n systems.(CVE-2020-14312)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. This flaw allows a remote attacker, who can\n create valid DNS replies, to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in sort_rrset() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When receiving a query,\n dnsmasq does not check for an existing pending request\n for the same name and forwards a new request. By\n default, a maximum of 150 pending queries can be sent\n to upstream servers, so there can be at most 150\n queries for the same name. This flaw allows an off-path\n attacker on the network to substantially reduce the\n number of attempts that it would have to perform to\n forge a reply and have it accepted by dnsmasq. This\n issue is mentioned in the 'Birthday Attacks' section of\n RFC5452. If chained with CVE-2020-25684, the attack\n complexity of a successful attack is reduced. The\n highest threat from this vulnerability is to data\n integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. A remote attacker, who can create valid DNS\n replies, could use this flaw to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in get_rdata() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in the\n forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. A remote attacker, who can create valid DNS\n replies, could use this flaw to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in get_rdata() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. A buffer overflow\n vulnerability was discovered in the way dnsmasq extract\n names from DNS packets before validating them with\n DNSSEC data. An attacker on the network, who can create\n valid DNS replies, could use this flaw to cause an\n overflow with arbitrary data in a heap-allocated\n memory, possibly executing code on the machine. The\n flaw is in the rfc1035.c:extract_name() function, which\n writes data to the memory pointed by name assuming\n MAXDNAME*2 bytes are available in the buffer. However,\n in some code execution paths, it is possible\n extract_name() gets passed an offset from the base\n buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in the way RRSets are sorted\n before validating with DNSSEC data. An attacker on the\n network, who can forge DNS replies such as that they\n are accepted as valid, could use this flaw to cause a\n buffer overflow with arbitrary data in a heap memory\n segment, possibly executing code on the machine. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1551\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cc647336\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.79-7.h5.eulerosv2r8\",\n \"dnsmasq-utils-2.79-7.h5.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:02", "description": "The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4698-1 advisory.\n\n - A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to cause a denial of service (memory consumption) via vectors involving DHCP response creation.\n (CVE-2019-14834)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-19T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : Dnsmasq vulnerabilities (USN-4698-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14834", "CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.10", "p-cpe:/a:canonical:ubuntu_linux:dnsmasq", "p-cpe:/a:canonical:ubuntu_linux:dnsmasq-base", "p-cpe:/a:canonical:ubuntu_linux:dnsmasq-base-lua", "p-cpe:/a:canonical:ubuntu_linux:dnsmasq-utils"], "id": "UBUNTU_USN-4698-1.NASL", "href": "https://www.tenable.com/plugins/nessus/145078", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4698-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145078);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2019-14834\",\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"USN\", value:\"4698-1\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : Dnsmasq vulnerabilities (USN-4698-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by multiple\nvulnerabilities as referenced in the USN-4698-1 advisory.\n\n - A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to\n cause a denial of service (memory consumption) via vectors involving DHCP response creation.\n (CVE-2019-14834)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4698-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dnsmasq-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dnsmasq-base-lua\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dnsmasq-utils\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04|20\\.04|20\\.10)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04 / 20.04 / 20.10', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '16.04', 'pkgname': 'dnsmasq', 'pkgver': '2.75-1ubuntu0.16.04.7'},\n {'osver': '16.04', 'pkgname': 'dnsmasq-base', 'pkgver': '2.75-1ubuntu0.16.04.7'},\n {'osver': '16.04', 'pkgname': 'dnsmasq-utils', 'pkgver': '2.75-1ubuntu0.16.04.7'},\n {'osver': '18.04', 'pkgname': 'dnsmasq', 'pkgver': '2.79-1ubuntu0.2'},\n {'osver': '18.04', 'pkgname': 'dnsmasq-base', 'pkgver': '2.79-1ubuntu0.2'},\n {'osver': '18.04', 'pkgname': 'dnsmasq-base-lua', 'pkgver': '2.79-1ubuntu0.2'},\n {'osver': '18.04', 'pkgname': 'dnsmasq-utils', 'pkgver': '2.79-1ubuntu0.2'},\n {'osver': '20.04', 'pkgname': 'dnsmasq', 'pkgver': '2.80-1.1ubuntu1.2'},\n {'osver': '20.04', 'pkgname': 'dnsmasq-base', 'pkgver': '2.80-1.1ubuntu1.2'},\n {'osver': '20.04', 'pkgname': 'dnsmasq-base-lua', 'pkgver': '2.80-1.1ubuntu1.2'},\n {'osver': '20.04', 'pkgname': 'dnsmasq-utils', 'pkgver': '2.80-1.1ubuntu1.2'},\n {'osver': '20.10', 'pkgname': 'dnsmasq', 'pkgver': '2.82-1ubuntu1.1'},\n {'osver': '20.10', 'pkgname': 'dnsmasq-base', 'pkgver': '2.82-1ubuntu1.1'},\n {'osver': '20.10', 'pkgname': 'dnsmasq-base-lua', 'pkgver': '2.82-1ubuntu1.1'},\n {'osver': '20.10', 'pkgname': 'dnsmasq-utils', 'pkgver': '2.82-1ubuntu1.1'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-base / dnsmasq-base-lua / dnsmasq-utils');\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:29:48", "description": "The remote SUSE Linux SLES11 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:14603-1 advisory.\n\n - A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to cause a denial of service (memory consumption) via vectors involving DHCP response creation.\n (CVE-2019-14834)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap- allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-06-10T00:00:00", "type": "nessus", "title": "SUSE SLES11 Security Update : dnsmasq (SUSE-SU-2021:14603-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14834", "CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:dnsmasq", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_SU-2021-14603-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150612", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:14603-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150612);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\n \"CVE-2019-14834\",\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:14603-1\");\n script_xref(name:\"IAVA\", value:\"2020-A-0194-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"SUSE SLES11 Security Update : dnsmasq (SUSE-SU-2021:14603-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES11 host has a package installed that is affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:14603-1 advisory.\n\n - A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to\n cause a denial of service (memory consumption) via vectors involving DHCP response creation.\n (CVE-2019-14834)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS\n replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with\n arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from\n this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq\n extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who\n can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-\n allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from\n the base buffer, thus reducing, in practice, the number of available bytes that can be written in the\n buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as\n system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in the forward.c:reply_query() if the reply destination address/port is used by the pending\n forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query,\n substantially reducing the number of attempts an attacker on the network would have to perform to forge a\n reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's\n attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful\n attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a\n weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1\n when it is) this flaw allows an off-path attacker to find several different domains all having the same\n hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the\n attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards a new request. By default, a maximum of 150\n pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that\n it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the\n Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a\n successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1154849\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176076\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177077\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-January/008224.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bb2f7f83\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2019-14834\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25681\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25683\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25687\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES11', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\npkgs = [\n {'reference':'dnsmasq-2.78-0.17.15', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'dnsmasq-2.78-0.17.15', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n exists_check = NULL;\n rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release && exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n else if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "altlinux": [{"lastseen": "2023-05-07T11:34:18", "description": "Jan. 22, 2021 Mikhail Efremov 2.83-alt1\n \n \n - Use useradd -N instead of -n.\n - Updated to 2.83 (fixes: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,\n CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687).\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-22T00:00:00", "type": "altlinux", "title": "Security fix for the ALT Linux 10 package dnsmasq version 2.83-alt1", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-22T00:00:00", "id": "864D4BAD00FC35A95D316BFD81ABFD93", "href": "https://packages.altlinux.org/en/p10/srpms/dnsmasq/", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "gentoo": [{"lastseen": "2023-06-06T15:24:46", "description": "### Background\n\nDnsmasq is a lightweight and easily-configurable DNS forwarder and DHCP server. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Dnsmasq. Please review the references below for details. \n\n### Impact\n\nAn attacker, by sending specially crafted DNS replies, could possibly execute arbitrary code with the privileges of the process, perform a cache poisoning attack or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Dnsmasq users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-dns/dnsmasq-2.83\"", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-22T00:00:00", "type": "gentoo", "title": "Dnsmasq: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-22T00:00:00", "id": "GLSA-202101-17", "href": "https://security.gentoo.org/glsa/202101-17", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "fedora": [{"lastseen": "2023-06-06T15:26:41", "description": "Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-allocated addresses to appear in the DNS with names configured either in each host or in a central configuration file. Dnsmasq supports static and dynamic DHCP leases and BOOTP for network booting of diskless machines. ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-21T01:47:44", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: dnsmasq-2.83-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-21T01:47:44", "id": "FEDORA:5278930BDD92", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WYW3IR6APUSKOYKL5FT3ACTIHWHGQY32/", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2023-06-06T15:26:41", "description": "Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-allocated addresses to appear in the DNS with names configured either in each host or in a central configuration file. Dnsmasq supports static and dynamic DHCP leases and BOOTP for network booting of diskless machines. ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-20T01:34:26", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: dnsmasq-2.84-1.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-02-20T01:34:26", "id": "FEDORA:5AB7E30E25EB", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QGB7HL3OWHTLEPSMLDGOMXQKG3KM2QME/", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "redhat": [{"lastseen": "2023-08-04T12:27:58", "description": "The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.\n\nSecurity Fix(es):\n\n* dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n* dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\n* dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n* dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n* dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n* dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n* dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-19T12:36:50", "type": "redhat", "title": "(RHSA-2021:0151) Important: dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-19T13:05:07", "id": "RHSA-2021:0151", "href": "https://access.redhat.com/errata/RHSA-2021:0151", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2023-08-04T12:27:58", "description": "The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.\n\nSecurity Fix(es):\n\n* dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n* dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\n* dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n* dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n* dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n* dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n* dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-19T12:37:10", "type": "redhat", "title": "(RHSA-2021:0150) Important: dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-19T12:56:01", "id": "RHSA-2021:0150", "href": "https://access.redhat.com/errata/RHSA-2021:0150", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2023-08-04T12:27:58", "description": "The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.\n\nSecurity Fix(es):\n\n* dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n* dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\n* dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n* dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n* dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n* dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n* dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-19T12:36:51", "type": "redhat", "title": "(RHSA-2021:0152) Important: dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-19T12:56:03", "id": "RHSA-2021:0152", "href": "https://access.redhat.com/errata/RHSA-2021:0152", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2023-08-04T12:27:58", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* openshift: builder allows read and write of block devices (CVE-2021-20182)\n\n* kubernetes: Compromised node could escalate to cluster level privileges (CVE-2020-8559)\n\n* kubernetes: Docker config secrets leaked when file is malformed and loglevel >= 4 (CVE-2020-8564)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nThis advisory contains the container images for Red Hat OpenShift Container Platform 4.4.33. See the following advisory for the RPM packages for this release:\n\nhttps://access.redhat.com/errata/RHSA-2021:0282\n\nSpace precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:\n\nhttps://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-release-notes.html\n\nThis update fixes the following bugs among others:\n\n* Previously, there were broken connections to the API server that caused nodes to remain in the NotReady state. Detecting a broken network connection could take up to 15 minutes, during which the platform would remain unavailable. This is now fixed by setting the TCP_USER_TIMEOUT socket option, which controls how long transmitted data can be unacknowledged before the connection is forcefully closed. (BZ#1907939)\n\n* Previously, the quota controllers only worked on resources retrieved from the discovery endpoint, which might contain only a fraction of all resources due to a network error. This is now fixed by having the quota controllers periodically resync when new resources are observed from the discovery endpoint. (BZ#1910096)\n\n* Previously, the kuryr-controller was comparing security groups related to\nnetwork policies incorrectly. This caused security rules related to a\nnetwork policy to be recreated on every minor update of that network\npolicy. This bug has been fixed, allowing network policy updates that\nalready have existing rules to be preserved; network policy additions or\ndeletions are performed, if needed. (BZ#1910221)\n\nYou may download the oc tool and use it to inspect release image metadata as follows:\n\n(For x86_64 architecture)\n\n $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.4.33-x86_64\n\nThe image digest is sha256:a035dddd8a5e5c99484138951ef4aba021799b77eb9046f683a5466c23717738\n\n(For s390x architecture)\n\n $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.4.33-s390x\n\nThe image digest is sha256:ecc1e5aaf8496dd60a7703562fd6c65541172a56ae9008fce6db5d55e43371dc\n\n(For ppc64le architecture)\n\n $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.4.33-ppc64le\n\nThe image digest is sha256:567bf8031c80b08e3e56a57e1c8e5b0b01a2f922e01b36ee333f6ab5bff95495\n\nAll OpenShift Container Platform 4.4 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available\nat https://docs.openshift.com/container-platform/4.4/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-03T10:03:50", "type": "redhat", "title": "(RHSA-2021:0281) Important: OpenShift Container Platform 4.4.33 bug fix and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14382", "CVE-2020-2304", "CVE-2020-2305", "CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687", "CVE-2020-25694", "CVE-2020-25696", "CVE-2020-8559", "CVE-2020-8564", "CVE-2021-20182"], "modified": "2021-02-03T10:05:11", "id": "RHSA-2021:0281", "href": "https://access.redhat.com/errata/RHSA-2021:0281", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2023-09-10T12:37:28", "description": "OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.\n\nThis advisory contains the following OpenShift Virtualization 2.6.0 images:\n\nRHEL-8-CNV-2.6\n==============\nkubevirt-cpu-node-labeller-container-v2.6.0-5\nkubevirt-cpu-model-nfd-plugin-container-v2.6.0-5\nnode-maintenance-operator-container-v2.6.0-13\nkubevirt-vmware-container-v2.6.0-5\nvirtio-win-container-v2.6.0-5\nkubevirt-kvm-info-nfd-plugin-container-v2.6.0-5\nbridge-marker-container-v2.6.0-9\nkubevirt-template-validator-container-v2.6.0-9\nkubevirt-v2v-conversion-container-v2.6.0-6\nkubemacpool-container-v2.6.0-13\nkubevirt-ssp-operator-container-v2.6.0-40\nhyperconverged-cluster-webhook-container-v2.6.0-73\nhyperconverged-cluster-operator-container-v2.6.0-73\novs-cni-plugin-container-v2.6.0-10\ncnv-containernetworking-plugins-container-v2.6.0-10\novs-cni-marker-container-v2.6.0-10\ncluster-network-addons-operator-container-v2.6.0-16\nhostpath-provisioner-container-v2.6.0-11\nhostpath-provisioner-operator-container-v2.6.0-14\nvm-import-virtv2v-container-v2.6.0-21\nkubernetes-nmstate-handler-container-v2.6.0-19\nvm-import-controller-container-v2.6.0-21\nvm-import-operator-container-v2.6.0-21\nvirt-api-container-v2.6.0-111\nvirt-controller-container-v2.6.0-111\nvirt-handler-container-v2.6.0-111\nvirt-operator-container-v2.6.0-111\nvirt-launcher-container-v2.6.0-111\ncnv-must-gather-container-v2.6.0-54\nvirt-cdi-importer-container-v2.6.0-24\nvirt-cdi-cloner-container-v2.6.0-24\nvirt-cdi-controller-container-v2.6.0-24\nvirt-cdi-uploadserver-container-v2.6.0-24\nvirt-cdi-apiserver-container-v2.6.0-24\nvirt-cdi-uploadproxy-container-v2.6.0-24\nvirt-cdi-operator-container-v2.6.0-24\nhco-bundle-registry-container-v2.6.0-582\n\nSecurity Fix(es):\n\n* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)\n\n* golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference (CVE-2020-29652)\n\n* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\n* golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)\n\n* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)\n\n* jwt-go: access restriction bypass vulnerability (CVE-2020-26160)\n\n* golang-github-gorilla-websocket: integer overflow leads to denial of service (CVE-2020-27813)\n\n* golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)\n\n* containernetworking-cni: Arbitrary path injection via type field in CNI configuration (CVE-2021-20206)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-10T08:47:39", "type": "redhat", "title": "(RHSA-2021:0799) Moderate: OpenShift Virtualization 2.6.0 security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10103", "CVE-2018-10105", "CVE-2018-14461", "CVE-2018-14462", "CVE-2018-14463", "CVE-2018-14464", "CVE-2018-14465", "CVE-2018-14466", "CVE-2018-14467", "CVE-2018-14468", "CVE-2018-14469", "CVE-2018-14470", "CVE-2018-14879", "CVE-2018-14880", "CVE-2018-14881", "CVE-2018-14882", "CVE-2018-16227", "CVE-2018-16228", "CVE-2018-16229", "CVE-2018-16230", "CVE-2018-16300", "CVE-2018-16451", "CVE-2018-16452", "CVE-2018-20843", "CVE-2019-11068", "CVE-2019-13050", "CVE-2019-13627", "CVE-2019-14559", "CVE-2019-14889", "CVE-2019-15165", "CVE-2019-15166", "CVE-2019-15903", "CVE-2019-16168", "CVE-2019-16935", "CVE-2019-17450", "CVE-2019-18197", "CVE-2019-19221", "CVE-2019-19906", "CVE-2019-19956", "CVE-2019-20218", "CVE-2019-20387", "CVE-2019-20388", "CVE-2019-20454", "CVE-2019-20807", "CVE-2019-20907", "CVE-2019-20916", "CVE-2019-5018", "CVE-2019-8625", "CVE-2019-8710", "CVE-2019-8720", "CVE-2019-8743", "CVE-2019-8764", "CVE-2019-8766", "CVE-2019-8769", "CVE-2019-8771", "CVE-2019-8782", "CVE-2019-8783", "CVE-2019-8808", "CVE-2019-8811", "CVE-2019-8812", "CVE-2019-8813", "CVE-2019-8814", "CVE-2019-8815", "CVE-2019-8816", "CVE-2019-8819", "CVE-2019-8820", "CVE-2019-8823", "CVE-2019-8835", "CVE-2019-8844", "CVE-2019-8846", "CVE-2020-10018", "CVE-2020-10029", "CVE-2020-11793", "CVE-2020-12321", "CVE-2020-12400", "CVE-2020-12403", "CVE-2020-13630", "CVE-2020-13631", "CVE-2020-13632", "CVE-2020-14040", "CVE-2020-14351", "CVE-2020-14382", "CVE-2020-14391", "CVE-2020-14422", "CVE-2020-15503", "CVE-2020-15586", "CVE-2020-15999", "CVE-2020-16845", "CVE-2020-1730", "CVE-2020-1751", "CVE-2020-1752", "CVE-2020-1971", "CVE-2020-24659", "CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687", "CVE-2020-25705", "CVE-2020-26160", "CVE-2020-27813", "CVE-2020-28362", "CVE-2020-29652", "CVE-2020-29661", "CVE-2020-3862", "CVE-2020-3864", "CVE-2020-3865", "CVE-2020-3867", "CVE-2020-3868", "CVE-2020-3885", "CVE-2020-3894", "CVE-2020-3895", "CVE-2020-3897", "CVE-2020-3899", "CVE-2020-3900", "CVE-2020-3901", "CVE-2020-3902", "CVE-2020-6405", "CVE-2020-6829", "CVE-2020-7595", "CVE-2020-8492", "CVE-2020-8619", "CVE-2020-8622", "CVE-2020-8623", "CVE-2020-8624", "CVE-2020-9283", "CVE-2020-9327", "CVE-2020-9802", "CVE-2020-9803", "CVE-2020-9805", "CVE-2020-9806", "CVE-2020-9807", "CVE-2020-9843", "CVE-2020-9850", "CVE-2020-9862", "CVE-2020-9893", "CVE-2020-9894", "CVE-2020-9895", "CVE-2020-9915", "CVE-2020-9925", "CVE-2021-20206", "CVE-2021-3121", "CVE-2021-3156"], "modified": "2021-03-10T08:48:38", "id": "RHSA-2021:0799", "href": "https://access.redhat.com/errata/RHSA-2021:0799", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-10T12:37:28", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the container images for Red Hat OpenShift Container\nPlatform 4.7.0. See the following advisory for the RPM packages for this\nrelease:\n\nhttps://access.redhat.com/errata/RHSA-2020:5634\n\nSpace precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nYou may download the oc tool and use it to inspect release image metadata as follows:\n\n(For x86_64 architecture)\n\n $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.0-x86_64\n\nThe image digest is sha256:d74b1cfa81f8c9cc23336aee72d8ae9c9905e62c4874b071317a078c316f8a70\n\n(For s390x architecture)\n\n $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.0-s390x\n\nThe image digest is sha256:a68ca03d87496ddfea0ac26b82af77231583a58a7836b95de85efe5e390ad45d\n\n(For ppc64le architecture)\n\n $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.0-ppc64le\n\nThe image digest is sha256:bc7b04e038c8ff3a33b827f4ee19aa79b26e14c359a7dcc1ced9f3b58e5f1ac6\n\nAll OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor.\n\nSecurity Fix(es):\n\n* crewjam/saml: authentication bypass in saml authentication (CVE-2020-27846)\n\n* golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference (CVE-2020-29652)\n\n* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)\n\n* nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)\n\n* kubernetes: Secret leaks in kube-controller-manager when using vSphere Provider (CVE-2020-8563)\n\n* containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters (CVE-2020-10749)\n\n* heketi: gluster-block volume password details available in logs (CVE-2020-10763)\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\n* jwt-go: access restriction bypass vulnerability (CVE-2020-26160)\n\n* golang-github-gorilla-websocket: integer overflow leads to denial of service (CVE-2020-27813)\n\n* golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T14:49:26", "type": "redhat", "title": "(RHSA-2020:5633) Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10103", "CVE-2018-10105", "CVE-2018-14461", "CVE-2018-14462", "CVE-2018-14463", "CVE-2018-14464", "CVE-2018-14465", "CVE-2018-14466", "CVE-2018-14467", "CVE-2018-14468", "CVE-2018-14469", "CVE-2018-14470", "CVE-2018-14553", "CVE-2018-14879", "CVE-2018-14880", "CVE-2018-14881", "CVE-2018-14882", "CVE-2018-16227", "CVE-2018-16228", "CVE-2018-16229", "CVE-2018-16230", "CVE-2018-16300", "CVE-2018-16451", "CVE-2018-16452", "CVE-2018-20843", "CVE-2019-11068", "CVE-2019-12614", "CVE-2019-13050", "CVE-2019-13225", "CVE-2019-13627", "CVE-2019-14889", "CVE-2019-15165", "CVE-2019-15166", "CVE-2019-15903", "CVE-2019-15917", "CVE-2019-15925", "CVE-2019-16167", "CVE-2019-16168", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-16935", "CVE-2019-17450", "CVE-2019-17546", "CVE-2019-18197", "CVE-2019-18808", "CVE-2019-18809", "CVE-2019-19046", "CVE-2019-19056", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19068", "CVE-2019-19072", "CVE-2019-19221", "CVE-2019-19319", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19524", "CVE-2019-19533", "CVE-2019-19537", "CVE-2019-19543", "CVE-2019-19602", "CVE-2019-19767", "CVE-2019-19770", "CVE-2019-19906", "CVE-2019-19956", "CVE-2019-20054", "CVE-2019-20218", "CVE-2019-20386", "CVE-2019-20387", "CVE-2019-20388", "CVE-2019-20454", "CVE-2019-20636", "CVE-2019-20807", "CVE-2019-20812", "CVE-2019-20907", "CVE-2019-20916", "CVE-2019-3884", "CVE-2019-5018", "CVE-2019-6977", "CVE-2019-6978", "CVE-2019-8625", "CVE-2019-8710", "CVE-2019-8720", "CVE-2019-8743", "CVE-2019-8764", "CVE-2019-8766", "CVE-2019-8769", "CVE-2019-8771", "CVE-2019-8782", "CVE-2019-8783", "CVE-2019-8808", "CVE-2019-8811", "CVE-2019-8812", "CVE-2019-8813", "CVE-2019-8814", "CVE-2019-8815", "CVE-2019-8816", "CVE-2019-8819", "CVE-2019-8820", "CVE-2019-8823", "CVE-2019-8835", "CVE-2019-8844", "CVE-2019-8846", "CVE-2019-9455", "CVE-2019-9458", "CVE-2020-0305", "CVE-2020-0444", "CVE-2020-10018", "CVE-2020-10029", "CVE-2020-10732", "CVE-2020-10749", "CVE-2020-10751", "CVE-2020-10763", "CVE-2020-10773", "CVE-2020-10774", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-11668", "CVE-2020-11793", "CVE-2020-12465", "CVE-2020-12655", "CVE-2020-12659", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-13249", "CVE-2020-13630", "CVE-2020-13631", "CVE-2020-13632", "CVE-2020-14019", "CVE-2020-14040", "CVE-2020-14381", "CVE-2020-14382", "CVE-2020-14391", "CVE-2020-14422", "CVE-2020-15157", "CVE-2020-15503", "CVE-2020-15862", "CVE-2020-15999", "CVE-2020-16166", "CVE-2020-1716", "CVE-2020-1730", "CVE-2020-1751", "CVE-2020-1752", "CVE-2020-1971", "CVE-2020-24490", "CVE-2020-24659", "CVE-2020-25211", "CVE-2020-25641", "CVE-2020-25658", "CVE-2020-25661", "CVE-2020-25662", "CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687", "CVE-2020-25694", "CVE-2020-25696", "CVE-2020-2574", "CVE-2020-26160", "CVE-2020-2752", "CVE-2020-27813", "CVE-2020-27846", "CVE-2020-28362", "CVE-2020-2922", "CVE-2020-29652", "CVE-2020-3862", "CVE-2020-3864", "CVE-2020-3865", "CVE-2020-3867", "CVE-2020-3868", "CVE-2020-3885", "CVE-2020-3894", "CVE-2020-3895", "CVE-2020-3897", "CVE-2020-3898", "CVE-2020-3899", "CVE-2020-3900", "CVE-2020-3901", "CVE-2020-3902", "CVE-2020-6405", "CVE-2020-7595", "CVE-2020-7774", "CVE-2020-8177", "CVE-2020-8492", "CVE-2020-8563", "CVE-2020-8566", "CVE-2020-8619", "CVE-2020-8622", "CVE-2020-8623", "CVE-2020-8624", "CVE-2020-8647", "CVE-2020-8648", "CVE-2020-8649", "CVE-2020-9327", "CVE-2020-9802", "CVE-2020-9803", "CVE-2020-9805", "CVE-2020-9806", "CVE-2020-9807", "CVE-2020-9843", "CVE-2020-9850", "CVE-2020-9862", "CVE-2020-9893", "CVE-2020-9894", "CVE-2020-9895", "CVE-2020-9915", "CVE-2020-9925", "CVE-2021-2007", "CVE-2021-26539", "CVE-2021-3121"], "modified": "2021-03-02T01:56:45", "id": "RHSA-2020:5633", "href": "https://access.redhat.com/errata/RHSA-2020:5633", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "almalinux": [{"lastseen": "2021-08-11T15:48:34", "description": "The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.\n\nSecurity Fix(es):\n\n* dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n* dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\n* dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n* dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n* dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n* dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n* dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-19T12:37:10", "type": "almalinux", "title": "Important: dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-08-11T13:42:14", "id": "ALSA-2021:0150", "href": "https://errata.almalinux.org/8/ALSA-2021-0150.html", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "ics": [{"lastseen": "2023-09-10T01:18:29", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 8.1**\n * **ATTENTION: **Exploitable remotely/low skill level to exploit\n * **Vendor: **dnsmasq by Simon Kelley\n * **Equipment: **dnsmasq\n * **Vulnerabilities:** Heap-based Buffer Overflow, Insufficient Verification of Data Authenticity, Use of a Broken or Risky Cryptographic Algorithm\n\nCISA is aware of a public report, known as \u201cDNSpooq\u201d that details vulnerabilities found in dnsmasq, a prevalent lightweight DNS and DHCP server developed and maintained by Simon Kelley. CISA is issuing this advisory to provide early notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.\n\n## 2\\. UPDATE INFORMATION\n\nThis updated advisory is a follow-up to the original advisory titled ICSA-21-019-01 dnsmasq by Simon Kelley that was published January 19th, 2021, on the ICS webpage on us-cert.cisa.gov.\n\n## 3\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could result in cache poisoning, remote code execution, and a denial-of-service condition.\n\n## 4\\. TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\nThe following versions of dnsmasq DNS and DHCP server are affected:\n\n * Version 2.8.2 and prior\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [HEAP-BASED BUFFER OVERFLOW CWE-122](<https://cwe.mitre.org/data/definitions/122.html>)\n\nA heap-based buffer overflow was discovered in dnsmasq in the way it sorts RRSets before validating them with DNSSEC data. An attacker on the network could forge DNS replies to be accepted as valid to cause an overflow with arbitrary data in a heap-allocated memory, resulting in code execution.\n\n[CVE-2020-25681](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25681>) has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.2 [HEAP-BASED BUFFER OVERFLOW CWE-122](<https://cwe.mitre.org/data/definitions/122.html>)\n\nA buffer overflow vulnerability was discovered in the way dnsmasq extracts names from DNS packets before validating them with DNSSEC data. An attacker on the network could create valid DNS replies to cause an overflow with arbitrary data in a heap-allocated memory, resulting in code execution.\n\n[CVE-2020-25682](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25682>) has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.3 [HEAP-BASED BUFFER OVERFLOW CWE-122](<https://cwe.mitre.org/data/definitions/122.html>)\n\nA heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker could create valid DNS replies to cause an overflow in a heap-allocated memory and cause a crash in dnsmasq, resulting in a denial-of-service condition. \n\n[CVE-2020-25683](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25683>) has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H>)).\n\n#### 4.2.4 [INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345](<https://cwe.mitre.org/data/definitions/345.html>)\n\nA vulnerability exists when getting a reply from a forwarded query, where dnsmasq checks in forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. This could allow an attacker to perform a DNS cache poisoning attack. \n\n[CVE-2020-25684](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25684>) has been assigned to this vulnerability. A CVSS v3 base score of 4.0 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N>)).\n\n#### 4.2.5 [USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327](<https://cwe.mitre.org/data/definitions/327.html>)\n\nDue to a weak hash, an off-path attacker can find several different domains with the same hash, substantially reducing the number of attempts to forge a reply for acceptance by dnsmasq. This could allow an attacker to perform a DNS cache poisoning attack. \n\n[CVE-2020-25685](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25685>) has been assigned to this vulnerability. A CVSS v3 base score of 4.0 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N>)).\n\n#### 4.2.6 [INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345](<https://cwe.mitre.org/data/definitions/345.html>)\n\nA flaw was found when receiving a query, where dnsmasq does not check for an existing pending request for the same name and forwards a new request. This could allow an off-path attacker on the network to substantially reduce the number of attempts to forge a reply and have it accepted by dnsmasq. \n\n[CVE-2020-25686](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25686>) has been assigned to this vulnerability. A CVSS v3 base score of 4.0 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N>)).\n\n#### 4.2.7 [HEAP-BASED BUFFER OVERFLOW CWE-122](<https://cwe.mitre.org/data/definitions/122.html>)\n\nA heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker could create valid DNS replies and cause an overflow in heap-allocated memory, resulting in a denial-of-service condition. \n\n[CVE-2020-25687](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25687>) has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H>)).\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS: **Multiple\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** United Kingdom\n\n### 4.4 RESEARCHER\n\nMoshe Kol and Shlomi Oberman of JSOF reported these vulnerabilities to CISA.\n\n## 5\\. MITIGATIONS\n\nThe maintainers of dnsmasq recommend users update to the [latest version (2.83 or later)](<http://www.thekelleys.org.uk/dnsmasq/>) \nThe researcher has recommended the following mitigations and workarounds:\n\n * Implement Layer 2 security features such as DHCP snooping and IP source guard. \n * Configure dnsmasq not to listen to WAN interfaces if unnecessary. \n * Reduce the maximum queries allowed to be forwarded with the option --dns-forward-max=<queries>. The default is 150, but it could be lowered.\n * Temporarily disable DNSSEC validation option until you patch.\n * Use DNS-over-HTTPS or DNS-over-TLS to connect to upstream server.\n\n**\\--------- Begin Update A Part 1 of 1 ---------**\n\nAdditional vendors affected by the reported vulnerabilities have also released security advisories related to their affected products. Those advisories are as follows:\n\n * [Siemens](<https://cert-portal.siemens.com/productcert/pdf/ssa-646763.pdf>)\n\n**\\--------- End Update A Part 1 of 1 ---------**\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nCISA also recommends users take the following measures to protect themselves from social engineering attacks: \n\n * Do not click web links or open unsolicited attachments in email messages. \n * Refer to [Recognizing and Avoiding Email Scams](<https://us-cert.cisa.gov/sites/default/files/publications/emailscams_0905.pdf>) for more information on avoiding email scams. \n * Refer to [Avoiding Social Engineering and Phishing Attacks](<https://us-cert.cisa.gov/ncas/tips/ST04-014>) for more information on social engineering attacks.\n\nNo known public exploits specifically target these vulnerabilities. \n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-09T12:00:00", "type": "ics", "title": "dnsmasq by Simon Kelley (Update A)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-03-09T12:00:00", "id": "ICSA-21-019-01", "href": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-019-01", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "redhatcve": [{"lastseen": "2023-06-06T15:06:14", "description": "A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n#### Mitigation\n\nThe only known way to mitigate this flaw is to disable DNSSEC altogether, by removing the `--dnssec` command line option or the `dnssec` option from dnsmasq configuration file. \n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-19T12:18:18", "type": "redhatcve", "title": "CVE-2020-25681", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2023-04-06T07:32:33", "id": "RH:CVE-2020-25681", "href": "https://access.redhat.com/security/cve/cve-2020-25681", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "photon": [{"lastseen": "2021-11-03T20:57:22", "description": "An update of {'dnsmasq'} packages of Photon OS has been released.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-22T00:00:00", "type": "photon", "title": "Home\nDownload Photon OS\nUser Documentation\nFAQ\nSecurity Advisories\nRelated Information\n\nLightwave - PHSA-2021-2.0-0312", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-22T00:00:00", "id": "PHSA-2021-2.0-0312", "href": "https://github.com/vmware/photon/wiki/Security-Updates-2-312", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2023-06-06T15:56:07", "description": "Updates of ['dnsmasq'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-22T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2021-0312", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-22T00:00:00", "id": "PHSA-2021-0312", "href": "https://github.com/vmware/photon/wiki/Security-Update-2.0-312", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2023-06-06T16:16:44", "description": "Updates of ['dnsmasq', 'sudo'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-22T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2021-0356", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687", "CVE-2021-23240"], "modified": "2021-01-22T00:00:00", "id": "PHSA-2021-0356", "href": "https://github.com/vmware/photon/wiki/Security-Update-1.0-356", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2021-11-03T11:48:04", "description": "An update of {'dnsmasq', 'sudo'} packages of Photon OS has been released.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-22T00:00:00", "type": "photon", "title": "Home\nDownload Photon OS\nUser Documentation\nFAQ\nSecurity Advisories\nRelated Information\n\nLightwave - PHSA-2021-1.0-0356", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687", "CVE-2021-23240"], "modified": "2021-01-22T00:00:00", "id": "PHSA-2021-1.0-0356", "href": "https://github.com/vmware/photon/wiki/Security-Updates-1.0-356", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2022-05-12T18:44:51", "description": "Updates of ['sudo', 'nodejs', 'atftp', 'dnsmasq'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-22T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2021-0186", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687", "CVE-2020-6097", "CVE-2020-8265", "CVE-2021-23240"], "modified": "2021-01-22T00:00:00", "id": "PHSA-2021-0186", "href": "https://github.com/vmware/photon/wiki/Security-Update-3.0-186", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2023-09-26T09:58:58", "description": "Updates of ['dnsmasq', 'sudo', 'atftp', 'nodejs'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-22T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2021-3.0-0186", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687", "CVE-2020-6097", "CVE-2020-8265", "CVE-2021-23240"], "modified": "2021-01-22T00:00:00", "id": "PHSA-2021-3.0-0186", "href": "https://github.com/vmware/photon/wiki/Security-Update-3.0-186", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "oraclelinux": [{"lastseen": "2021-07-28T14:24:32", "description": "[2.79-13.1]\n- Fix various issues in dnssec validation (CVE-2020-25681)\n- Accept responses only on correct sockets (CVE-2020-25684)\n- Use strong verification on queries (CVE-2020-25685)", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-20T00:00:00", "type": "oraclelinux", "title": "dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-20T00:00:00", "id": "ELSA-2021-0150", "href": "http://linux.oracle.com/errata/ELSA-2021-0150.html", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "archlinux": [{"lastseen": "2023-06-06T15:10:14", "description": "Arch Linux Security Advisory ASA-202101-38\n==========================================\n\nSeverity: High\nDate : 2021-01-20\nCVE-ID : CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684\nCVE-2020-25685 CVE-2020-25686 CVE-2020-25687\nPackage : dnsmasq\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1470\n\nSummary\n=======\n\nThe package dnsmasq before version 2.83-1 is vulnerable to multiple\nissues including arbitrary code execution, denial of service and\ninsufficient validation.\n\nResolution\n==========\n\nUpgrade to 2.83-1.\n\n# pacman -Syu \"dnsmasq>=2.83-1\"\n\nThe problems have been fixed upstream in version 2.83.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2020-25681 (arbitrary code execution)\n\nA heap-based buffer overflow was discovered in dnsmasq before version\n2.83 in the way it sorts RRSets before validating them with DNSSEC\ndata. An attacker on the network, who can forge DNS replies such as\nthat they are accepted as valid, could use this flaw to cause an\noverflow with arbitrary data in a heap-allocated memory, possibly\nexecuting code on the machine.\n\n- CVE-2020-25682 (arbitrary code execution)\n\nA buffer overflow vulnerability was discovered in the way dnsmasq\nbefore version 2.83 extract names from DNS packets before validating\nthem with DNSSEC data. An attacker on the network, who can create valid\nDNS replies, could use this flaw to cause an overflow with arbitrary\ndata in a heap-allocated memory, possibly executing code on the\nmachine. The flaw is in rfc1035.c:extract_name() function, which writes\ndata to the memory pointed by name assuming MAXDNAME*2 bytes are\navailable in the buffer. However, in some code execution paths it is\npossible extract_name() gets passed an offset from the base buffer,\nthus reducing in practice the number of available bytes that can be\nwritten in the buffer.\n\n- CVE-2020-25683 (denial of service)\n\nA heap-based buffer overflow was discovered in dnsmasq before version\n2.83 when DNSSEC is enabled and before it validates the received DNS\nentries. A remote attacker, who can create valid DNS replies, could use\nthis flaw to cause an overflow in a heap-allocated memory. This flaw is\ncaused by the lack of length checks in rtc1035.c:extract_name(), which\ncould be abused to make the code execute memcpy() with a negative size\nin get_rdata() and cause a crash in dnsmasq, resulting in a Denial of\nService.\n\n- CVE-2020-25684 (insufficient validation)\n\nA flaw was found when getting a reply from a forwarded query, where\ndnsmasq before version 2.83 checks in forward.c:reply_query() if the\nreply destination address/port is used by the pending forwarded\nqueries. However, it does not use the address/port to retrieve the\nexact forwarded query, substantially reducing the number of attempts an\nattacker on the network would have to perform to forge a reply and get\nit accepted by dnsmasq. This issue contrasts with RFC5452, which\nspecifies a query's attributes that all must be used to match a reply.\nThis flaw allows an attacker to perform a DNS Cache Poisoning attack.\nIf chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity\nof a successful attack is reduced.\n\n- CVE-2020-25685 (insufficient validation)\n\nWhen getting a reply from a forwarded query, dnsmasq before version\n2.83 checks in forward.c:reply_query() which one is the forwarded query\nthat matches the reply by only using a weak hash of the query name. Due\nto the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1\nwhen it is) an off-path attacker can find several different domains all\nhaving the same hash, substantially reducing the number of attempts he\nwould have to perform to forge a reply and get it accepted by dnsmasq.\nThis is in contrast with RFC5452, which specifies that query name is\none of the attributes of a query that must be used to match a reply.\nThis flaw could be abused to perform a DNS Cache Poisoning attack. If\nchained with CVE-2020-25684 the attack complexity of a successful\nattack is reduced.\n\n- CVE-2020-25686 (insufficient validation)\n\nA flaw was found when receiving a query, where dnsmasq before version\n2.83 does not check for an existing pending request for the same name\nand forwards a new request. By default, a maximum of 150 pending\nqueries can be sent to upstream servers, so there can be at most 150\nqueries for the same name. This flaw allows an off-path attacker on the\nnetwork to substantially reduce the number of attempts that would have\nto be performed to forge a reply and have it accepted by dnsmasq. This\nissue is mentioned in the \"Birthday Attacks\" section of RFC5452. If\nchained with CVE-2020-25684, the attack complexity of a successful\nattack is reduced.\n\n- CVE-2020-25687 (denial of service)\n\nA heap-based buffer overflow was discovered in dnsmasq before version\n2.83 when DNSSEC is enabled and before it validates the received DNS\nentries. A remote attacker, who can create valid DNS replies, could use\nthis flaw to cause an overflow in a heap-allocated memory. This flaw is\ncaused by the lack of length checks in rtc1035.c:extract_name(), which\ncould be abused to make the code execute memcpy() with a negative size\nin sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of\nService.\n\nImpact\n======\n\nA remote attacker can execute arbitrary code, bypass validation and\ncrash the application through crafted DNS responses.\n\nReferences\n==========\n\nhttps://www.openwall.com/lists/oss-security/2021/01/19/1\nhttps://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html\nhttps://www.jsof-tech.com/disclosures/dnspooq/\nhttps://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a\nhttps://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=257ac0c5f7732cbc6aa96fdd3b06602234593aca\nhttps://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=2d765867c597db18be9d876c9c17e2c0fe1953cd\nhttps://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b\nhttps://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=15b60ddf935a531269bb8c68198de012a4967156\nhttps://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914\nhttps://security.archlinux.org/CVE-2020-25681\nhttps://security.archlinux.org/CVE-2020-25682\nhttps://security.archlinux.org/CVE-2020-25683\nhttps://security.archlinux.org/CVE-2020-25684\nhttps://security.archlinux.org/CVE-2020-25685\nhttps://security.archlinux.org/CVE-2020-25686\nhttps://security.archlinux.org/CVE-2020-25687", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-20T00:00:00", "type": "archlinux", "title": "[ASA-202101-38] dnsmasq: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-20T00:00:00", "id": "ASA-202101-38", "href": "https://security.archlinux.org/ASA-202101-38", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "openwrt": [{"lastseen": "2023-06-06T15:27:21", "description": "** Package upgrade ** \nYou need to update the affected dnsmasq package variant you're using with the command below. \n \n \n opkg update; opkg upgrade $(opkg list-installed dnsmasq* | cut -d' ' -f1)\n\nThen verify, that you're running fixed version. \n \n \n opkg list-installed dnsmasq*\n\nThe above command should output following: \n \n \n dnsmasq - 2.80-16.2 - for stable 19.07 release\n dnsmasq - 2.83-1 - for master/snapshot\n\nThe fix is contained in the following and later versions: \n\n * OpenWrt 19.07: 19.07.6 (fixed by [v19.07.6-0-gb12284a14ce9](<https://git.openwrt.org/8055e38794741313f8f4e6059f83c71dc0ab1d1c> \"https://git.openwrt.org/8055e38794741313f8f4e6059f83c71dc0ab1d1c\" ))\n\n * OpenWrt master: 2021-01-19 (fixed by [reboot-15541-ge87c0d934c54](<https://git.openwrt.org/e87c0d934c54d0b07caef1db3af170510acf3cfa> \"https://git.openwrt.org/e87c0d934c54d0b07caef1db3af170510acf3cfa\" ))\n\n\n** Configuration based mitigation ** \nIf upgrading is not possible, it is possible to mitigate some of the issues through configuration changes. Note that these settings may have unintended side-effects. \n\nMitigation for DNS cache poisoning is disabling of caching: \n \n \n uci set dhcp.@dnsmasq[0].cachesize='0'\n\nMitigation for DNSSEC vulnerability is disabling of DNSSEC feature: \n \n \n uci set dhcp.@dnsmasq[0].dnssec='0'\n\nReduce the maximum of queries allowed to be forwarded from 150 to 50: \n \n \n uci set dhcp.@dnsmasq[0].dnsforwardmax='50'\n\nThen you should commit changes and restart dnsmasq: \n \n \n uci commit dhcp\n /etc/init.d/dnsmasq restart\n *[DNS]: Domain Name System\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-19T12:00:54", "type": "openwrt", "title": "Security Advisory 2021-01-19-1 - dnsmasq multiple vulnerabilities (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-02-02T10:53:41", "id": "OPENWRT-SA-2021-01-19-1", "href": "https://openwrt.org/advisory/2021-01-19-1", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "mageia": [{"lastseen": "2023-06-06T16:28:09", "description": "Multiples vulnerabilities have been discovered in dnsmasq up to version 2.82: \\- subtle errors in dnsmasq's protections against cache-poisoning attacks (CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686) \\- buffer overflow in dnsmasq's DNSSEC code (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687) \n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-29T19:05:33", "type": "mageia", "title": "Updated dnsmasq packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-29T19:05:33", "id": "MGASA-2021-0059", "href": "https://advisories.mageia.org/MGASA-2021-0059.html", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "cert": [{"lastseen": "2023-06-20T17:13:14", "description": "### Overview\n\nDnsmasq is vulnerable to a set of memory corruption issues handling DNSSEC data and a second set of issues validating DNS responses. These vulnerabilities could allow an attacker to corrupt memory on a vulnerable system and perform cache poisoning attacks against a vulnerable environment.\n\nThese vulnerabilities are also tracked as [ICS-VU-668462](<https://us-cert.cisa.gov/ics/advisories/icsa-21-019-01>) and referred to as [DNSpooq](<https://www.jsof-tech.com/disclosures/dnspooq>).\n\n### Description\n\n[Dnsmasq](<http://www.thekelleys.org.uk/dnsmasq/doc.html>) is widely used open-source software that provides DNS forwarding and caching (and also a DHCP server). Dnsmasq is common in Internet-of-Things (IoT) and other embedded devices.\n\nJSOF reported multiple memory corruption vulnerabilities in dnsmasq due to boundary checking errors in DNSSEC handling code.\n\n * CVE-2020-25681: A heap-based buffer overflow in dnsmasq in the way it sorts RRSets before validating them with DNSSEC data in an unsolicited DNS response\n * CVE-2020-25682: A buffer overflow vulnerability in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data\n * CVE-2020-25683: A heap-based buffer overflow in get_rdata subroutine of dnsmasq, when DNSSEC is enabled and before it validates the received DNS entries\n * CVE-2020-25687: A heap-based buffer overflow in sort_rrset subroutine of dnsmasq, when DNSSEC is enabled and before it validates the received DNS entries\n\nJSOF also reported vulnerabilities in DNS response validation that can result in DNS cache poisoning.\n\n * CVE-2020-25684: Dnsmasq does not validate the combination of address/port and the query-id fields of DNS request when accepting DNS responses\n * CVE-2020-25685: Dnsmasq uses a weak hashing algorithm (CRC32) when compiled without DNSSEC to validate DNS responses\n * CVE-2020-25686: Dnsmasq does not check for an existing pending request for the same name and forwards a new request thus allowing an attacker to perform a [\"Birthday Attack\"](<https://tools.ietf.org/html/rfc5452#section-5>) scenario to forge replies and potentially poison the DNS cache\n\nNote: These cache poisoning scenarios and defenses are discussed in [IETF RFC5452](<https://tools.ietf.org/html/rfc5452>).\n\n### Impact\n\nThe memory corruption vulnerabilities can be triggered by a remote attacker using crafted DNS responses that can lead to denial of service, information exposure, and potentially remote code execution. The DNS response validation vulnerabilities allow an attacker to use unsolicited DNS responses to poison the DNS cache and redirect users to arbitrary sites.\n\n### Solution\n\n#### Apply updates\n\nThese vulnerabilities are addressed in [dnsmasq 2.83](<http://www.thekelleys.org.uk/dnsmasq/?C=M;O=D>). Users of IoT and embedded devices that use dnsmasq should contact their vendors.\n\n#### Follow security best-practices\n\nConsider the following security best-practices to protect DNS infrastructure:\n\n * Protect your DNS clients using [stateful-inspection firewall](<https://www.govinfo.gov/content/pkg/GOVPUB-C13-f52fdee3827e2f5d903fa8b4b66d4855/pdf/GOVPUB-C13-f52fdee3827e2f5d903fa8b4b66d4855.pdf>) that provide DNS security (e.g., stateful firewalls and NAT devices can block unsolicited DNS responses, DNS application layer inspection can prevent forwarding of anomalous DNS packets).\n * Provide secure DNS recursion service with features such as DNSSEC validation and the interim [0x20-bit encoding](<https://astrolavos.gatech.edu/articles/increased_dns_resistance.pdf>) as part of enterprise DNS services where applicable. \n * Prevent exposure of IoT devices and lightweight devices directly over the Internet to minimize abuse of DNS.\n * Implement a [Secure By Default](<https://en.wikipedia.org/wiki/Secure_by_default>) configuration suitable for your operating environment (e.g., disable caching on embedded IoT devices when an upstream caching resolver is available).\n\n### Acknowledgements\n\nMoshe Kol and Shlomi Oberman of [JSOF](<https://jsof-tech.com>) researched and reported these vulnerabilities. Simon Kelley (author of dnsmasq) worked closely with collaborative vendors (Cisco, Google, Pi-Hole, Redhat) to develop patches to address these security vulnerabilities. GitHub also supported these collaboration efforts providing support to use their [GitHub Security Advisory](<https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-github-security-advisories>) platform for collaboration.\n\nThis document was written by Vijay Sarvepalli.\n\n### Vendor Information\n\n434904\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n### Arista Networks Affected\n\nNotified: 2020-09-23 Updated: 2021-01-19\n\n**Statement Date: January 04, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Affected \n**CVE-2020-25685**| Affected \n**CVE-2020-25686**| Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Check Point __ Affected\n\nNotified: 2020-09-24 Updated: 2021-02-08\n\n**Statement Date: February 08, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Affected \n**CVE-2020-25685**| Affected \n**CVE-2020-25686**| Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nCheck Point Gaia is not vulnerable.\n\nCheck Point SMB is vulnerable to CVE-2020-25686, CVE-2020-25684, CVE-2020-25685 on internal (LAN, Wi-Fi) networks. And updated firware is available at https://supportcenter.checkpoint.com/\n\n### Cisco __ Affected\n\nNotified: 2020-09-24 Updated: 2021-01-19\n\n**Statement Date: January 02, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Affected \n**CVE-2020-25685**| Affected \n**CVE-2020-25686**| Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnsmasq-dns-2021-c5mrdf3g>\n\n### Cradlepoint __ Affected\n\nNotified: 2020-09-24 Updated: 2021-01-19\n\n**Statement Date: January 19, 2021**\n\n**CVE-2020-25681**| Affected \n---|--- \n**CVE-2020-25682**| Affected \n**CVE-2020-25683**| Affected \n**CVE-2020-25684**| Affected \n**CVE-2020-25685**| Affected \n**CVE-2020-25686**| Affected \n**CVE-2020-25687**| Affected \n \n#### Vendor Statement\n\nCradlepoint devices running NetCloud OS (NCOS) use dnsmasq for domain resolution, domain caching and DHCP services on the local LAN. DNS is a configurable service within NCOS therefore possible configuration states and potential impacts are listed.\n\n**Affected Components:** NCOS versions up to 7.21.20\n\n**Recommendations:** \nPromptly test and upgrade to the latest NCOS version upon release \nDisable (do not enable) DNSSEC until patched \nAuthenticate clients to the LAN using 802.1X \nDo not configure firewall to expose DNS services (UDP port 53) on WAN interfaces\n\n### Default Configuration: DNSSEC disabled\n\n**Cradlepoint Severity:** Low/Medium (dependent upon environment) \n**Potentially Impacted:** Local LAN users, clients and services \n**Potential attack path:** Local LAN \n**Associated CVEs:** CVE-2020-25684, CVE-2020-25685, CVE-2020-25686\n\n### Modified Configuration: DNSSEC enabled\n\n**Cradlepoint Severity:** Medium/High (dependent upon environment) \n**Potentially Impacted:** Device and sub-services; Local LAN users, clients and services \n**Potential attack path:** Local LAN \n**Associated CVEs:** CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687\n\n### Modified Configuration: DNS services exposed on WAN\n\n**Cradlepoint Severity:** Critical (dependent upon environment) \n**Potentially Impacted:** See above \n**Potential attack paths:** WAN interfaces; Local LAN \n**Associated CVEs:** See above\n\n#### References\n\n * <https://cradlepoint.com/about-us/trust/>\n\n### dd-wrt Affected\n\nNotified: 2020-09-24 Updated: 2021-01-19\n\n**Statement Date: January 11, 2021**\n\n**CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Affected \n**CVE-2020-25685**| Affected \n**CVE-2020-25686**| Affected \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Digi International __ Affected\n\nNotified: 2020-09-24 Updated: 2021-07-20\n\n**Statement Date: July 20, 2021**\n\n**CVE-2020-25681**| Affected \n---|--- \n**CVE-2020-25682**| Affected \n**CVE-2020-25683**| Affected \n**CVE-2020-25684**| Affected \n**CVE-2020-25685**| Affected \n**CVE-2020-25686**| Affected \n**CVE-2020-25687**| Affected \n \n#### Vendor Statement\n\nDigi International has patched this in firmware versions 21.2.X.X on all of our DAL based products, which includes: Digi AnywhereUSB Plus 2 Digi AnywhereUSB Plus 8 Digi AnywhereUSB Plus 8 WiFi Digi AnywhereUSB Plus 24 Digi AnywhereUSB Plus 24 WiFi Digi Connect EZ1 (mini) Digi Connect EZ2 Digi Connect EZ4 Digi ConnectIT4 Digi ConnectIT16 Digi ConnectIT48 Digi ConnectIT-Mini Digi EX15 Digi EX15-PR Digi EX15W Digi EX15W-PR Digi EX12 Digi EX12-PR Digi IX10 Digi IX14 Digi IX15 Digi IX20\n\nDigi IX20-PR Digi IX20W Digi IX20W-PR Digi LR54 Digi LR54W Digi TX54-Dual-Cellular Digi TX54-Dual-Cellular-PR Digi TX54-Dual-Wi-Fi Digi TX54-Single-Cellular Digi TX54-Single-Cellular-PR Digi TX64 Digi TX64-PR Digi TX64-Rail-Single-Cellular-PR Digi VirtualDAL Digi VirtualDAL-PR AcceleratedConcepts 6350-SR AcceleratedConcepts 6355-SR AcceleratedConcepts 6330-MX AcceleratedConcepts 6335-MX AcceleratedConcepts 6310-DX AcceleratedConcepts 5400-RM AcceleratedConcepts 5401-RM AcceleratedConcepts 6300-CX\n\n#### References\n\n * <https://ftp1.digi.com/support/firmware/dal/ConnectIT/ConnectIT_21.2.39.67_93001322.pdf>\n\n### Fujitsu __ Affected\n\nNotified: 2020-12-15 Updated: 2021-06-02\n\n**Statement Date: May 31, 2021**\n\n**CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Affected \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Affected \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nFujitsu is aware of the security vulnerabilities in software dnsmasq, also known as \"DNSpooq\". \n\nAffected products are Fujitsu INTELLIEDGE, Fujitsu ServerView Services for ISM, Fujitsu SOA SysRollout Service, Fujitsu SOA Profile Management Service, Fujitsu ISM (Core) and Fujitsu FlexFrame Orchestrator (SAP). Updates are pending or already available.\n\nThe Fujitsu PSIRT has updated the state for Fujitsu PSIRT-IS-2021-011900 on https://security.ts.fujitsu.com (Security Notices) accordingly.\n\nIn case of questions regarding this Fujitsu PSIRT Security Notice, please contact the Fujitsu PSIRT (Fujitsu-PSIRT@ts.fujitsu.com).\n\n### Juniper Networks __ Affected\n\nNotified: 2020-09-25 Updated: 2021-02-08\n\n**Statement Date: February 04, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Affected \n**CVE-2020-25685**| Affected \n**CVE-2020-25686**| Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nThe Juniper SIRT has investigated the impact of these vulnerabilities on Juniper products. Juniper Networks Junos OS, Space, and Contrail products are unaffected by these vulnerabilities.\n\nJuniper Mist Access Points (APs) ship with Dnsmasq and are only affected by the vulnerabilities via DNS (CVE-2020-25684, CVE-2020-25685, CVE-2020-25686) 4.0/CVSS:3.1.\n\nThe Wi-Fi mPIM (Mini-PIM) card for SRX branch devices ship with Dnsmasq enabled by default and is reachable from the network. Only vulnerabilities (CVE-2020-25684, CVE-2020-25685, CVE-2020-25686): 4.0/CVSS:3.1 via DNS affect this card.\n\nCode fixes are underway for Mist and the Mini-PIM card and customers should upgrade when those fixes are available.\n\nSecurity Incident Response Team Juniper Networks\n\n### NetBSD __ Affected\n\nNotified: 2020-09-28 Updated: 2023-06-20\n\n**Statement Date: June 19, 2023**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nNetBSD does not ship dnsmasq and is not affected.\n\npkgsrc users, on any platform, who have elected to install net/dnsmasq may be affected, and were informed back in 2020 through the pkg-vulnerabilities database.\n\n### NETGEAR __ Affected\n\nNotified: 2020-09-28 Updated: 2021-01-19\n\n**Statement Date: January 14, 2021**\n\n**CVE-2020-25681**| Affected \n---|--- \n**CVE-2020-25682**| Affected \n**CVE-2020-25683**| Affected \n**CVE-2020-25684**| Affected \n**CVE-2020-25685**| Affected \n**CVE-2020-25686**| Affected \n**CVE-2020-25687**| Affected \n \n#### Vendor Statement\n\nNetgear has released fixes for multiple Dnsmasq security vulnerabilities on the following product affected models: RAX40 running firmware versions prior to v1.0.3.88 RAX35 running firmware versions prior to v1.0.3.88\n\nNETGEAR strongly recommends that you download the latest firmware as soon as possible.\n\nYou and follow the steps mentioned in the security advisory to upgrade it to the latest version. https://kb.netgear.com/000062628/Security-Advisory-for-Multiple-Dnsmasq-Vulnerabilities-on-Some-Routers-PSV-2020-0463\n\nThanks, Rachit Dogra\n\n#### References\n\n * <https://kb.netgear.com/000062628/Security-Advisory-for-Multiple-Dnsmasq-Vulnerabilities-on-Some-Routers-PSV-2020-0463>\n\n### OpenWRT __ Affected\n\nNotified: 2020-09-28 Updated: 2021-01-19\n\n**Statement Date: January 19, 2021**\n\n**CVE-2020-25681**| Affected \n---|--- \n**Vendor Statement:** \nOnly package dnsmasq-full, which is not installed by default, is affected. \n**CVE-2020-25682**| Affected \n**Vendor Statement:** \nOnly package dnsmasq-full, which is not installed by default, is affected. \n**CVE-2020-25683**| Affected \n**Vendor Statement:** \nOnly package dnsmasq-full, which is not installed by default, is affected. \n**CVE-2020-25684**| Affected \n**CVE-2020-25685**| Affected \n**Vendor Statement:** \nOnly package dnsmasq-full, which is not installed by default, is affected. \n**CVE-2020-25686**| Affected \n**CVE-2020-25687**| Affected \n**Vendor Statement:** \nOnly package dnsmasq-full, which is not installed by default, is affected. \n \n#### Vendor Statement\n\nOpenWrt shipps the following variants: * dnsmasq * dnsmasq-dhcpv6 * dnsmasq-full\n\nOnly dnsmasq-full has support for DNSSEC and only this variant is affected by the problems in the DNSSEC code as far as we understand them. The other problems affect all variants. The default installation contains the dnsmasq package only, but the user can install the other variants.\n\n#### References\n\n * <https://openwrt.org/advisory/2021-01-19-1>\n\n### Pi-Hole Affected\n\nNotified: 2020-10-12 Updated: 2021-01-19\n\n**Statement Date: January 11, 2021**\n\n**CVE-2020-25681**| Affected \n---|--- \n**CVE-2020-25682**| Affected \n**CVE-2020-25683**| Affected \n**CVE-2020-25684**| Affected \n**CVE-2020-25685**| Affected \n**CVE-2020-25686**| Affected \n**CVE-2020-25687**| Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Red Hat __ Affected\n\nNotified: 2020-09-25 Updated: 2021-01-19\n\n**Statement Date: January 15, 2021**\n\n**CVE-2020-25681**| Affected \n---|--- \n**Vendor Statement:** \nThis issue affects the versions of dnsmasq as shipped with Red Hat Enterprise Linux 8, but it does not affect the versions of dnsmasq as shipped with Red Hat Enterprise Linux 5, 6, and 7 because they are not compiled with DNSSEC support. \n** References: **\n\n * <https://access.redhat.com/security/cve/cve-2020-25681> \n**CVE-2020-25682**| Affected \n**Vendor Statement:** \nThis issue affects the versions of dnsmasq as shipped with Red Hat Enterprise Linux 8, but it does not affect the versions of dnsmasq as shipped with Red Hat Enterprise Linux 5, 6, and 7 because they are not compiled with DNSSEC support. \n** References: **\n\n * <https://access.redhat.com/security/cve/cve-2020-25682> \n**CVE-2020-25683**| Affected \n**Vendor Statement:** \nThis issue affects the versions of dnsmasq as shipped with Red Hat Enterprise Linux 8, but it does not affect the versions of dnsmasq as shipped with Red Hat Enterprise Linux 5, 6, and 7 because they are not compiled with DNSSEC support. \n** References: **\n\n * <https://access.redhat.com/security/cve/cve-2020-25683> \n**CVE-2020-25684**| Affected \n**Vendor Statement:** \nThis issue affects the versions of dnsmasq as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8. Red Hat OpenStack Platform (RHOSP) and Red Hat Virtualization (RHV) are indirectly affected as well. \n** References: **\n\n * <https://access.redhat.com/security/cve/cve-2020-25684> \n**CVE-2020-25685**| Affected \n**Vendor Statement:** \nThis issue affects the versions of dnsmasq as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8. Red Hat Enterprise Linux 8 provides dnsmasq compiled with DNSSEC support, thus SHA-1 is used as a hash for query names instead of CRC32, making collisions harder to find. Red Hat OpenStack Platform (RHOSP) and Red Hat Virtualization (RHV) are indirectly affected as well. \n** References: **\n\n * <https://access.redhat.com/security/cve/cve-2020-25685> \n**CVE-2020-25686**| Affected \n**Vendor Statement:** \nThis issue affects the versions of dnsmasq as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8. Red Hat OpenStack Platform (RHOSP) and Red Hat Virtualization (RHV) are indirectly affected as well. \n** References: **\n\n * <https://access.redhat.com/security/cve/cve-2020-25686> \n**CVE-2020-25687**| Affected \n**Vendor Statement:** \nThis issue affects the versions of dnsmasq as shipped with Red Hat Enterprise Linux 8, but it does not affect the versions of dnsmasq as shipped with Red Hat Enterprise Linux 5, 6, and 7 because they are not compiled with DNSSEC support. \n** References: **\n\n * <https://access.redhat.com/security/cve/cve-2020-25687> \n \n#### References\n\n * <https://access.redhat.com/security/vulnerabilities/RHSB-2021-001>\n\n### Siemens __ Affected\n\nNotified: 2020-10-12 Updated: 2021-01-19\n\n**Statement Date: January 19, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Affected \n**CVE-2020-25685**| Affected \n**CVE-2020-25686**| Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nSiemens is aware of the security vulnerabilities in the Open Source component DNSmasq, as disclosed on 2021-01-19 and also known as \"DNSpooq\".\n\nThe impact to Siemens products is described in the Security Advisory SSA-646763, published on the Siemens ProductCERT page (https://www.siemens.com/cert/advisories).\n\nIn case of questions regarding this Security Advisory, please contact Siemens ProductCERT (productcert@siemens.com).\n\n#### References\n\n * <https://cert-portal.siemens.com/productcert/pdf/ssa-646763.pdf>\n\n### Sierra Wireless __ Affected\n\nNotified: 2020-09-28 Updated: 2021-01-20\n\n**Statement Date: January 20, 2021**\n\n**CVE-2020-25681**| Affected \n---|--- \n**CVE-2020-25682**| Affected \n**CVE-2020-25683**| Affected \n**CVE-2020-25684**| Affected \n**CVE-2020-25685**| Affected \n**CVE-2020-25686**| Affected \n**CVE-2020-25687**| Affected \n \n#### Vendor Statement\n\nSierra Wireless products are affected by some of these vulnerabilities. Please check the security bulletin linked in the reference section for details on your product. Sierra Wireless would like to thank JSOF for discovering and responsibly reporting these issues, as well as the efforts of CERT/CC for coordinating the response.\n\n#### References\n\n * <https://sierrawireless.com/security>\n * <https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2021-002/>\n\n### Sophos __ Affected\n\nNotified: 2020-09-28 Updated: 2021-01-20\n\n**Statement Date: January 20, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n** References: **\n\n * <https://community.sophos.com/b/security-blog/posts/advisory-resolved-multiple-dnsmasq-vulnerabilities-aka-dnspooq-in-sophos-red> \n**CVE-2020-25682**| Not Affected \n** References: **\n\n * <https://community.sophos.com/b/security-blog/posts/advisory-resolved-multiple-dnsmasq-vulnerabilities-aka-dnspooq-in-sophos-red> \n**CVE-2020-25683**| Not Affected \n** References: **\n\n * <https://community.sophos.com/b/security-blog/posts/advisory-resolved-multiple-dnsmasq-vulnerabilities-aka-dnspooq-in-sophos-red> \n**CVE-2020-25684**| Affected \n** References: **\n\n * <https://community.sophos.com/b/security-blog/posts/advisory-resolved-multiple-dnsmasq-vulnerabilities-aka-dnspooq-in-sophos-red> \n**CVE-2020-25685**| Affected \n** References: **\n\n * <https://community.sophos.com/b/security-blog/posts/advisory-resolved-multiple-dnsmasq-vulnerabilities-aka-dnspooq-in-sophos-red> \n**CVE-2020-25686**| Affected \n** References: **\n\n * <https://community.sophos.com/b/security-blog/posts/advisory-resolved-multiple-dnsmasq-vulnerabilities-aka-dnspooq-in-sophos-red> \n**CVE-2020-25687**| Not Affected \n** References: **\n\n * <https://community.sophos.com/b/security-blog/posts/advisory-resolved-multiple-dnsmasq-vulnerabilities-aka-dnspooq-in-sophos-red> \n \n#### Vendor Statement\n\nSophos Red devices are impacted. More information to follow\n\n#### References\n\n * <https://community.sophos.com/b/security-blog/posts/advisory-resolved-multiple-dnsmasq-vulnerabilities-aka-dnspooq-in-sophos-red>\n\n### SUSE Linux Affected\n\nNotified: 2020-09-28 Updated: 2021-01-19\n\n**Statement Date: January 14, 2021**\n\n**CVE-2020-25681**| Affected \n---|--- \n**CVE-2020-25682**| Affected \n**CVE-2020-25683**| Affected \n**CVE-2020-25684**| Affected \n**CVE-2020-25685**| Affected \n**CVE-2020-25686**| Affected \n**CVE-2020-25687**| Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Synology __ Affected\n\nNotified: 2020-09-28 Updated: 2021-01-22\n\n**Statement Date: January 21, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Affected \n**CVE-2020-25685**| Affected \n**CVE-2020-25686**| Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.synology.com/security/advisory/Synology_SA_21_01>\n\n### Technicolor __ Affected\n\nNotified: 2020-09-15 Updated: 2021-01-19\n\n**Statement Date: September 29, 2020**\n\n**CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Affected \n**Vendor Statement:** \nwe confirm that dnsmaq is affected by this vulnerability. however it is very unlikely to see real world exploitation of this vulnerability. It requires dnsmasq to be configured to do DNS requests to a rogue DNS that will serve these unrelated CNAME records. Devices are configured to request ISPs DNS. Moreover, these unrelated CNAME records are not valid and cannot be configured in a regular zone file; they require custom DNS server to be served. So, if you control a custom DNS and you can configure dnsmasq to request this DNS, no need to exploit a vulnerability to poison the cache, just answer what you want. Risk level : LOW CVSS v2 : 3.6 \n** References: **\n\n * <https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:P/E:POC/RL:U/RC:C)> \n**CVE-2020-25683**| Not Affected \n**Vendor Statement:** \nDNSSEC is not available on dnsmasq version we use \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n### Wind River Affected\n\nNotified: 2020-09-29 Updated: 2021-01-19\n\n**Statement Date: October 14, 2020**\n\n**CVE-2020-25681**| Affected \n---|--- \n**CVE-2020-25682**| Affected \n**CVE-2020-25683**| Affected \n**CVE-2020-25684**| Affected \n**CVE-2020-25685**| Affected \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Zephyr Project __ Affected\n\nNotified: 2020-09-29 Updated: 2021-01-19\n\n**Statement Date: October 27, 2020**\n\n**CVE-2020-25681**| Affected \n---|--- \n**CVE-2020-25682**| Affected \n**CVE-2020-25683**| Affected \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Affected \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nThe Zephyr project consists of a core RTOS, numerous additional modules, and an extensive suite of test builds and test cases. This vulnerability does not directly affect the RTOS, or the additional modules. However, some of the test cases use the dnsmasq tool, which could render these testing environment vulnerable. In these test cases, the dnsmasq tool is used strictly by RTOS+test code running within the QEMU simulation environment. Attacks on dnsmasq could result in test failures causing a denial of service to the project (due to incorrect failures).\n\n### A10 Networks __ Not Affected\n\nNotified: 2020-09-23 Updated: 2021-07-20\n\n**Statement Date: June 23, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nDnsmasq is not used in current and supported A10 Networks, Inc products.\n\n### Actiontec __ Not Affected\n\nNotified: 2020-09-23 Updated: 2021-01-19\n\n**Statement Date: January 19, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nwe do not use dnsmasq in our products\n\n### Afero Not Affected\n\nNotified: 2020-09-23 Updated: 2021-01-19\n\n**Statement Date: November 02, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Android Open Source Project __ Not Affected\n\nNotified: 2020-09-23 Updated: 2021-01-19\n\n**Statement Date: November 23, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWhile Android does have Dnsmasq code but it is used in a limited capacity and cannot be attacked or exploited in the manner described in this report.\n\n### AVM GmbH __ Not Affected\n\nNotified: 2020-09-23 Updated: 2021-01-19\n\n**Statement Date: October 30, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**Vendor Statement:** \nAVM does not use dnsmasq \n**CVE-2020-25687**| Not Affected \n**Vendor Statement:** \nAVM does not use dnsmasq \n \n#### Vendor Statement\n\nAVM doesn't use the dnsmasq project within its firmwares.\n\n### Barracuda Networks Not Affected\n\nNotified: 2020-09-23 Updated: 2021-01-19\n\n**Statement Date: January 19, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Blackberry QNX Not Affected\n\nNotified: 2020-09-23 Updated: 2021-01-19\n\n**Statement Date: October 30, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Brocade Communication Systems __ Not Affected\n\nNotified: 2020-09-24 Updated: 2021-01-19\n\n**Statement Date: November 25, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nNo Brocade Fibre Channel Products from Broadcom are currently known to be affected by these vulnerabilities.\n\n### eCosCentric __ Not Affected\n\nNotified: 2020-09-24 Updated: 2021-01-19\n\n**Statement Date: November 25, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nDo not use/supply Dnsmasq\n\n### eero __ Not Affected\n\nNotified: 2020-09-24 Updated: 2021-01-19\n\n**Statement Date: January 15, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\neero products do not use the affected functionality of the affected software products, and so are unaffected by these vulnerabilities.\n\n### Espressif Systems __ Not Affected\n\nNotified: 2020-09-24 Updated: 2021-01-20\n\n**Statement Date: January 20, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nEspressif doesn't use dnsmasq in any product SDKs or other published software, so is not affected.\n\n### F5 Networks __ Not Affected\n\nNotified: 2020-09-24 Updated: 2021-01-19\n\n**Statement Date: December 05, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**Vendor Statement:** \nThe package dnsmasq and/or associated binaries are not installed on F5 products, therefore they are not affected by these vulnerabilities. \n**CVE-2020-25682**| Not Affected \n**Vendor Statement:** \nThe package dnsmasq and/or associated binaries are not installed on F5 products, therefore they are not affected by these vulnerabilities. \n**CVE-2020-25683**| Not Affected \n**Vendor Statement:** \nThe package dnsmasq and/or associated binaries are not installed on F5 products, therefore they are not affected by these vulnerabilities. \n**CVE-2020-25684**| Not Affected \n**Vendor Statement:** \nThe package dnsmasq and/or associated binaries are not installed on F5 products, therefore they are not affected by these vulnerabilities. \n**CVE-2020-25685**| Not Affected \n**Vendor Statement:** \nThe package dnsmasq and/or associated binaries are not installed on F5 products, therefore they are not affected by these vulnerabilities. \n**CVE-2020-25686**| Not Affected \n**Vendor Statement:** \nThe package dnsmasq and/or associated binaries are not installed on F5 products, therefore they are not affected by these vulnerabilities. \n**CVE-2020-25687**| Not Affected \n**Vendor Statement:** \nThe package dnsmasq and/or associated binaries are not installed on F5 products, therefore they are not affected by these vulnerabilities. \n \n#### Vendor Statement\n\nThe package dnsmasq and/or associated binaries are not installed on F5 products, therefore they are not affected by these vulnerabilities.\n\n### FreeBSD __ Not Affected\n\nNotified: 2020-09-24 Updated: 2021-01-19\n\n**Statement Date: September 24, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nFreeBSD does not ship with dnsmasq as part of the base system. dnsmasq is available as part of the FreeBSD ports/pkg system, but the responsibility for analysis of risk lies with the administrator that chooses to install and configure dnsmasq.\n\n### F-Secure Corporation __ Not Affected\n\nNotified: 2020-09-24 Updated: 2021-10-06\n\n**Statement Date: June 24, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nNot Affected.\n\n### Google Not Affected\n\nNotified: 2020-09-24 Updated: 2021-01-19\n\n**Statement Date: December 07, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### HCC Embedded Not Affected\n\nNotified: 2020-09-24 Updated: 2021-01-19\n\n**Statement Date: November 26, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Infoblox Not Affected\n\nNotified: 2020-09-25 Updated: 2021-01-19\n\n**Statement Date: October 16, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Intel Not Affected\n\nNotified: 2020-09-25 Updated: 2021-01-19\n\n**Statement Date: January 19, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### LANCOM Systems GmbH __ Not Affected\n\nNotified: 2020-09-25 Updated: 2021-01-19\n\n**Statement Date: January 14, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nLANCOM Systems products are not affected by these vulnerabilities.\n\n### lwIP __ Not Affected\n\nNotified: 2020-09-25 Updated: 2021-01-19\n\n**Statement Date: December 04, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nlwIP does not use dnsmasq code. We've had similar bugs like 1 and 2 here in the past (with their own CVE), but these have been fixed quite a while ago.\n\n### Mbed TLS Not Affected\n\nNotified: 2020-09-23 Updated: 2021-01-19\n\n**Statement Date: September 24, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### McAfee Not Affected\n\nNotified: 2020-09-28 Updated: 2021-06-02\n\n**Statement Date: May 17, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### MikroTik __ Not Affected\n\nNotified: 2020-09-28 Updated: 2021-01-19\n\n**Statement Date: September 29, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**Vendor Statement:** \nDnsmasq not used in MikroTik software \n**CVE-2020-25682**| Not Affected \n**Vendor Statement:** \nDnsmasq not used in MikroTik software \n**CVE-2020-25683**| Not Affected \n**Vendor Statement:** \nDnsmasq not used in MikroTik software \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Not Affected \n**Vendor Statement:** \nDnsmasq not used in MikroTik software \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nDnsmasq not used in MikroTik software\n\n### Miredo __ Not Affected\n\nNotified: 2020-09-28 Updated: 2021-01-19\n\n**Statement Date: January 19, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\ndnsmasq is not used.\n\n### netsnmp Not Affected\n\nNotified: 2020-09-28 Updated: 2021-01-19\n\n**Statement Date: October 30, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Paessler Not Affected\n\nNotified: 2020-09-28 Updated: 2022-11-21\n\n**Statement Date: March 28, 2022**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Peplink Not Affected\n\nNotified: 2020-09-28 Updated: 2021-10-06\n\n**Statement Date: September 16, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Pulse Secure Not Affected\n\nNotified: 2020-09-28 Updated: 2021-02-11\n\n**Statement Date: February 10, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Rockwell Automation Not Affected\n\nNotified: 2020-09-28 Updated: 2021-01-19\n\n**Statement Date: November 30, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Treck __ Not Affected\n\nNotified: 2020-09-29 Updated: 2021-06-02\n\n**Statement Date: April 25, 2021**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nTreck does not use Dnsmasq.\n\n### VMware Not Affected\n\nNotified: 2020-09-29 Updated: 2021-01-19\n\n**Statement Date: November 03, 2020**\n\n**CVE-2020-25681**| Not Affected \n---|--- \n**CVE-2020-25682**| Not Affected \n**CVE-2020-25683**| Not Affected \n**CVE-2020-25684**| Not Affected \n**CVE-2020-25685**| Not Affected \n**CVE-2020-25686**| Not Affected \n**CVE-2020-25687**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Ceragon Networks Inc __ Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19\n\n**Statement Date: January 18, 2021**\n\n**CVE-2020-25681**| Unknown \n---|--- \n**Vendor Statement:** \nnot relevant \n**CVE-2020-25682**| Unknown \n**Vendor Statement:** \nnot relevant \n**CVE-2020-25683**| Unknown \n**Vendor Statement:** \nnot relevant \n**CVE-2020-25684**| Unknown \n**Vendor Statement:** \nnot relevant \n**CVE-2020-25685**| Unknown \n**Vendor Statement:** \nnot relevant \n**CVE-2020-25686**| Unknown \n**Vendor Statement:** \nnot relevant \n**CVE-2020-25687**| Unknown \n**Vendor Statement:** \nnot relevant \n \n### D-Link Systems Inc. __ Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19\n\n**Statement Date: September 30, 2020**\n\n**CVE-2020-25681**| Unknown \n---|--- \n**Vendor Statement:** \nD-Link has been informed that DNSmasq, a popular caching DNS server and DHCP server, is vulnerable to DNS cache poisoning attacks. We have promptly started our investigation to determine whether D-Link routers are affected, and we will provide updates as soon as we have more information. D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures. Please check the D-Link website for updates. \n** References: **\n\n * security@dlink.com \n**CVE-2020-25682**| Unknown \n**Vendor Statement:** \nD-Link has been informed that DNSmasq, a popular caching DNS server and DHCP server, is vulnerable to DNS cache poisoning attacks. We have promptly started our investigation to determine whether D-Link routers are affected, and we will provide updates as soon as we have more information. D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures. Please check the D-Link website for updates. \n** References: **\n\n * security@dlink.com \n**CVE-2020-25683**| Unknown \n**Vendor Statement:** \nD-Link has been informed that DNSmasq, a popular caching DNS server and DHCP server, is vulnerable to DNS cache poisoning attacks. We have promptly started our investigation to determine whether D-Link routers are affected, and we will provide updates as soon as we have more information. D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures. Please check the D-Link website for updates. \n** References: **\n\n * security@dlink.com \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**Vendor Statement:** \nD-Link has been informed that DNSmasq, a popular caching DNS server and DHCP server, is vulnerable to DNS cache poisoning attacks. We have promptly started our investigation to determine whether D-Link routers are affected, and we will provide updates as soon as we have more information. D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures. Please check the D-Link website for updates. \n** References: **\n\n * security@dlink.com \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nD-Link has been informed that DNSmasq, a popular caching DNS server and DHCP server, is vulnerable to DNS cache poisoning attacks. We have promptly started our investigation to determine whether D-Link routers are affected, and we will provide updates as soon as we have more information.\n\nD-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures. Please check the D-Link website for updates.\n\n#### References\n\n * security@dlink.com\n\n### IBM Corporation (zseries) __ Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19\n\n**Statement Date: September 29, 2020**\n\n**CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nAs a best practice for IBM Z, IBM strongly recommends that clients obtain access to the IBM Z and LinuxONE Security Portal and subscribe to the Security Portal\u2019s automatic notification process to get access to the latest service information on security and system integrity related APARs for z/OS and z/VM.\n\n### ACCESS Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Actelis Networks Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ADATA Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ADTRAN Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Aerohive Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### AhnLab Inc Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### AirWatch Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Akamai Technologies Inc. Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Alcatel-Lucent Enterprise Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Allied Telesis Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Alpine Linux Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Altran Intelligent Systems Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Amazon Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ANTlabs Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Apple Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Arch Linux Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ARRIS Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Aruba Networks Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Aspera Inc. Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ASUSTeK Computer Inc. Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Atheros Communications Inc Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### AT&T Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Avaya Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Belden Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Belkin Inc. Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Bell Canada Enterprises Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### BlackBerry Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### BlueCat Networks Inc. Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Blue Coat Systems Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Blunk Microsystems Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### BoringSSL Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Broadcom Unknown\n\nNotified: 2020-09-23 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Buffalo Technology Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### BullGuard Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Cambium Networks Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### CA Technologies Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### CERT-UBIK Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Cesanta Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Cirpack Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### CMX Systems Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Comcast Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Commscope Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Contiki OS Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Cricket Wireless Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Cypress Semiconductor Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### CZ.NIC Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Debian GNU/Linux Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Dell Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Dell EMC Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Dell SecureWorks Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Deutsche Telekom Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Devicescape Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Diebold Election Systems Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### dnsmasq Unknown\n\nNotified: 2020-09-18 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### EfficientIP Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ENEA Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Ericsson Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### European Registry for Internet Domains Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Express Logic Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Extreme Networks Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Fastly Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Fedora Project Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### FNet Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Force10 Networks Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Fortinet Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Foundry Brocade Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### FreeRTOS Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Geexbox Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Gentoo Linux Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### GFI Software Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### GNU adns Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### GNU glibc Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Grandstream Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Green Hills Software Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Hewlett Packard Enterprise Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Hitachi Unknown\n\nNotified: 2020-09-24 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Hitron Unknown\n\nNotified: 2021-01-19 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Honeywell Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### HP Inc. Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### HTC Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Huawei Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### IBM Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### IBM Numa-Q Division (Formerly Sequent) Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ICASI Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### InfoExpress Inc. Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Inmarsat Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Internet Systems Consortium Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Internet Systems Consortium - DHCP Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### INTEROP Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### IP Infusion Inc. Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### JH Software Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### JPCERT/CC Vulnerability Handling Team Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Kwikset Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Lancope Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Lantronix Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Lenovo Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### LG Electronics Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### LibreSSL Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Linksys Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### LITE-ON Technology Corporation Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### LiteSpeed Technologies Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Lynx Software Technologies Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### m0n0wall Unknown\n\nNotified: 2020-09-25 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Marconi Inc. Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Marvell Semiconductor Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### MaxLinear Unknown\n\nNotified: 2021-01-13 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### MediaTek Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Medtronic Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Men & Mice Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Metaswitch Networks Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Micrium Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Microchip Technology Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Micro Focus Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Microsoft Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Minim Unknown\n\nNotified: 2021-01-19 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Mitel Networks Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Monroe Electronics Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Motorola Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Muonics Inc. Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### National Cyber Security Center Netherlands Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### National Cyber Security Centre Finland Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NCSC-FI Vulnerability Coordinator Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NEC Corporation Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NetBurner Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NetComm Wireless Limited Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NETSCOUT Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### netsnmpj Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NIKSUN Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Nixu Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NLnet Labs Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Nokia Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Nominum Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### OleumTech Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### OpenConnect Ltd Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### OpenDNS Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### OpenSSL Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Openwall GNU/*/Linux Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Oracle Corporation Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Oryx Embedded Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Palo Alto Networks Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### pfSense Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Philips Electronics Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### PHPIDS Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### PowerDNS Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Proxim Inc. Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### QLogic Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### QNAP Unknown\n\nNotified: 2020-10-08 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Quadros Systems Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Quagga Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Qualcomm Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Quantenna Communications Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Riverbed Technologies Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Roku Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Ruckus Wireless Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Ruijie Networks Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### SafeNet Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Samsung Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Samsung Mobile Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Samsung Semiconductor Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Schneider Electric Unknown\n\nNotified: 2020-12-08 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Secure64 Software Corporation Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### SEIKO EPSON Corp. / Epson America Inc. Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Slackware Linux Inc. Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### SMC Networks Inc. Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### SmoothWall Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Snort Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### SonicWall Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Sonos Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Sony Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Sourcefire Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Symantec Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Systech Unknown\n\nNotified: 2020-09-28 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### systemd Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### TCPWave Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### TDS Telecom Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Tenable Network Security Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Thales Group Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19\n\n**Statement Date: September 30, 2020**\n\n**CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### TippingPoint Technologies Inc. Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Tizen Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Toshiba Commerce Solutions Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### TP-LINK Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Turbolinux Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Ubee Interactive Unknown\n\nNotified: 2021-01-19 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Ubiquiti Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Ubuntu Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Unisys Corporation Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Univention Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Untangle Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vertical Networks Inc. Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### VMware Carbon Black Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vultures List Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### WizNET Technology Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### wolfSSL Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Xiaomi Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Xilinx Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Zebra Technologies Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ZTE Corporation Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Zyxel Unknown\n\nNotified: 2020-09-29 Updated: 2021-01-19 **CVE-2020-25681**| Unknown \n---|--- \n**CVE-2020-25682**| Unknown \n**CVE-2020-25683**| Unknown \n**CVE-2020-25684**| Unknown \n**CVE-2020-25685**| Unknown \n**CVE-2020-25686**| Unknown \n**CVE-2020-25687**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\nView all 253 vendors __View less vendors __\n\n \n\n\n### References\n\n * <https://www.kb.cert.org/vuls/id/800113>\n * <https://kb.cert.org/vuls/id/973527>\n * <https://transition.fcc.gov/bureaus/pshs/advisory/csric3/CSRICIII_9-12-12_WG4-FINAL-Report-DNS-Best-Practices.pdf>\n * <https://astrolavos.gatech.edu/articles/increased_dns_resistance.pdf>\n * <https://www.icann.org/news/blog/security-best-practices-dnssec-validation>\n * <http://www.thekelleys.org.uk/dnsmasq/doc.html>\n * <https://www.jsof-tech.com/disclosures/dnspooq>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2020-25681 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2020-25681>) [CVE-2020-25682 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2020-25682>) [CVE-2020-25683 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2020-25683>) [CVE-2020-25684 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2020-25684>) [CVE-2020-25685 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2020-25685>) [CVE-2020-25686 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2020-25686>) [CVE-2020-25687 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2020-25687>) \n---|--- \n**API URL: ** | VINCE JSON | CSAF \n**Date Public:** | 2021-01-19 \n**Date First Published:** | 2021-01-19 \n**Date Last Updated: ** | 2023-06-20 15:43 UTC \n**Document Revision: ** | 13 \n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-19T00:00:00", "type": "cert", "title": "Dnsmasq is vulnerable to memory corruption and cache poisoning", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2023-06-20T15:43:00", "id": "VU:434904", "href": "https://www.kb.cert.org/vuls/id/434904", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "freebsd": [{"lastseen": "2023-06-06T15:28:27", "description": "\n\nSimon Kelley reports:\n\n\n\t There are broadly two sets of problems. The first is subtle errors\n\t in dnsmasq's protections against the chronic weakness of the DNS\n\t protocol to cache-poisoning attacks; the Birthday attack, Kaminsky,\n\t etc.[...]\n\t \n\n\t the second set of errors is a good old fashioned buffer overflow in\n\t dnsmasq's DNSSEC code. If DNSSEC validation is enabled, an\n\t installation is at risk.\n\t \n\n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-16T00:00:00", "type": "freebsd", "title": "dnsmasq -- DNS cache poisoning, and DNSSEC buffer overflow, vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2020-09-16T00:00:00", "id": "5B5CF6E5-5B51-11EB-95AC-7F9491278677", "href": "https://vuxml.freebsd.org/freebsd/5b5cf6e5-5b51-11eb-95ac-7f9491278677.html", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "malwarebytes": [{"lastseen": "2021-01-29T12:26:29", "description": "The research team at [JSOF](<https://www.jsof-tech.com/disclosures/dnspooq/>) found seven vulnerabilities in dnsmasq and have dubbed them DNSpooq, collectively. Now, some of you may shrug and move on, probably because you haven't heard of dnsmasq before. Well, before you go, you should know that dnsmasq is used in a wide variety of phones, routers, and other network devices, besides some Linux distributions like Red-Hat. And that\u2019s just a selection of what may be affected.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerabilities disclosed by the JSOF team have been listed as [CVE-2020-25687](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25687>), [CVE-2020-25683](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25683>), [CVE-2020-25682](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25682>), [CVE-2020-25684](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25684>), [CVE-2020-25685](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25685>), [CVE-2020-25686](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25686>) and [CVE-2020-25681](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25681>). \n\n### What is DNSpooq?\n\nDNSpooq is the name the researchers gave to a collection of seven vulnerabilities they found in dnsmasq, an open-source DNS forwarding software in common use. Dnsmasq is very popular, and so far JSOF has identified approximately 40 vendors that use it in their products, as well as some major Linux distributions. DNSpooq includes some DNS cache poisoning vulnerabilities, and buffer overflow vulnerabilities that could potentially be used to achieve remote code execution (RCE).\n\n[Domain Name System (DNS)](<https://blog.malwarebytes.com/glossary/domain-name-system/>) is an internet protocol that translates user-friendly, readable URLs, such as malwarebytes.com, to their numeric IP addresses, allowing the computer to identify a server without the user having to remember and input its actual IP address. Basically, you could say DNS is the phonebook of the internet. DNS name resolution is a complex process that can be interfered with at [many levels](<https://blog.malwarebytes.com/cybercrime/2015/09/dns-hijacks-what-to-look-for/>).\n\nDnsmasq (short for DNS masquerade) is free software that can be used for DNS forwarding and caching, and DHCP services. It is intended for smaller networks and can run under Linux, macOS, and Android. In essence, dnsmasq accepts DNS queries and either answers them from a local cache or forwards them to an actual DNS server.\n\n### What is DNS cache poisoning?\n\nIf you have ever moved your website to a different server, you will have noticed how long it can take before everyone actually lands on the new IP address. This happens because DNS records are normally cached in a number of different places, for performance. Records can be cached in your browser, by your operating system, on your network, by your ISP, and so on. When a cache entry expires it will update from the next upstream cache. Because of this, it can take a while for new records to get updated in all the places they're stored. This phenomenon is referred to as DNS propagation. \n\nIf false information is added to a compromised DNS cache, that information can spread downstream to other caches. This method of providing a false IP address is called DNS cache poisoning. Cache poisoning can be done at all levels, local, router and even at the DNS server level.\n\n### What is a buffer overflow?\n\nA buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches an address boundary and writes into an adjacent memory region. Buffer overflows can be used to overwrite useful data, cause network crashes, or replace memory with arbitrary code that the instruction pointer later executes. In that last case it may offer an opportunity for RCE.\n\n### Who should worry?\n\nJSOF has identified over 40 companies and respective products they believe are using dnsmasq. You can find a complete list on their [website about DNSpooq, under Vendors](<https://www.jsof-tech.com/disclosures/dnspooq/#DNSPOOQ-scenarios>). Some names worth mentioning: Asus, AT&T, Cisco, Dell, Google, Huawei, Linksys, Motorola, Netgear, Siemens, Ubiquiti, and Zyxel. Check out the list if you want to verify whether you are using one of the affected devices.\n\n### What can be done about DNSpooq?\n\nFor users of dnsmasq the quickest fix is to update it to version 2.83 or above. \n\nIn the long run it would be better for all of us if we started using a less vulnerable method than DNS, like [DNSSEC](<https://realhosting.nl/helpdesk/wat-is-dnssec/>), which protects against cache poisoning. Unfortunately is still not very widely deployed. Neither is [HSTS](<https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security>), which is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks.\n\nStay safe, everyone!\n\n_Header image and research courtesy of JSOF_\n\nThe post [DNSpooq bugs haunt dnsmasq](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/dnspooq-the-bugs-haunting-dnsmasq/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-21T15:56:12", "type": "malwarebytes", "title": "DNSpooq bugs haunt dnsmasq", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-21T15:56:12", "id": "MALWAREBYTES:663327DFA13BEF28EEE013C568D709A6", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/dnspooq-the-bugs-haunting-dnsmasq/", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "suse": [{"lastseen": "2022-11-06T17:58:55", "description": "An update that fixes 7 vulnerabilities is now available.\n\nDescription:\n\n This update for dnsmasq fixes the following issues:\n\n - bsc#1177077: Fixed DNSpooq vulnerabilities\n - CVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache\n Poisoning attacks.\n - CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed\n multiple potential Heap-based overflows when DNSSEC is enabled.\n\n - Retry query to other servers on receipt of SERVFAIL rcode (bsc#1176076)\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2021-129=1", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-20T00:00:00", "type": "suse", "title": "Security update for dnsmasq (important)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-20T00:00:00", "id": "OPENSUSE-SU-2021:0129-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6B57K75B7OP43O3RNF2Q6TTLL4DZ6KPE/", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2022-04-18T12:40:44", "description": "An update that fixes 7 vulnerabilities is now available.\n\nDescription:\n\n This update for dnsmasq fixes the following issues:\n\n - bsc#1177077: Fixed DNSpooq vulnerabilities\n - CVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache\n Poisoning attacks.\n - CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed\n multiple potential Heap-based overflows when DNSSEC is enabled.\n\n - Retry query to other servers on receipt of SERVFAIL rcode (bsc#1176076)\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2021-124=1", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-20T00:00:00", "type": "suse", "title": "Security update for dnsmasq (important)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-20T00:00:00", "id": "OPENSUSE-SU-2021:0124-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GY5KV2WHBZG4XCWVKZOU4DFCHSMBT5KV/", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "threatpost": [{"lastseen": "2021-01-20T18:43:11", "description": "Researchers have uncovered a set of flaws in dnsmasq, popular open-source software used for caching Domain Name System (DNS) responses for home and commercial routers and servers.\n\nThe set of seven flaws are comprised of buffer overflow issues and flaws allowing for DNS cache-poisoning attacks (also known as DNS spoofing). If exploited, these flaws could be chained together to allow remote code execution, denial of service and other attacks.\n\nResearchers have labeled the set of vulnerabilities \u201cDNSpooq,\u201d a combination of DNS spoofing, the concept of \u201ca spook spying on internet traffic,\u201d and the \u201cq\u201d at the end of dnsmasq.\n\n[](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit>)\n\nClick to Register \u2013 New Browser Tab Opens\n\n\u201cDNSpooq is a series of vulnerabilities found in the ubiquitous open-source software dnsmasq, demonstrating that DNS is still insecure, 13 years after the last major attack was described,\u201d said researchers with the JSOF research lab, [in a recent analysis](<https://www.jsof-tech.com/disclosures/dnspooq/>).\n\nDnsmasq is installed on many home and commercial routers and servers in many organizations. The software\u2019s storing of responses to previously asked DNS queries locally speeds up the DNS resolution process; however it has many other uses as well, including providing DNS services to support Wi-Fi hot-spots, enterprise guest networks, virtualization and ad blocking.\n\nResearchers have identified at least 40 vendors who utilize dnsmasq in their products, including Cisco routers, Android phones, Aruba devices, Technicolor and Red Hat, as well as Siemens, Ubiquiti networks, Comcast and many others. In all, \u201cmillions\u201d of devices are affected, they said.\n\n## **DNS Cache Poisoning**\n\nThree of the flaws (CVE-2020-25686, CVE-2020-25684 and CVE-2020-25685) could enable DNS cache poisoning.\n\nDNS cache poisoning is a type of attack that enables DNS queries to be subverted. In a real-world situation, an attacker here could use unsolicited DNS responses to poison the DNS cache, convince unknowing internet browsers to a specially-crafted attacker-owned website, and then redirect them to malicious servers.\n\nThis could potentially lead to fraud and various other malicious attacks, if victims believe they are browsing to one website but are actually routed to another, said researchers. Other attacks could include phishing attacks or malware distribution.\n\n\u201cTraffic that might be subverted includes regular Internet browsing as well as other types of traffic, such as emails, SSH, remote desktop, RDP video and voice calls, software updates and so on,\u201d said researchers.\n\n## **Buffer Overflow**\n\nResearchers also shed light on four buffer-overflow vulnerabilities (CVE-2020-25687, CVE-2020-25683, CVE-2020-25682 and CVE-2020-25681) in dnsmasq. The memory-corruption flaws can be triggered by a remote attacker using crafted DNS responses. The attack can lead to denial of service, information exposure and potentially remote code execution.\n\nWhile the majority of these flaws are heap-based buffer-overflow issues that could lead to denial of service, one of the flaws is a high-severity issue that could potentially enable remote code execution when dnsmasq is configured to use domain name system security extensions (DNSSEC), a set of protocols that add a layer of security to the domain name system.\n\n\u201cFor the buffer overflows and remote-code execution, devices that don\u2019t use the DNSSEC feature will be immune,\u201d said researchers. \u201cDNSSEC is a security feature meant to prevent cache poisoning attacks and so we would not recommend turning it off, but rather updating to the newest version of dnsmasq.\u201d\n\nResearchers said that the approximately 1 million dnsmasq servers openly visible on the internet (according to Shodan) make attacks launched via the internet \u201cvery simple,\u201d and that there are several real-world scenarios that set up an attacker to exploit these flaws.\n\n\u201cThis may be possible in some cases, (we believe rare), even if the forwarder is not open to the internet,\u201d they said.\n\nAlso, if a dnsmasq server is only configured to listen to connections received from within an internal network \u2013 and an attacker gains a foothold on any device in that network \u2013 they would be able to perform the attack. Or, if a dnsmasq server is only configured to listen to connections received from within an internal network but the network is open (including an airport network or a corporate guest network) an attacker could perform the attack.\n\n## **The Impact**\n\nThe flaws have varying severity, with CVE-2020-25681 and CVE-2020-25682 being high severity. However, researchers said if these vulnerabilities were chained together they could lead to an array of multi-stage attacks.\n\n\u201cThis is because exploiting some of the vulnerabilities makes it easier to exploit others,\u201d said researchers. \u201cFor example, we found that combining CVE-2020-25682, CVE-2020-25684, and CVE-2020-25685 would result in CVE-2020-25682 having a lower attack complexity (with the same impact) and result in a combined CVSS of 9.8 according to our analysis.\u201d\n\nResearchers disclosed the flaws in August and publicly revealed them this month. These vulnerabilities are addressed in [dnsmasq 2.83;](<http://www.thekelleys.org.uk/dnsmasq/?C=M;O=D>) users of internet-of-things (IoT) and embedded devices that use dnsmasq should contact their vendors for further information regarding updates.\n\n\u201cWith the help of CERT/CC and volunteers from several companies, a working group was formed, combining the expertise and extended reach of members from JSOF, CERT/CC, Cisco, Google, Red Hat, Pi-hole and Simon Kelley, the maintainer of dnsmasq, to ensure that the DNSpooq vulnerabilities would be effectively fixed and well documented and communicated,\u201d said researchers.\n\n**Supply-Chain Security: A 10-Point Audit Webinar:** _Is your company\u2019s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a _[_limited-engagement and LIVE Threatpost webinar_](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: _[**_Register Now_**](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_ and reserve a spot for this exclusive Threatpost _[_Supply-Chain Security webinar_](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_ \u2013 Jan. 20, 2 p.m._\n", "cvss3": {}, "published": "2021-01-19T21:25:10", "type": "threatpost", "title": "DNSpooq Flaws Allow DNS Hijacking of Millions of Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-19T21:25:10", "id": "THREATPOST:8B647363122969148DB6173D5DA44833", "href": "https://threatpost.com/dnspooq-flaws-allow-dns-hijacking-of-millions-of-devices/163163/", "cvss": {"score": 0.0, "vector": "NONE"}}], "slackware": [{"lastseen": "2023-06-06T15:11:58", "description": "New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2, and -current\nto fix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/dnsmasq-2.84-i586-1_slack14.2.txz: Upgraded.\n This update fixes bugs and remotely exploitable security issues:\n Use the values of --min-port and --max-port in outgoing\n TCP connections to upstream DNS servers.\n Fix a remote buffer overflow problem in the DNSSEC code. Any\n dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,\n referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683\n CVE-2020-25687.\n Be sure to only accept UDP DNS query replies at the address\n from which the query was originated. This keeps as much entropy\n in the {query-ID, random-port} tuple as possible, to help defeat\n cache poisoning attacks. Refer: CVE-2020-25684.\n Use the SHA-256 hash function to verify that DNS answers\n received are for the questions originally asked. This replaces\n the slightly insecure SHA-1 (when compiled with DNSSEC) or\n the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.\n Handle multiple identical near simultaneous DNS queries better.\n Previously, such queries would all be forwarded\n independently. This is, in theory, inefficent but in practise\n not a problem, _except_ that is means that an answer for any\n of the forwarded queries will be accepted and cached.\n An attacker can send a query multiple times, and for each repeat,\n another {port, ID} becomes capable of accepting the answer he is\n sending in the blind, to random IDs and ports. The chance of a\n succesful attack is therefore multiplied by the number of repeats\n of the query. The new behaviour detects repeated queries and\n merely stores the clients sending repeats so that when the\n first query completes, the answer can be sent to all the\n clients who asked. Refer: CVE-2020-25686.\n For more information, see:\n https://vulners.com/cve/CVE-2020-25681\n https://vulners.com/cve/CVE-2020-25682\n https://vulners.com/cve/CVE-2020-25683\n https://vulners.com/cve/CVE-2020-25684\n https://vulners.com/cve/CVE-2020-25685\n https://vulners.com/cve/CVE-2020-25686\n https://vulners.com/cve/CVE-2020-25687\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/dnsmasq-2.84-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/dnsmasq-2.84-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/dnsmasq-2.84-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/dnsmasq-2.84-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/dnsmasq-2.84-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/dnsmasq-2.84-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/dnsmasq-2.84-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/dnsmasq-2.84-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 package:\n21656a83c165a785f6fadab6a1af1719 dnsmasq-2.84-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n90cd9eda688df52f01a984506b1248b1 dnsmasq-2.84-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n2bde4367a591308ecde01f438cd1c01e dnsmasq-2.84-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\nb926b57679a8c420259c72fab90c73b6 dnsmasq-2.84-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\n433bd15bc94f577ac2235d246ec222c0 dnsmasq-2.84-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n76081b1d11ac9b9ec3f8580163713163 dnsmasq-2.84-x86_64-1_slack14.2.txz\n\nSlackware -current package:\n5dab2510f2d679a10b2b9881f8578053 n/dnsmasq-2.84-i586-1.txz\n\nSlackware x86_64 -current package:\nd1fca4e7b70ebdb7136288a3f1707813 n/dnsmasq-2.84-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg dnsmasq-2.84-i586-1_slack14.2.txz\n\nThen restart dnsmasq if you are using it:\n > sh /etc/rc.d/rc.dnsmasq restart", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-09T20:59:31", "type": "slackware", "title": "[slackware-security] dnsmasq", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-02-09T20:59:31", "id": "SSA-2021-040-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2021&m=slackware-security.585069", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "cisco": [{"lastseen": "2023-06-24T08:28:08", "description": "A set of previously unknown vulnerabilities in the DNS forwarder implementation of dnsmasq were disclosed on January 19, 2021. The vulnerabilities are collectively known as DNSpooq.\n\nExploitation of these vulnerabilities could result in remote code execution or denial of service (DoS), or may allow an attacker to more easily forge DNS answers that can poison DNS caches, depending on the specific vulnerability.\n\nMultiple Cisco products are affected by these vulnerabilities.\n\nCisco will release software updates that address these vulnerabilities. Any workarounds for a specific Cisco product or service will be documented in the relevant Cisco bugs, which are identified in the Vulnerable Products [\"#vp\"] section of this advisory.\n\nNote: At the time of publication, no Cisco products were found to be affected by the remote code execution and DoS vulnerabilities, which are identified by the following Common Vulnerabilities and Exposures (CVE) IDs:\n\nCVE-2020-25681\nCVE-2020-25682\nCVE-2020-25683\nCVE-2020-25687\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnsmasq-dns-2021-c5mrdf3g [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnsmasq-dns-2021-c5mrdf3g\"]", "cvss3": {}, "published": "2021-01-19T12:15:00", "type": "cisco", "title": "Multiple Vulnerabilities in dnsmasq DNS Forwarder Affecting Cisco Products: January 2021", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-08-30T17:24:42", "id": "CISCO-SA-DNSMASQ-DNS-2021-C5MRDF3G", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnsmasq-dns-2021-c5mrdf3g", "cvss": {"score": 5.9, "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "ubuntu": [{"lastseen": "2023-06-13T15:15:33", "description": "## Releases\n\n * Ubuntu 20.10 \n * Ubuntu 20.04 LTS\n * Ubuntu 18.04 ESM\n * Ubuntu 16.04 ESM\n\n## Packages\n\n * dnsmasq \\- Small caching DNS proxy and DHCP/TFTP server\n\nUSN-4698-1 fixed vulnerabilities in Dnsmasq. The updates introduced \nregressions in certain environments related to issues with multiple \nqueries, and issues with retries. This update fixes the problem.\n\nOriginal advisory details:\n\nMoshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled \nmemory when sorting RRsets. A remote attacker could use this issue to cause \nDnsmasq to hang, resulting in a denial of service, or possibly execute \narbitrary code. (CVE-2020-25681, CVE-2020-25687)\n\nMoshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled \nextracting certain names. A remote attacker could use this issue to cause \nDnsmasq to hang, resulting in a denial of service, or possibly execute \narbitrary code. (CVE-2020-25682, CVE-2020-25683)\n\nMoshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly \nimplemented address/port checks. A remote attacker could use this issue to \nperform a cache poisoning attack. (CVE-2020-25684)\n\nMoshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly \nimplemented query resource name checks. A remote attacker could use this \nissue to perform a cache poisoning attack. (CVE-2020-25685)\n\nMoshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled \nmultiple query requests for the same resource name. A remote attacker could \nuse this issue to perform a cache poisoning attack. (CVE-2020-25686)\n\nIt was discovered that Dnsmasq incorrectly handled memory during DHCP \nresponse creation. A remote attacker could possibly use this issue to \ncause Dnsmasq to consume resources, leading to a denial of service. This \nissue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 \nLTS. (CVE-2019-14834)\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T00:00:00", "type": "ubuntu", "title": "Dnsmasq regression", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14834", "CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-02-24T00:00:00", "id": "USN-4698-2", "href": "https://ubuntu.com/security/notices/USN-4698-2", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2023-07-24T23:37:07", "description": "## Releases\n\n * Ubuntu 20.10 \n * Ubuntu 20.04 LTS\n * Ubuntu 18.04 ESM\n * Ubuntu 16.04 ESM\n\n## Packages\n\n * dnsmasq \\- Small caching DNS proxy and DHCP/TFTP server\n\nMoshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled \nmemory when sorting RRsets. A remote attacker could use this issue to cause \nDnsmasq to hang, resulting in a denial of service, or possibly execute \narbitrary code. (CVE-2020-25681, CVE-2020-25687)\n\nMoshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled \nextracting certain names. A remote attacker could use this issue to cause \nDnsmasq to hang, resulting in a denial of service, or possibly execute \narbitrary code. (CVE-2020-25682, CVE-2020-25683)\n\nMoshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly \nimplemented address/port checks. A remote attacker could use this issue to \nperform a cache poisoning attack. (CVE-2020-25684)\n\nMoshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly \nimplemented query resource name checks. A remote attacker could use this \nissue to perform a cache poisoning attack. (CVE-2020-25685)\n\nMoshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled \nmultiple query requests for the same resource name. A remote attacker could \nuse this issue to perform a cache poisoning attack. (CVE-2020-25686)\n\nIt was discovered that Dnsmasq incorrectly handled memory during DHCP \nresponse creation. A remote attacker could possibly use this issue to \ncause Dnsmasq to consume resources, leading to a denial of service. This \nissue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 \nLTS. (CVE-2019-14834)\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-19T00:00:00", "type": "ubuntu", "title": "Dnsmasq vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14834", "CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-19T00:00:00", "id": "USN-4698-1", "href": "https://ubuntu.com/security/notices/USN-4698-1", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}]}
CVE-2020-25681
