DATABASE RESOURCES PRICING ABOUT US

{"id": "ORACLELINUX_ELSA-2021-0153.NASL", "vendorId": null, "type": "nessus", "bulletinFamily": "scanner", "title": "Oracle Linux 7 : dnsmasq (ELSA-2021-0153)", "description": "The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-0153 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "published": "2021-01-19T00:00:00", "modified": "2022-12-07T00:00:00", "epss": [], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/nessus/145075", "reporter": "This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://linux.oracle.com/errata/ELSA-2021-0153.html", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25684", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25685", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25686"], "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "immutableFields": [], "lastseen": "2023-05-18T15:22:50", "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "almalinux", "idList": ["ALSA-2021:0150"]}, {"type": "altlinux", "idList": ["864D4BAD00FC35A95D316BFD81ABFD93"]}, {"type": "amazon", "idList": ["ALAS2-2021-1587"]}, {"type": "archlinux", "idList": ["ASA-202101-38"]}, {"type": "arista", "idList": ["ARISTA:0061"]}, {"type": "centos", "idList": ["CESA-2021:0153"]}, {"type": "cert", "idList": ["VU:434904"]}, {"type": "cisco", "idList": ["CISCO-SA-DNSMASQ-DNS-2021-C5MRDF3G"]}, {"type": "cve", "idList": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2604-1:9EC79", "DEBIAN:DSA-4844-1:75AB4", "DEBIAN:DSA-4844-1:99BC8"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-25684", "DEBIANCVE:CVE-2020-25685", "DEBIANCVE:CVE-2020-25686"]}, {"type": "f5", "idList": ["F5:K98221124"]}, {"type": "fedora", "idList": ["FEDORA:5278930BDD92", "FEDORA:5AB7E30E25EB"]}, {"type": "freebsd", "idList": ["5B5CF6E5-5B51-11EB-95AC-7F9491278677"]}, {"type": "gentoo", "idList": ["GLSA-202101-17"]}, {"type": "githubexploit", "idList": ["CBF3EF2D-3A5B-5110-A374-4A5ADE9AC91A"]}, {"type": "ibm", "idList": ["FC73553AD2A105EE66740C14C0933AC41AB9E38FE9977D31F31C0B40B28F3F0A"]}, {"type": "ics", "idList": ["ICSA-21-019-01"]}, {"type": "mageia", "idList": ["MGASA-2021-0059"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:663327DFA13BEF28EEE013C568D709A6"]}, {"type": "nessus", "idList": ["AL2_ALAS-2021-1587.NASL", "CENTOS8_RHSA-2021-0150.NASL", "CENTOS_RHSA-2021-0153.NASL", "DEBIAN_DLA-2604.NASL", "DEBIAN_DSA-4844.NASL", "DNSMASQ_2_83.NASL", "EULEROS_SA-2021-1138.NASL", "EULEROS_SA-2021-1244.NASL", "EULEROS_SA-2021-1263.NASL", "EULEROS_SA-2021-1288.NASL", "EULEROS_SA-2021-1374.NASL", "EULEROS_SA-2021-1389.NASL", "EULEROS_SA-2021-1411.NASL", "EULEROS_SA-2021-1469.NASL", "EULEROS_SA-2021-1551.NASL", "EULEROS_SA-2021-1673.NASL", "EULEROS_SA-2021-1733.NASL", "EULEROS_SA-2021-1758.NASL", "EULEROS_SA-2021-1775.NASL", "EULEROS_SA-2021-2134.NASL", "FEDORA_2021-2E4C3D5A9D.NASL", "FEDORA_2021-84440E87BA.NASL", "FREEBSD_PKG_5B5CF6E55B5111EB95AC7F9491278677.NASL", "GENTOO_GLSA-202101-17.NASL", "NEWSTART_CGSL_NS-SA-2021-0091_DNSMASQ.NASL", "NEWSTART_CGSL_NS-SA-2021-0098_DNSMASQ.NASL", "NEWSTART_CGSL_NS-SA-2021-0125_DNSMASQ.NASL", "NEWSTART_CGSL_NS-SA-2021-0183_DNSMASQ.NASL", "NUTANIX_NXSA-AHV-20201105_1045.NASL", "OPENSUSE-2021-124.NASL", "OPENSUSE-2021-129.NASL", "ORACLELINUX_ELSA-2021-0150.NASL", "PHOTONOS_PHSA-2021-1_0-0356_DNSMASQ.NASL", "PHOTONOS_PHSA-2021-2_0-0312_DNSMASQ.NASL", "PHOTONOS_PHSA-2021-3_0-0186_DNSMASQ.NASL", "REDHAT-RHSA-2021-0150.NASL", "REDHAT-RHSA-2021-0151.NASL", "REDHAT-RHSA-2021-0152.NASL", "REDHAT-RHSA-2021-0153.NASL", "REDHAT-RHSA-2021-0154.NASL", "REDHAT-RHSA-2021-0155.NASL", "REDHAT-RHSA-2021-0156.NASL", "REDHAT-RHSA-2021-0240.NASL", "REDHAT-RHSA-2021-0245.NASL", "REDHAT-RHSA-2021-0395.NASL", "REDHAT-RHSA-2021-0401.NASL", "SLACKWARE_SSA_2021-040-01.NASL", "SL_20210119_DNSMASQ_ON_SL7_X.NASL", "SUSE_SU-2021-0162-1.NASL", "SUSE_SU-2021-0163-1.NASL", "SUSE_SU-2021-0166-1.NASL", "SUSE_SU-2021-14603-1.NASL", "UBUNTU_USN-4698-1.NASL"]}, {"type": "openwrt", "idList": ["OPENWRT-SA-2021-01-19-1"]}, {"type": "oraclelinux", "idList": ["ELSA-2021-0150", "ELSA-2021-0153"]}, {"type": "osv", "idList": ["OSV:CVE-2020-25685", "OSV:DLA-2604-1", "OSV:DSA-4844-1"]}, {"type": "photon", "idList": ["PHSA-2021-0186", "PHSA-2021-0312", "PHSA-2021-0356", "PHSA-2021-1.0-0356", "PHSA-2021-2.0-0312", "PHSA-2021-3.0-0186"]}, {"type": "redhat", "idList": ["RHSA-2020:5633", "RHSA-2021:0150", "RHSA-2021:0151", "RHSA-2021:0152", "RHSA-2021:0153", "RHSA-2021:0154", "RHSA-2021:0155", "RHSA-2021:0156", "RHSA-2021:0240", "RHSA-2021:0245", "RHSA-2021:0281", "RHSA-2021:0395", "RHSA-2021:0401", "RHSA-2021:0799"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-25681", "RH:CVE-2020-25684", "RH:CVE-2020-25685", "RH:CVE-2020-25686"]}, {"type": "slackware", "idList": ["SSA-2021-040-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:0124-1", "OPENSUSE-SU-2021:0129-1"]}, {"type": "thn", "idList": ["THN:5CFE6070F72F17DAC9AFD3A651C741D8"]}, {"type": "threatpost", "idList": ["THREATPOST:8B647363122969148DB6173D5DA44833"]}, {"type": "ubuntu", "idList": ["USN-4698-1", "USN-4698-2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-25684", "UB:CVE-2020-25685", "UB:CVE-2020-25686"]}, {"type": "veracode", "idList": ["VERACODE:29040", "VERACODE:29041", "VERACODE:29042"]}]}, "score": {"value": 0.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "almalinux", "idList": ["ALSA-2021:0150"]}, {"type": "amazon", "idList": ["ALAS2-2021-1587"]}, {"type": "archlinux", "idList": ["ASA-202101-38"]}, {"type": "centos", "idList": ["CESA-2021:0153"]}, {"type": "cert", "idList": ["VU:434904"]}, {"type": "cisco", "idList": ["CISCO-SA-DNSMASQ-DNS-2021-C5MRDF3G"]}, {"type": "cve", "idList": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4844-1:99BC8"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-25684", "DEBIANCVE:CVE-2020-25685", "DEBIANCVE:CVE-2020-25686"]}, {"type": "f5", "idList": ["F5:K98221124"]}, {"type": "fedora", "idList": ["FEDORA:5278930BDD92", "FEDORA:5AB7E30E25EB"]}, {"type": "freebsd", "idList": ["5B5CF6E5-5B51-11EB-95AC-7F9491278677"]}, {"type": "gentoo", "idList": ["GLSA-202101-17"]}, {"type": "githubexploit", "idList": ["CBF3EF2D-3A5B-5110-A374-4A5ADE9AC91A"]}, {"type": "ibm", "idList": ["FC73553AD2A105EE66740C14C0933AC41AB9E38FE9977D31F31C0B40B28F3F0A"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:663327DFA13BEF28EEE013C568D709A6"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/CENTOS_LINUX-CVE-2020-25685/", "MSF:ILITIES/CENTOS_LINUX-CVE-2020-25686/", "MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-25685/", "MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-25686/", "MSF:ILITIES/ORACLE-SOLARIS-CVE-2020-25684/", "MSF:ILITIES/ORACLE_LINUX-CVE-2020-25684/", "MSF:ILITIES/ORACLE_LINUX-CVE-2020-25685/", "MSF:ILITIES/ORACLE_LINUX-CVE-2020-25686/", "MSF:ILITIES/REDHAT_LINUX-CVE-2020-25686/"]}, {"type": "nessus", "idList": ["AL2_ALAS-2021-1587.NASL", "CENTOS8_RHSA-2021-0150.NASL", "CENTOS_RHSA-2021-0153.NASL", "DEBIAN_DSA-4844.NASL", "DNSMASQ_2_83.NASL", "EULEROS_SA-2021-1138.NASL", "EULEROS_SA-2021-1244.NASL", "EULEROS_SA-2021-1263.NASL", "EULEROS_SA-2021-1288.NASL", "EULEROS_SA-2021-1374.NASL", "EULEROS_SA-2021-1733.NASL", "EULEROS_SA-2021-1758.NASL", "EULEROS_SA-2021-1775.NASL", "EULEROS_SA-2021-2134.NASL", "FEDORA_2021-2E4C3D5A9D.NASL", "FEDORA_2021-84440E87BA.NASL", "FREEBSD_PKG_5B5CF6E55B5111EB95AC7F9491278677.NASL", "GENTOO_GLSA-202101-17.NASL", "OPENSUSE-2021-124.NASL", "OPENSUSE-2021-129.NASL", "ORACLELINUX_ELSA-2021-0150.NASL", "PHOTONOS_PHSA-2021-1_0-0356_DNSMASQ.NASL", "PHOTONOS_PHSA-2021-2_0-0312_DNSMASQ.NASL", "PHOTONOS_PHSA-2021-3_0-0186_DNSMASQ.NASL", "REDHAT-RHSA-2021-0150.NASL", "REDHAT-RHSA-2021-0151.NASL", "REDHAT-RHSA-2021-0152.NASL", "REDHAT-RHSA-2021-0153.NASL", "REDHAT-RHSA-2021-0154.NASL", "REDHAT-RHSA-2021-0155.NASL", "REDHAT-RHSA-2021-0156.NASL", "REDHAT-RHSA-2021-0240.NASL", "REDHAT-RHSA-2021-0245.NASL", "REDHAT-RHSA-2021-0395.NASL", "REDHAT-RHSA-2021-0401.NASL", "SLACKWARE_SSA_2021-040-01.NASL", "SL_20210119_DNSMASQ_ON_SL7_X.NASL", "SUSE_SU-2021-0162-1.NASL", "SUSE_SU-2021-0163-1.NASL", "SUSE_SU-2021-0166-1.NASL", "SUSE_SU-2021-14603-1.NASL", "UBUNTU_USN-4698-1.NASL"]}, {"type": "openwrt", "idList": ["OPENWRT-SA-2021-01-19-1"]}, {"type": "oraclelinux", "idList": ["ELSA-2021-0150", "ELSA-2021-0153"]}, {"type": "photon", "idList": ["PHSA-2021-1.0-0356", "PHSA-2021-2.0-0312", "PHSA-2021-3.0-0186"]}, {"type": "redhat", "idList": ["RHSA-2021:0150", "RHSA-2021:0151", "RHSA-2021:0153", "RHSA-2021:0245"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-25681", "RH:CVE-2020-25685", "RH:CVE-2020-25686"]}, {"type": "slackware", "idList": ["SSA-2021-040-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:0124-1", "OPENSUSE-SU-2021:0129-1"]}, {"type": "thn", "idList": ["THN:5CFE6070F72F17DAC9AFD3A651C741D8"]}, {"type": "threatpost", "idList": ["THREATPOST:8B647363122969148DB6173D5DA44833"]}, {"type": "ubuntu", "idList": ["USN-4698-1", "USN-4698-2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-25684", "UB:CVE-2020-25685", "UB:CVE-2020-25686"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2020-25684", "epss": 0.00297, "percentile": 0.64786, "modified": "2023-05-07"}, {"cve": "CVE-2020-25685", "epss": 0.00119, "percentile": 0.44568, "modified": "2023-05-07"}, {"cve": "CVE-2020-25686", "epss": 0.00175, "percentile": 0.53192, "modified": "2023-05-07"}], "vulnersScore": 0.7}, "_state": {"dependencies": 1684442002, "score": 1698841580, "epss": 0}, "_internal": {"score_hash": "7b8ca1a9a8cab6dde2aace25e91bf503"}, "pluginID": "145075", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-0153.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145075);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2020-25684\", \"CVE-2020-25685\", \"CVE-2020-25686\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Oracle Linux 7 : dnsmasq (ELSA-2021-0153)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2021-0153 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's\nself-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-0153.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25686\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dnsmasq-utils\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\npkgs = [\n {'reference':'dnsmasq-2.76-16.el7_9.1', 'cpu':'x86_64', 'release':'7'},\n {'reference':'dnsmasq-utils-2.76-16.el7_9.1', 'cpu':'x86_64', 'release':'7'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n rpm_prefix = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['rpm_prefix'])) rpm_prefix = package_array['rpm_prefix'];\n if (reference && release) {\n if (rpm_prefix) {\n if (rpm_exists(release:release, rpm:rpm_prefix) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}", "naslFamily": "Oracle Linux Local Security Checks", "cpe": ["cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:dnsmasq", "p-cpe:/a:oracle:linux:dnsmasq-utils"], "solution": "Update the affected dnsmasq and / or dnsmasq-utils packages.", "nessusSeverity": "Medium", "cvssScoreSource": "CVE-2020-25686", "vendor_cvss2": {"score": 4.3, "vector": "CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "vendor_cvss3": {"score": 3.7, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "vpr": {"risk factor": "Low", "score": "2.2"}, "exploitAvailable": false, "exploitEase": "No known exploits are available", "patchPublicationDate": "2021-01-19T00:00:00", "vulnerabilityPublicationDate": "2021-01-19T00:00:00", "exploitableWith": []}

{"thn": [{"lastseen": "2022-05-09T12:39:12", "description": "[](<https://thehackernews.com/images/-4JMeeulG8oc/YAbH6K-iByI/AAAAAAAABhs/PM1FhHhjD-ItL0VUT0-mvF5-e0V6BdKHQCLcBGAsYHQ/s0/dns-security.jpg>)\n\nCybersecurity researchers have uncovered multiple vulnerabilities in Dnsmasq, a popular open-source software used for caching Domain Name System (DNS) responses, thereby potentially allowing an adversary to mount DNS [cache poisoning attacks](<https://www.cloudflare.com/learning/dns/dns-cache-poisoning/>) and remotely execute malicious code.\n\nThe seven flaws, collectively called \"**DNSpooq**\" by Israeli research firm JSOF, echoes previously disclosed weaknesses in the DNS architecture, making Dnsmasq servers powerless against a range of attacks.\n\n\"We found that Dnsmasq is vulnerable to DNS cache poisoning attack by an off-path attacker (i.e., an attacker that does not observe the communication between the DNS forwarder and the DNS server),\" the researchers noted in a report [published](<https://www.jsof-tech.com/disclosures/dnspooq/>) today.\n\n\"Our attack allows for poisoning of multiple domain names at once, and is a result of several vulnerabilities found. The attack can be completed successfully under seconds or few minutes, and have no special requirements. We also found that many instances of Dnsmasq are misconfigured to listen on the WAN interface, making the attack possible directly from the Internet.\"\n\nDnsmasq, short for [DNS masquerade](<https://en.wikipedia.org/wiki/Dnsmasq>), is a lightweight software with DNS forwarding capabilities used for locally caching DNS records, thus reducing the load on upstream nameservers and improving performance.\n\nAs of September 2020, there were about 1 million vulnerable Dnsmasq instances, JSOF found, with the software included in Android smartphones and millions of routers and other networking devices from Cisco, Aruba, Technicolor, Redhat, Siemens, Ubiquiti, and Comcast.\n\n### Revisiting Kaminsky Attack and SAD DNS\n\nThe concept of DNS cache poisoning is not new. In 2008, security researcher [Dan Kaminsky](<https://www.blackhat.com/html/webinars/kaminsky-DNS.html>) presented his findings of a widespread and critical DNS vulnerability that allowed attackers to launch cache poisoning attacks against most nameservers.\n\nIt exploited a fundamental [design flaw in DNS](<https://www.linuxjournal.com/content/understanding-kaminskys-dns-bug>) \u2014 there can be only 65,536 possible transaction IDs (TXIDs) \u2014 to flood the DNS server with forged responses, which is then cached and leveraged to route users to fraudulent websites.\n\nThe transaction IDs were introduced as a mechanism to thwart the possibility that an authoritative nameserver could be impersonated to craft malicious responses. With this new setup, DNS resolvers attached a 16-bit ID to their requests to the nameservers, which would then send back a response with the same ID.\n\n[](<https://thehackernews.com/images/-JIpwrIjlSqM/YAbJ78WhyKI/AAAAAAAABh4/snm9Ktk3GFALwllYIXNuoqTEVNJcDlL3gCLcBGAsYHQ/s0/browser.jpg>)\n\nBut the limitation in transaction IDs meant that whenever a recursive resolver queries the authoritative nameserver for a given domain (e.g., www.google.com), an attacker could flood the resolver with DNS responses for some or all of the 65 thousand or so possible transaction IDs.\n\nIf the malicious answer with the right transaction ID from the attacker arrives before the response from the authoritative server, then the DNS cache would be effectively poisoned, returning the attacker's chosen IP address instead of the legitimate address for as long as the DNS response was valid.\n\nThe attack banked on the fact that the entire lookup process is unauthenticated, meaning there is no way to verify the identity of the authoritative server, and that DNS requests and responses use UDP (User Datagram Protocol) instead of TCP, thereby making it easy to spoof the replies.\n\nTo counter the problem, a randomized UDP port was used as a second identifier along with the transaction ID, as opposed to just using port 53 for DNS lookups and responses, thus raising the entropy in the order of billions and making it practically infeasible for attackers to guess the correct combination of the source port and the transaction ID.\n\nAlthough the effectiveness of cache poisoning attacks has taken a hit due to the aforementioned source port randomization (SPR) and protocols such as [DNSSEC](<https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions>) (Domain Name System Security Extensions), researchers last November found a \"novel\" side-channel to defeat the randomization by using ICMP rate limits as a side-channel to reveal whether a given port is open or not.\n\nThe attacks \u2014 named \"[SAD DNS](<https://thehackernews.com/2020/11/sad-dns-new-flaws-re-enable-dns-cache.html>)\" or Side-channel AttackeD DNS \u2014 involves sending a burst of spoofed UDP packets to a DNS resolver, each sent over a different port, and subsequently using [ICMP](<https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>) \"Port Unreachable\" messages (or lack thereof) as an indicator to discern if the rate limit has been met and eventually narrow down the exact source port from which the request originated.\n\n### Mount Multi-Staged Attacks That Allow Device Takeover\n\nInterestingly, the DNS cache poisoning attacks detailed by JSOF bear similarities to SAD DNS in that the three vulnerabilities (CVE-2020-25684, CVE-2020-25685, and CVE-2020-25686) aim to reduce the entropy of the Transaction IDs and source port that are required for a response to be accepted.\n\nSpecifically, the researchers noted that despite Dnsmasq's support for SPR, it \"multiplexes multiple TXIDs on top of one port and does not link each port to specifics TXIDs,\" and that the CRC32 algorithm used for preventing DNS spoofing can be trivially defeated, leading to a scenario where \"the attacker needs to get any one of the ports right and any one of the TXIDs right.\"\n\nDnsmasq versions 2.78 to 2.82 were all found to be affected by the three flaws.\n\n[](<https://thehackernews.com/images/-mkgpTUoRhgg/YAbQoObWLDI/AAAAAAAA3ho/JOaPxZjqEAs6I6zCNOBU8hZJDPMoQI4-ACLcBGAsYHQ/s0/dns.jpg>)\n\nThe other four vulnerabilities disclosed by JSOF are heap-based buffer overflows, which can lead to potential remote code execution on the vulnerable device.\n\n\"These vulnerabilities, in and of themselves, would have limited risk, but become especially powerful since they can be combined with the cache-poisoning vulnerabilities to produce a potent attack, allowing for remote code execution,\" the researchers said.\n\nEven worse, these weaknesses can be chained with other network attacks such as [SAD DNS](<https://blog.cloudflare.com/sad-dns-explained/>) and [NAT Slipstreaming](<https://thehackernews.com/2020/11/new-natfirewall-bypass-attack-lets.html>) to mount multi-staged attacks against Dnsmasq resolvers listening on port 53. Even those that are configured to only listen to connections received from within an internal network are at risk if the malicious code gets transmitted via web browsers or other infected devices on the same network.\n\nBesides rendering them susceptible to cache poisoning, the attacks can also permit a bad actor to take control over routers and networking equipment, stage distributed denial-of-service (DDoS) attacks by subverting traffic to a malicious domain, and even prevent users from accessing legitimate sites (reverse DDoS).\n\nThe researchers also raised the possibility of a \"wormable attack\" wherein mobile devices connected to a network that uses an infected Dnsmasq server receives a bad DNS record and is then used to infect a new network upon connecting to it.\n\n### Update Dnsmasq to 2.83\n\nIt's highly recommended that vendors update their Dnsmasq software to the [latest version](<https://www.thekelleys.org.uk/dnsmasq/>) (2.83 or above) that will be released later today in order to mitigate the risk.\n\nAs workarounds, researchers suggest lowering the maximum queries allowed to be forwarded, as well as rely on DNS-over-HTTPS ([DoH](<https://thehackernews.com/2021/01/nsa-suggests-enterprises-use-designated.html>)) or DNS-over-TLS (DoT) to connect to the upstream server.\n\n\"DNS is an Internet-critical protocol whose security greatly affect[s] the security of Internet users,\" the researchers concluded. \"These issues put networking devices at risk of compromise and affect millions of Internet users, which can suffer from the cache poisoning attack presented.\n\n\"This highlight[s] the importance of DNS security in general and the security of DNS forwarders in particular. It also highlights the need to expedite the deployment of DNS security measures such as DNSSEC, DNS transport security, and DNS cookies.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-19T12:01:00", "type": "thn", "title": "A Set of Severe Flaws Affect Popular DNSMasq DNS Forwarder", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2021-04-13T11:28:13", "id": "THN:5CFE6070F72F17DAC9AFD3A651C741D8", "href": "https://thehackernews.com/2021/01/a-set-of-severe-flaws-affect-popular.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "redhat": [{"lastseen": "2023-12-03T20:41:24", "description": "The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.\n\nSecurity Fix(es):\n\n* dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n* dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n* dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-19T12:37:34", "type": "redhat", "title": "(RHSA-2021:0153) Moderate: dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2021-01-19T13:10:03", "id": "RHSA-2021:0153", "href": "https://access.redhat.com/errata/RHSA-2021:0153", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-03T20:41:24", "description": "The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.\n\nSecurity Fix(es):\n\n* dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n* dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n* dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-19T12:37:17", "type": "redhat", "title": "(RHSA-2021:0155) Moderate: dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2021-01-19T13:10:04", "id": "RHSA-2021:0155", "href": "https://access.redhat.com/errata/RHSA-2021:0155", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-03T20:41:24", "description": "The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.\n\nSecurity Fix(es):\n\n* dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n* dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n* dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-25T14:51:18", "type": "redhat", "title": "(RHSA-2021:0245) Moderate: dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2021-01-25T14:59:02", "id": "RHSA-2021:0245", "href": "https://access.redhat.com/errata/RHSA-2021:0245", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-03T20:41:24", "description": "The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.\n\nSecurity Fix(es):\n\n* dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n* dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n* dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-19T12:37:20", "type": "redhat", "title": "(RHSA-2021:0154) Moderate: dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2021-01-19T13:10:04", "id": "RHSA-2021:0154", "href": "https://access.redhat.com/errata/RHSA-2021:0154", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-03T20:41:24", "description": "The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.\n\nSecurity Fix(es):\n\n* dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n* dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n* dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-19T12:37:12", "type": "redhat", "title": "(RHSA-2021:0156) Moderate: dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2021-01-19T13:02:00", "id": "RHSA-2021:0156", "href": "https://access.redhat.com/errata/RHSA-2021:0156", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-03T20:41:24", "description": "The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.\n\nSecurity Fix(es):\n\n* dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n* dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n* dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-25T14:03:53", "type": "redhat", "title": "(RHSA-2021:0240) Moderate: dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2021-01-25T14:12:38", "id": "RHSA-2021:0240", "href": "https://access.redhat.com/errata/RHSA-2021:0240", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-03T20:41:19", "description": "The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. \n\nSecurity Fix(es):\n\n* sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\n* dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n* dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n* dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Previously, the Red Hat Virtualization Host (RHV-H) repository (rhvh-4-for-rhel-8-x86_64-rpms) did not include the libsmbclient package, which is a dependency for the sssd-ad package. Consequently, the sssd-ad package failed to install.\n\nWith this update, the libsmbclient is now in the RHV-H repository, and sssd-ad now installs on RHV-H. (BZ#1868967)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-03T15:57:48", "type": "redhat", "title": "(RHSA-2021:0401) Important: Red Hat Virtualization Host security bug fix and enhancement update [ovirt-4.4.4]", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2021-3156"], "modified": "2021-02-03T16:06:16", "id": "RHSA-2021:0401", "href": "https://access.redhat.com/errata/RHSA-2021:0401", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T20:41:19", "description": "The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.\n\nSecurity Fix(es):\n\n* sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\n* dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n* dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n* dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* When performing an upgrade of the Red Hat Virtualization Host using the command `yum update`, the yum repository for RHV 4.3 EUS is unreachable\n\nAs a workaround, run the following command:\n`# yum update --releasever=7Server` (BZ#1899378)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-03T10:15:53", "type": "redhat", "title": "(RHSA-2021:0395) Important: RHV-H security, bug fix, enhancement update (redhat-virtualization-host) 4.3.13", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2021-3156"], "modified": "2021-02-03T10:26:47", "id": "RHSA-2021:0395", "href": "https://access.redhat.com/errata/RHSA-2021:0395", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T20:41:24", "description": "The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.\n\nSecurity Fix(es):\n\n* dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n* dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\n* dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n* dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n* dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n* dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n* dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-19T12:37:10", "type": "redhat", "title": "(RHSA-2021:0150) Important: dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-19T12:56:01", "id": "RHSA-2021:0150", "href": "https://access.redhat.com/errata/RHSA-2021:0150", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2023-12-03T20:41:24", "description": "The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.\n\nSecurity Fix(es):\n\n* dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n* dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\n* dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n* dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n* dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n* dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n* dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-19T12:36:50", "type": "redhat", "title": "(RHSA-2021:0151) Important: dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-19T13:05:07", "id": "RHSA-2021:0151", "href": "https://access.redhat.com/errata/RHSA-2021:0151", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2023-12-03T20:41:24", "description": "The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.\n\nSecurity Fix(es):\n\n* dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n* dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\n* dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n* dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n* dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n* dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n* dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-19T12:36:51", "type": "redhat", "title": "(RHSA-2021:0152) Important: dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-19T12:56:03", "id": "RHSA-2021:0152", "href": "https://access.redhat.com/errata/RHSA-2021:0152", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2023-12-03T20:41:19", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* openshift: builder allows read and write of block devices (CVE-2021-20182)\n\n* kubernetes: Compromised node could escalate to cluster level privileges (CVE-2020-8559)\n\n* kubernetes: Docker config secrets leaked when file is malformed and loglevel >= 4 (CVE-2020-8564)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nThis advisory contains the container images for Red Hat OpenShift Container Platform 4.4.33. See the following advisory for the RPM packages for this release:\n\nhttps://access.redhat.com/errata/RHSA-2021:0282\n\nSpace precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:\n\nhttps://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-release-notes.html\n\nThis update fixes the following bugs among others:\n\n* Previously, there were broken connections to the API server that caused nodes to remain in the NotReady state. Detecting a broken network connection could take up to 15 minutes, during which the platform would remain unavailable. This is now fixed by setting the TCP_USER_TIMEOUT socket option, which controls how long transmitted data can be unacknowledged before the connection is forcefully closed. (BZ#1907939)\n\n* Previously, the quota controllers only worked on resources retrieved from the discovery endpoint, which might contain only a fraction of all resources due to a network error. This is now fixed by having the quota controllers periodically resync when new resources are observed from the discovery endpoint. (BZ#1910096)\n\n* Previously, the kuryr-controller was comparing security groups related to\nnetwork policies incorrectly. This caused security rules related to a\nnetwork policy to be recreated on every minor update of that network\npolicy. This bug has been fixed, allowing network policy updates that\nalready have existing rules to be preserved; network policy additions or\ndeletions are performed, if needed. (BZ#1910221)\n\nYou may download the oc tool and use it to inspect release image metadata as follows:\n\n(For x86_64 architecture)\n\n $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.4.33-x86_64\n\nThe image digest is sha256:a035dddd8a5e5c99484138951ef4aba021799b77eb9046f683a5466c23717738\n\n(For s390x architecture)\n\n $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.4.33-s390x\n\nThe image digest is sha256:ecc1e5aaf8496dd60a7703562fd6c65541172a56ae9008fce6db5d55e43371dc\n\n(For ppc64le architecture)\n\n $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.4.33-ppc64le\n\nThe image digest is sha256:567bf8031c80b08e3e56a57e1c8e5b0b01a2f922e01b36ee333f6ab5bff95495\n\nAll OpenShift Container Platform 4.4 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available\nat https://docs.openshift.com/container-platform/4.4/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-03T10:03:50", "type": "redhat", "title": "(RHSA-2021:0281) Important: OpenShift Container Platform 4.4.33 bug fix and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14382", "CVE-2020-2304", "CVE-2020-2305", "CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687", "CVE-2020-25694", "CVE-2020-25696", "CVE-2020-8559", "CVE-2020-8564", "CVE-2021-20182"], "modified": "2021-02-03T10:05:11", "id": "RHSA-2021:0281", "href": "https://access.redhat.com/errata/RHSA-2021:0281", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2023-12-03T20:41:19", "description": "OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.\n\nThis advisory contains the following OpenShift Virtualization 2.6.0 images:\n\nRHEL-8-CNV-2.6\n==============\nkubevirt-cpu-node-labeller-container-v2.6.0-5\nkubevirt-cpu-model-nfd-plugin-container-v2.6.0-5\nnode-maintenance-operator-container-v2.6.0-13\nkubevirt-vmware-container-v2.6.0-5\nvirtio-win-container-v2.6.0-5\nkubevirt-kvm-info-nfd-plugin-container-v2.6.0-5\nbridge-marker-container-v2.6.0-9\nkubevirt-template-validator-container-v2.6.0-9\nkubevirt-v2v-conversion-container-v2.6.0-6\nkubemacpool-container-v2.6.0-13\nkubevirt-ssp-operator-container-v2.6.0-40\nhyperconverged-cluster-webhook-container-v2.6.0-73\nhyperconverged-cluster-operator-container-v2.6.0-73\novs-cni-plugin-container-v2.6.0-10\ncnv-containernetworking-plugins-container-v2.6.0-10\novs-cni-marker-container-v2.6.0-10\ncluster-network-addons-operator-container-v2.6.0-16\nhostpath-provisioner-container-v2.6.0-11\nhostpath-provisioner-operator-container-v2.6.0-14\nvm-import-virtv2v-container-v2.6.0-21\nkubernetes-nmstate-handler-container-v2.6.0-19\nvm-import-controller-container-v2.6.0-21\nvm-import-operator-container-v2.6.0-21\nvirt-api-container-v2.6.0-111\nvirt-controller-container-v2.6.0-111\nvirt-handler-container-v2.6.0-111\nvirt-operator-container-v2.6.0-111\nvirt-launcher-container-v2.6.0-111\ncnv-must-gather-container-v2.6.0-54\nvirt-cdi-importer-container-v2.6.0-24\nvirt-cdi-cloner-container-v2.6.0-24\nvirt-cdi-controller-container-v2.6.0-24\nvirt-cdi-uploadserver-container-v2.6.0-24\nvirt-cdi-apiserver-container-v2.6.0-24\nvirt-cdi-uploadproxy-container-v2.6.0-24\nvirt-cdi-operator-container-v2.6.0-24\nhco-bundle-registry-container-v2.6.0-582\n\nSecurity Fix(es):\n\n* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)\n\n* golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference (CVE-2020-29652)\n\n* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\n* golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)\n\n* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)\n\n* jwt-go: access restriction bypass vulnerability (CVE-2020-26160)\n\n* golang-github-gorilla-websocket: integer overflow leads to denial of service (CVE-2020-27813)\n\n* golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)\n\n* containernetworking-cni: Arbitrary path injection via type field in CNI configuration (CVE-2021-20206)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-10T08:47:39", "type": "redhat", "title": "(RHSA-2021:0799) Moderate: OpenShift Virtualization 2.6.0 security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10103", "CVE-2018-10105", "CVE-2018-14461", "CVE-2018-14462", "CVE-2018-14463", "CVE-2018-14464", "CVE-2018-14465", "CVE-2018-14466", "CVE-2018-14467", "CVE-2018-14468", "CVE-2018-14469", "CVE-2018-14470", "CVE-2018-14879", "CVE-2018-14880", "CVE-2018-14881", "CVE-2018-14882", "CVE-2018-16227", "CVE-2018-16228", "CVE-2018-16229", "CVE-2018-16230", "CVE-2018-16300", "CVE-2018-16451", "CVE-2018-16452", "CVE-2018-20843", "CVE-2019-11068", "CVE-2019-13050", "CVE-2019-13627", "CVE-2019-14559", "CVE-2019-14889", "CVE-2019-15165", "CVE-2019-15166", "CVE-2019-15903", "CVE-2019-16168", "CVE-2019-16935", "CVE-2019-17450", "CVE-2019-18197", "CVE-2019-19221", "CVE-2019-19906", "CVE-2019-19956", "CVE-2019-20218", "CVE-2019-20387", "CVE-2019-20388", "CVE-2019-20454", "CVE-2019-20807", "CVE-2019-20907", "CVE-2019-20916", "CVE-2019-5018", "CVE-2019-8625", "CVE-2019-8710", "CVE-2019-8720", "CVE-2019-8743", "CVE-2019-8764", "CVE-2019-8766", "CVE-2019-8769", "CVE-2019-8771", "CVE-2019-8782", "CVE-2019-8783", "CVE-2019-8808", "CVE-2019-8811", "CVE-2019-8812", "CVE-2019-8813", "CVE-2019-8814", "CVE-2019-8815", "CVE-2019-8816", "CVE-2019-8819", "CVE-2019-8820", "CVE-2019-8823", "CVE-2019-8835", "CVE-2019-8844", "CVE-2019-8846", "CVE-2020-10018", "CVE-2020-10029", "CVE-2020-11793", "CVE-2020-12321", "CVE-2020-12400", "CVE-2020-12403", "CVE-2020-13630", "CVE-2020-13631", "CVE-2020-13632", "CVE-2020-14040", "CVE-2020-14351", "CVE-2020-14382", "CVE-2020-14391", "CVE-2020-14422", "CVE-2020-15503", "CVE-2020-15586", "CVE-2020-15999", "CVE-2020-16845", "CVE-2020-1730", "CVE-2020-1751", "CVE-2020-1752", "CVE-2020-1971", "CVE-2020-24659", "CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687", "CVE-2020-25705", "CVE-2020-26160", "CVE-2020-27813", "CVE-2020-28362", "CVE-2020-29652", "CVE-2020-29661", "CVE-2020-3862", "CVE-2020-3864", "CVE-2020-3865", "CVE-2020-3867", "CVE-2020-3868", "CVE-2020-3885", "CVE-2020-3894", "CVE-2020-3895", "CVE-2020-3897", "CVE-2020-3899", "CVE-2020-3900", "CVE-2020-3901", "CVE-2020-3902", "CVE-2020-6405", "CVE-2020-6829", "CVE-2020-7595", "CVE-2020-8492", "CVE-2020-8619", "CVE-2020-8622", "CVE-2020-8623", "CVE-2020-8624", "CVE-2020-9283", "CVE-2020-9327", "CVE-2020-9802", "CVE-2020-9803", "CVE-2020-9805", "CVE-2020-9806", "CVE-2020-9807", "CVE-2020-9843", "CVE-2020-9850", "CVE-2020-9862", "CVE-2020-9893", "CVE-2020-9894", "CVE-2020-9895", "CVE-2020-9915", "CVE-2020-9925", "CVE-2021-20206", "CVE-2021-3121", "CVE-2021-3156"], "modified": "2021-03-10T08:48:38", "id": "RHSA-2021:0799", "href": "https://access.redhat.com/errata/RHSA-2021:0799", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T20:41:19", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the container images for Red Hat OpenShift Container\nPlatform 4.7.0. See the following advisory for the RPM packages for this\nrelease:\n\nhttps://access.redhat.com/errata/RHSA-2020:5634\n\nSpace precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nYou may download the oc tool and use it to inspect release image metadata as follows:\n\n(For x86_64 architecture)\n\n $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.0-x86_64\n\nThe image digest is sha256:d74b1cfa81f8c9cc23336aee72d8ae9c9905e62c4874b071317a078c316f8a70\n\n(For s390x architecture)\n\n $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.0-s390x\n\nThe image digest is sha256:a68ca03d87496ddfea0ac26b82af77231583a58a7836b95de85efe5e390ad45d\n\n(For ppc64le architecture)\n\n $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.0-ppc64le\n\nThe image digest is sha256:bc7b04e038c8ff3a33b827f4ee19aa79b26e14c359a7dcc1ced9f3b58e5f1ac6\n\nAll OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor.\n\nSecurity Fix(es):\n\n* crewjam/saml: authentication bypass in saml authentication (CVE-2020-27846)\n\n* golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference (CVE-2020-29652)\n\n* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)\n\n* nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)\n\n* kubernetes: Secret leaks in kube-controller-manager when using vSphere Provider (CVE-2020-8563)\n\n* containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters (CVE-2020-10749)\n\n* heketi: gluster-block volume password details available in logs (CVE-2020-10763)\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\n* jwt-go: access restriction bypass vulnerability (CVE-2020-26160)\n\n* golang-github-gorilla-websocket: integer overflow leads to denial of service (CVE-2020-27813)\n\n* golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T14:49:26", "type": "redhat", "title": "(RHSA-2020:5633) Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10103", "CVE-2018-10105", "CVE-2018-14461", "CVE-2018-14462", "CVE-2018-14463", "CVE-2018-14464", "CVE-2018-14465", "CVE-2018-14466", "CVE-2018-14467", "CVE-2018-14468", "CVE-2018-14469", "CVE-2018-14470", "CVE-2018-14553", "CVE-2018-14879", "CVE-2018-14880", "CVE-2018-14881", "CVE-2018-14882", "CVE-2018-16227", "CVE-2018-16228", "CVE-2018-16229", "CVE-2018-16230", "CVE-2018-16300", "CVE-2018-16451", "CVE-2018-16452", "CVE-2018-20843", "CVE-2019-11068", "CVE-2019-12614", "CVE-2019-13050", "CVE-2019-13225", "CVE-2019-13627", "CVE-2019-14889", "CVE-2019-15165", "CVE-2019-15166", "CVE-2019-15903", "CVE-2019-15917", "CVE-2019-15925", "CVE-2019-16167", "CVE-2019-16168", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-16935", "CVE-2019-17450", "CVE-2019-17546", "CVE-2019-18197", "CVE-2019-18808", "CVE-2019-18809", "CVE-2019-19046", "CVE-2019-19056", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19068", "CVE-2019-19072", "CVE-2019-19221", "CVE-2019-19319", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19524", "CVE-2019-19533", "CVE-2019-19537", "CVE-2019-19543", "CVE-2019-19602", "CVE-2019-19767", "CVE-2019-19770", "CVE-2019-19906", "CVE-2019-19956", "CVE-2019-20054", "CVE-2019-20218", "CVE-2019-20386", "CVE-2019-20387", "CVE-2019-20388", "CVE-2019-20454", "CVE-2019-20636", "CVE-2019-20807", "CVE-2019-20812", "CVE-2019-20907", "CVE-2019-20916", "CVE-2019-3884", "CVE-2019-5018", "CVE-2019-6977", "CVE-2019-6978", "CVE-2019-8625", "CVE-2019-8710", "CVE-2019-8720", "CVE-2019-8743", "CVE-2019-8764", "CVE-2019-8766", "CVE-2019-8769", "CVE-2019-8771", "CVE-2019-8782", "CVE-2019-8783", "CVE-2019-8808", "CVE-2019-8811", "CVE-2019-8812", "CVE-2019-8813", "CVE-2019-8814", "CVE-2019-8815", "CVE-2019-8816", "CVE-2019-8819", "CVE-2019-8820", "CVE-2019-8823", "CVE-2019-8835", "CVE-2019-8844", "CVE-2019-8846", "CVE-2019-9455", "CVE-2019-9458", "CVE-2020-0305", "CVE-2020-0444", "CVE-2020-10018", "CVE-2020-10029", "CVE-2020-10732", "CVE-2020-10749", "CVE-2020-10751", "CVE-2020-10763", "CVE-2020-10773", "CVE-2020-10774", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-11668", "CVE-2020-11793", "CVE-2020-12465", "CVE-2020-12655", "CVE-2020-12659", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-13249", "CVE-2020-13630", "CVE-2020-13631", "CVE-2020-13632", "CVE-2020-14019", "CVE-2020-14040", "CVE-2020-14381", "CVE-2020-14382", "CVE-2020-14391", "CVE-2020-14422", "CVE-2020-15157", "CVE-2020-15503", "CVE-2020-15862", "CVE-2020-15999", "CVE-2020-16166", "CVE-2020-1716", "CVE-2020-1730", "CVE-2020-1751", "CVE-2020-1752", "CVE-2020-1971", "CVE-2020-24490", "CVE-2020-24659", "CVE-2020-25211", "CVE-2020-25641", "CVE-2020-25658", "CVE-2020-25661", "CVE-2020-25662", "CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687", "CVE-2020-25694", "CVE-2020-25696", "CVE-2020-2574", "CVE-2020-26160", "CVE-2020-2752", "CVE-2020-27813", "CVE-2020-27846", "CVE-2020-28362", "CVE-2020-2922", "CVE-2020-29652", "CVE-2020-3862", "CVE-2020-3864", "CVE-2020-3865", "CVE-2020-3867", "CVE-2020-3868", "CVE-2020-3885", "CVE-2020-3894", "CVE-2020-3895", "CVE-2020-3897", "CVE-2020-3898", "CVE-2020-3899", "CVE-2020-3900", "CVE-2020-3901", "CVE-2020-3902", "CVE-2020-6405", "CVE-2020-7595", "CVE-2020-7774", "CVE-2020-8177", "CVE-2020-8492", "CVE-2020-8563", "CVE-2020-8566", "CVE-2020-8619", "CVE-2020-8622", "CVE-2020-8623", "CVE-2020-8624", "CVE-2020-8647", "CVE-2020-8648", "CVE-2020-8649", "CVE-2020-9327", "CVE-2020-9802", "CVE-2020-9803", "CVE-2020-9805", "CVE-2020-9806", "CVE-2020-9807", "CVE-2020-9843", "CVE-2020-9850", "CVE-2020-9862", "CVE-2020-9893", "CVE-2020-9894", "CVE-2020-9895", "CVE-2020-9915", "CVE-2020-9925", "CVE-2021-2007", "CVE-2021-26539", "CVE-2021-3121"], "modified": "2021-03-02T01:56:45", "id": "RHSA-2020:5633", "href": "https://access.redhat.com/errata/RHSA-2020:5633", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-05-18T15:23:09", "description": "The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:0153 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-26T00:00:00", "type": "nessus", "title": "CentOS 7 : dnsmasq (CESA-2021:0153)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:centos:centos:dnsmasq", "p-cpe:/a:centos:centos:dnsmasq-utils", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2021-0153.NASL", "href": "https://www.tenable.com/plugins/nessus/145439", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0153 and\n# CentOS Errata and Security Advisory 2021:0153 respectively.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145439);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-25684\", \"CVE-2020-25685\", \"CVE-2020-25686\");\n script_xref(name:\"RHSA\", value:\"2021:0153\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"CentOS 7 : dnsmasq (CESA-2021:0153)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2021:0153 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://lists.centos.org/pipermail/centos-announce/2021-January/048251.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?09cecf18\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/358.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25686\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(358);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'CentOS 7.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\npkgs = [\n {'reference':'dnsmasq-2.76-16.el7_9.1', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'dnsmasq-utils-2.76-16.el7_9.1', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:47", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0240 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-25T00:00:00", "type": "nessus", "title": "RHEL 7 : dnsmasq (RHSA-2021:0240)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2023-01-23T00:00:00", "cpe": ["cpe:/o:redhat:rhel_aus:7.2", "p-cpe:/a:redhat:enterprise_linux:dnsmasq", "p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils"], "id": "REDHAT-RHSA-2021-0240.NASL", "href": "https://www.tenable.com/plugins/nessus/145403", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0240. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145403);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/23\");\n\n script_cve_id(\"CVE-2020-25684\", \"CVE-2020-25685\", \"CVE-2020-25686\");\n script_xref(name:\"RHSA\", value:\"2021:0240\");\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"RHEL 7 : dnsmasq (RHSA-2021:0240)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0240 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0240\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1890125\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25686\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(290, 326, 358);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '7.2')) audit(AUDIT_OS_NOT, 'Red Hat 7.2', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel/server/7/7.2/x86_64/debug',\n 'content/aus/rhel/server/7/7.2/x86_64/optional/debug',\n 'content/aus/rhel/server/7/7.2/x86_64/optional/os',\n 'content/aus/rhel/server/7/7.2/x86_64/optional/source/SRPMS',\n 'content/aus/rhel/server/7/7.2/x86_64/os',\n 'content/aus/rhel/server/7/7.2/x86_64/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'dnsmasq-2.66-14.el7_2.3', 'sp':'2', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.66-14.el7_2.3', 'sp':'2', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Advanced Update Support repository.\\n' +\n 'Access to this repository requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:08", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0245 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-25T00:00:00", "type": "nessus", "title": "RHEL 7 : dnsmasq (RHSA-2021:0245)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2023-01-23T00:00:00", "cpe": ["cpe:/o:redhat:rhel_aus:7.3", "p-cpe:/a:redhat:enterprise_linux:dnsmasq", "p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils"], "id": "REDHAT-RHSA-2021-0245.NASL", "href": "https://www.tenable.com/plugins/nessus/145404", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0245. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145404);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/23\");\n\n script_cve_id(\"CVE-2020-25684\", \"CVE-2020-25685\", \"CVE-2020-25686\");\n script_xref(name:\"RHSA\", value:\"2021:0245\");\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"RHEL 7 : dnsmasq (RHSA-2021:0245)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0245 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0245\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1890125\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25686\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(290, 326, 358);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '7.3')) audit(AUDIT_OS_NOT, 'Red Hat 7.3', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel/server/7/7.3/x86_64/debug',\n 'content/aus/rhel/server/7/7.3/x86_64/optional/debug',\n 'content/aus/rhel/server/7/7.3/x86_64/optional/os',\n 'content/aus/rhel/server/7/7.3/x86_64/optional/source/SRPMS',\n 'content/aus/rhel/server/7/7.3/x86_64/os',\n 'content/aus/rhel/server/7/7.3/x86_64/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'dnsmasq-2.66-21.el7_3.3', 'sp':'3', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.66-21.el7_3.3', 'sp':'3', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Advanced Update Support repository.\\n' +\n 'Access to this repository requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:00:06", "description": "The version of dnsmasq installed on the remote host is prior to 2.76-16. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1587 advisory.\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-26T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : dnsmasq (ALAS-2021-1587)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:dnsmasq", "p-cpe:/a:amazon:linux:dnsmasq-debuginfo", "p-cpe:/a:amazon:linux:dnsmasq-utils", "cpe:/o:amazon:linux:2"], "id": "AL2_ALAS-2021-1587.NASL", "href": "https://www.tenable.com/plugins/nessus/145454", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2021-1587.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145454);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-25684\", \"CVE-2020-25685\", \"CVE-2020-25686\");\n script_xref(name:\"ALAS\", value:\"2021-1587\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Amazon Linux 2 : dnsmasq (ALAS-2021-1587)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of dnsmasq installed on the remote host is prior to 2.76-16. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS2-2021-1587 advisory.\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in the forward.c:reply_query() if the reply destination address/port is used by the pending\n forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query,\n substantially reducing the number of attempts an attacker on the network would have to perform to forge a\n reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's\n attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful\n attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a\n weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1\n when it is) this flaw allows an off-path attacker to find several different domains all having the same\n hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the\n attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards a new request. By default, a maximum of 150\n pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that\n it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the\n Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a\n successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2021-1587.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update dnsmasq' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25686\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\npkgs = [\n {'reference':'dnsmasq-2.76-16.amzn2.1.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'dnsmasq-2.76-16.amzn2.1.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'dnsmasq-2.76-16.amzn2.1.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'dnsmasq-debuginfo-2.76-16.amzn2.1.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'dnsmasq-debuginfo-2.76-16.amzn2.1.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'dnsmasq-debuginfo-2.76-16.amzn2.1.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'dnsmasq-utils-2.76-16.amzn2.1.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'dnsmasq-utils-2.76-16.amzn2.1.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'dnsmasq-utils-2.76-16.amzn2.1.1', 'cpu':'x86_64', 'release':'AL2'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq / dnsmasq-debuginfo / dnsmasq-utils\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:10:31", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0153 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-19T00:00:00", "type": "nessus", "title": "RHEL 7 : dnsmasq (RHSA-2021:0153)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:dnsmasq", "p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils"], "id": "REDHAT-RHSA-2021-0153.NASL", "href": "https://www.tenable.com/plugins/nessus/145087", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0153. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145087);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\"CVE-2020-25684\", \"CVE-2020-25685\", \"CVE-2020-25686\");\n script_xref(name:\"RHSA\", value:\"2021:0153\");\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"RHEL 7 : dnsmasq (RHSA-2021:0153)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0153 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0153\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1890125\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25686\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(290, 326, 358);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/optional/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/optional/os',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/optional/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/os',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/supplementary/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/debug',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/optional/debug',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/optional/os',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/optional/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/os',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/source/SRPMS',\n 'content/dist/rhel/client/7/7Client/x86_64/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/optional/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/optional/os',\n 'content/dist/rhel/client/7/7Client/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/client/7/7Client/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/client/7/7Client/x86_64/os',\n 'content/dist/rhel/client/7/7Client/x86_64/source/SRPMS',\n 'content/dist/rhel/client/7/7Client/x86_64/supplementary/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/supplementary/os',\n 'content/dist/rhel/client/7/7Client/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/debug',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/optional/debug',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/optional/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/source/SRPMS',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/supplementary/debug',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/supplementary/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/highavailability/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/highavailability/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/optional/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/optional/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/optional/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/resilientstorage/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/resilientstorage/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap-hana/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap-hana/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap-hana/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/supplementary/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/supplementary/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/optional/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/optional/os',\n 'content/dist/rhel/power/7/7Server/ppc64/optional/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/os',\n 'content/dist/rhel/power/7/7Server/ppc64/sap/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/sap/os',\n 'content/dist/rhel/power/7/7Server/ppc64/sap/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/supplementary/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/supplementary/os',\n 'content/dist/rhel/power/7/7Server/ppc64/supplementary/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/highavailability/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/highavailability/os',\n 'content/dist/rhel/server/7/7Server/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/nfv/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/nfv/os',\n 'content/dist/rhel/server/7/7Server/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/optional/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/optional/os',\n 'content/dist/rhel/server/7/7Server/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/server/7/7Server/x86_64/os',\n 'content/dist/rhel/server/7/7Server/x86_64/resilientstorage/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/resilientstorage/os',\n 'content/dist/rhel/server/7/7Server/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rt/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rt/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rt/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/sap-hana/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/sap-hana/os',\n 'content/dist/rhel/server/7/7Server/x86_64/sap-hana/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/sap/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/sap/os',\n 'content/dist/rhel/server/7/7Server/x86_64/sap/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/supplementary/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/supplementary/os',\n 'content/dist/rhel/server/7/7Server/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/highavailability/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/highavailability/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/highavailability/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/optional/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/optional/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/optional/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/resilientstorage/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/resilientstorage/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/resilientstorage/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/sap/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/sap/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/sap/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/supplementary/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/supplementary/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/supplementary/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/optional/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/optional/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/supplementary/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/supplementary/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/supplementary/source/SRPMS',\n 'content/fastrack/rhel/client/7/x86_64/debug',\n 'content/fastrack/rhel/client/7/x86_64/optional/debug',\n 'content/fastrack/rhel/client/7/x86_64/optional/os',\n 'content/fastrack/rhel/client/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/client/7/x86_64/os',\n 'content/fastrack/rhel/client/7/x86_64/source/SRPMS',\n 'content/fastrack/rhel/computenode/7/x86_64/debug',\n 'content/fastrack/rhel/computenode/7/x86_64/optional/debug',\n 'content/fastrack/rhel/computenode/7/x86_64/optional/os',\n 'content/fastrack/rhel/computenode/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/computenode/7/x86_64/os',\n 'content/fastrack/rhel/computenode/7/x86_64/source/SRPMS',\n 'content/fastrack/rhel/power/7/ppc64/debug',\n 'content/fastrack/rhel/power/7/ppc64/optional/debug',\n 'content/fastrack/rhel/power/7/ppc64/optional/os',\n 'content/fastrack/rhel/power/7/ppc64/optional/source/SRPMS',\n 'content/fastrack/rhel/power/7/ppc64/os',\n 'content/fastrack/rhel/power/7/ppc64/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/debug',\n 'content/fastrack/rhel/server/7/x86_64/highavailability/debug',\n 'content/fastrack/rhel/server/7/x86_64/highavailability/os',\n 'content/fastrack/rhel/server/7/x86_64/highavailability/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/optional/debug',\n 'content/fastrack/rhel/server/7/x86_64/optional/os',\n 'content/fastrack/rhel/server/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/os',\n 'content/fastrack/rhel/server/7/x86_64/resilientstorage/debug',\n 'content/fastrack/rhel/server/7/x86_64/resilientstorage/os',\n 'content/fastrack/rhel/server/7/x86_64/resilientstorage/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/source/SRPMS',\n 'content/fastrack/rhel/system-z/7/s390x/debug',\n 'content/fastrack/rhel/system-z/7/s390x/optional/debug',\n 'content/fastrack/rhel/system-z/7/s390x/optional/os',\n 'content/fastrack/rhel/system-z/7/s390x/optional/source/SRPMS',\n 'content/fastrack/rhel/system-z/7/s390x/os',\n 'content/fastrack/rhel/system-z/7/s390x/source/SRPMS',\n 'content/fastrack/rhel/workstation/7/x86_64/debug',\n 'content/fastrack/rhel/workstation/7/x86_64/optional/debug',\n 'content/fastrack/rhel/workstation/7/x86_64/optional/os',\n 'content/fastrack/rhel/workstation/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/workstation/7/x86_64/os',\n 'content/fastrack/rhel/workstation/7/x86_64/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'dnsmasq-2.76-16.el7_9.1', 'cpu':'ppc64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-2.76-16.el7_9.1', 'cpu':'ppc64le', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-2.76-16.el7_9.1', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-2.76-16.el7_9.1', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.76-16.el7_9.1', 'cpu':'ppc64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.76-16.el7_9.1', 'cpu':'ppc64le', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.76-16.el7_9.1', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.76-16.el7_9.1', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:12:35", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0155 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-19T00:00:00", "type": "nessus", "title": "RHEL 7 : dnsmasq (RHSA-2021:0155)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:rhel_aus:7.6", "cpe:/o:redhat:rhel_e4s:7.6", "cpe:/o:redhat:rhel_eus:7.6", "cpe:/o:redhat:rhel_tus:7.6", "p-cpe:/a:redhat:enterprise_linux:dnsmasq", "p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils"], "id": "REDHAT-RHSA-2021-0155.NASL", "href": "https://www.tenable.com/plugins/nessus/145085", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0155. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145085);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\"CVE-2020-25684\", \"CVE-2020-25685\", \"CVE-2020-25686\");\n script_xref(name:\"RHSA\", value:\"2021:0155\");\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"RHEL 7 : dnsmasq (RHSA-2021:0155)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0155 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0155\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1890125\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25686\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(290, 326, 358);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '7.6')) audit(AUDIT_OS_NOT, 'Red Hat 7.6', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel/server/7/7.6/x86_64/debug',\n 'content/aus/rhel/server/7/7.6/x86_64/optional/debug',\n 'content/aus/rhel/server/7/7.6/x86_64/optional/os',\n 'content/aus/rhel/server/7/7.6/x86_64/optional/source/SRPMS',\n 'content/aus/rhel/server/7/7.6/x86_64/os',\n 'content/aus/rhel/server/7/7.6/x86_64/source/SRPMS',\n 'content/e4s/rhel/power-le/7/7.6/ppc64le/debug',\n 'content/e4s/rhel/power-le/7/7.6/ppc64le/highavailability/debug',\n 'content/e4s/rhel/power-le/7/7.6/ppc64le/highavailability/os',\n 'content/e4s/rhel/power-le/7/7.6/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel/power-le/7/7.6/ppc64le/optional/debug',\n 'content/e4s/rhel/power-le/7/7.6/ppc64le/optional/os',\n 'content/e4s/rhel/power-le/7/7.6/ppc64le/optional/source/SRPMS',\n 'content/e4s/rhel/power-le/7/7.6/ppc64le/os',\n 'content/e4s/rhel/power-le/7/7.6/ppc64le/sap-hana/debug',\n 'content/e4s/rhel/power-le/7/7.6/ppc64le/sap-hana/os',\n 'content/e4s/rhel/power-le/7/7.6/ppc64le/sap-hana/source/SRPMS',\n 'content/e4s/rhel/power-le/7/7.6/ppc64le/sap/debug',\n 'content/e4s/rhel/power-le/7/7.6/ppc64le/sap/os',\n 'content/e4s/rhel/power-le/7/7.6/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel/power-le/7/7.6/ppc64le/source/SRPMS',\n 'content/e4s/rhel/server/7/7.6/x86_64/debug',\n 'content/e4s/rhel/server/7/7.6/x86_64/highavailability/debug',\n 'content/e4s/rhel/server/7/7.6/x86_64/highavailability/os',\n 'content/e4s/rhel/server/7/7.6/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel/server/7/7.6/x86_64/optional/debug',\n 'content/e4s/rhel/server/7/7.6/x86_64/optional/os',\n 'content/e4s/rhel/server/7/7.6/x86_64/optional/source/SRPMS',\n 'content/e4s/rhel/server/7/7.6/x86_64/os',\n 'content/e4s/rhel/server/7/7.6/x86_64/sap-hana/debug',\n 'content/e4s/rhel/server/7/7.6/x86_64/sap-hana/os',\n 'content/e4s/rhel/server/7/7.6/x86_64/sap-hana/source/SRPMS',\n 'content/e4s/rhel/server/7/7.6/x86_64/sap/debug',\n 'content/e4s/rhel/server/7/7.6/x86_64/sap/os',\n 'content/e4s/rhel/server/7/7.6/x86_64/sap/source/SRPMS',\n 'content/e4s/rhel/server/7/7.6/x86_64/source/SRPMS',\n 'content/eus/rhel/computenode/7/7.6/x86_64/debug',\n 'content/eus/rhel/computenode/7/7.6/x86_64/optional/debug',\n 'content/eus/rhel/computenode/7/7.6/x86_64/optional/os',\n 'content/eus/rhel/computenode/7/7.6/x86_64/optional/source/SRPMS',\n 'content/eus/rhel/computenode/7/7.6/x86_64/os',\n 'content/eus/rhel/computenode/7/7.6/x86_64/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/debug',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/highavailability/debug',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/highavailability/os',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/optional/debug',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/optional/os',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/optional/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/os',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/resilientstorage/debug',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/resilientstorage/os',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/sap-hana/debug',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/sap-hana/os',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/sap-hana/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/sap/debug',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/sap/os',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.6/ppc64le/source/SRPMS',\n 'content/eus/rhel/power/7/7.6/ppc64/debug',\n 'content/eus/rhel/power/7/7.6/ppc64/optional/debug',\n 'content/eus/rhel/power/7/7.6/ppc64/optional/os',\n 'content/eus/rhel/power/7/7.6/ppc64/optional/source/SRPMS',\n 'content/eus/rhel/power/7/7.6/ppc64/os',\n 'content/eus/rhel/power/7/7.6/ppc64/sap/debug',\n 'content/eus/rhel/power/7/7.6/ppc64/sap/os',\n 'content/eus/rhel/power/7/7.6/ppc64/sap/source/SRPMS',\n 'content/eus/rhel/power/7/7.6/ppc64/source/SRPMS',\n 'content/eus/rhel/server/7/7.6/x86_64/debug',\n 'content/eus/rhel/server/7/7.6/x86_64/highavailability/debug',\n 'content/eus/rhel/server/7/7.6/x86_64/highavailability/os',\n 'content/eus/rhel/server/7/7.6/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel/server/7/7.6/x86_64/optional/debug',\n 'content/eus/rhel/server/7/7.6/x86_64/optional/os',\n 'content/eus/rhel/server/7/7.6/x86_64/optional/source/SRPMS',\n 'content/eus/rhel/server/7/7.6/x86_64/os',\n 'content/eus/rhel/server/7/7.6/x86_64/resilientstorage/debug',\n 'content/eus/rhel/server/7/7.6/x86_64/resilientstorage/os',\n 'content/eus/rhel/server/7/7.6/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel/server/7/7.6/x86_64/sap-hana/debug',\n 'content/eus/rhel/server/7/7.6/x86_64/sap-hana/os',\n 'content/eus/rhel/server/7/7.6/x86_64/sap-hana/source/SRPMS',\n 'content/eus/rhel/server/7/7.6/x86_64/sap/debug',\n 'content/eus/rhel/server/7/7.6/x86_64/sap/os',\n 'content/eus/rhel/server/7/7.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel/server/7/7.6/x86_64/source/SRPMS',\n 'content/eus/rhel/system-z/7/7.6/s390x/debug',\n 'content/eus/rhel/system-z/7/7.6/s390x/optional/debug',\n 'content/eus/rhel/system-z/7/7.6/s390x/optional/os',\n 'content/eus/rhel/system-z/7/7.6/s390x/optional/source/SRPMS',\n 'content/eus/rhel/system-z/7/7.6/s390x/os',\n 'content/eus/rhel/system-z/7/7.6/s390x/sap/debug',\n 'content/eus/rhel/system-z/7/7.6/s390x/sap/os',\n 'content/eus/rhel/system-z/7/7.6/s390x/sap/source/SRPMS',\n 'content/eus/rhel/system-z/7/7.6/s390x/source/SRPMS',\n 'content/tus/rhel/server/7/7.6/x86_64/debug',\n 'content/tus/rhel/server/7/7.6/x86_64/highavailability/debug',\n 'content/tus/rhel/server/7/7.6/x86_64/highavailability/os',\n 'content/tus/rhel/server/7/7.6/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel/server/7/7.6/x86_64/optional/debug',\n 'content/tus/rhel/server/7/7.6/x86_64/optional/os',\n 'content/tus/rhel/server/7/7.6/x86_64/optional/source/SRPMS',\n 'content/tus/rhel/server/7/7.6/x86_64/os',\n 'content/tus/rhel/server/7/7.6/x86_64/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'dnsmasq-2.76-7.el7_6.2', 'sp':'6', 'cpu':'ppc64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-2.76-7.el7_6.2', 'sp':'6', 'cpu':'ppc64le', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-2.76-7.el7_6.2', 'sp':'6', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-2.76-7.el7_6.2', 'sp':'6', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.76-7.el7_6.2', 'sp':'6', 'cpu':'ppc64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.76-7.el7_6.2', 'sp':'6', 'cpu':'ppc64le', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.76-7.el7_6.2', 'sp':'6', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.76-7.el7_6.2', 'sp':'6', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Advanced Update Support, Extended Update Support, Telco Extended Update Support or Update Services for SAP Solutions repositories.\\n' +\n 'Access to these repositories requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:24", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0156 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-19T00:00:00", "type": "nessus", "title": "RHEL 7 : dnsmasq (RHSA-2021:0156)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2023-01-23T00:00:00", "cpe": ["cpe:/o:redhat:rhel_aus:7.4", "cpe:/o:redhat:rhel_e4s:7.4", "cpe:/o:redhat:rhel_tus:7.4", "p-cpe:/a:redhat:enterprise_linux:dnsmasq", "p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils"], "id": "REDHAT-RHSA-2021-0156.NASL", "href": "https://www.tenable.com/plugins/nessus/145083", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0156. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145083);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/23\");\n\n script_cve_id(\"CVE-2020-25684\", \"CVE-2020-25685\", \"CVE-2020-25686\");\n script_xref(name:\"RHSA\", value:\"2021:0156\");\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"RHEL 7 : dnsmasq (RHSA-2021:0156)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0156 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0156\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1890125\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25686\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(290, 326, 358);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '7.4')) audit(AUDIT_OS_NOT, 'Red Hat 7.4', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel/server/7/7.4/x86_64/debug',\n 'content/aus/rhel/server/7/7.4/x86_64/optional/debug',\n 'content/aus/rhel/server/7/7.4/x86_64/optional/os',\n 'content/aus/rhel/server/7/7.4/x86_64/optional/source/SRPMS',\n 'content/aus/rhel/server/7/7.4/x86_64/os',\n 'content/aus/rhel/server/7/7.4/x86_64/source/SRPMS',\n 'content/e4s/rhel/server/7/7.4/x86_64/debug',\n 'content/e4s/rhel/server/7/7.4/x86_64/highavailability/debug',\n 'content/e4s/rhel/server/7/7.4/x86_64/highavailability/os',\n 'content/e4s/rhel/server/7/7.4/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel/server/7/7.4/x86_64/optional/debug',\n 'content/e4s/rhel/server/7/7.4/x86_64/optional/os',\n 'content/e4s/rhel/server/7/7.4/x86_64/optional/source/SRPMS',\n 'content/e4s/rhel/server/7/7.4/x86_64/os',\n 'content/e4s/rhel/server/7/7.4/x86_64/sap-hana/debug',\n 'content/e4s/rhel/server/7/7.4/x86_64/sap-hana/os',\n 'content/e4s/rhel/server/7/7.4/x86_64/sap-hana/source/SRPMS',\n 'content/e4s/rhel/server/7/7.4/x86_64/sap/debug',\n 'content/e4s/rhel/server/7/7.4/x86_64/sap/os',\n 'content/e4s/rhel/server/7/7.4/x86_64/sap/source/SRPMS',\n 'content/e4s/rhel/server/7/7.4/x86_64/source/SRPMS',\n 'content/tus/rhel/server/7/7.4/x86_64/debug',\n 'content/tus/rhel/server/7/7.4/x86_64/optional/debug',\n 'content/tus/rhel/server/7/7.4/x86_64/optional/os',\n 'content/tus/rhel/server/7/7.4/x86_64/optional/source/SRPMS',\n 'content/tus/rhel/server/7/7.4/x86_64/os',\n 'content/tus/rhel/server/7/7.4/x86_64/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'dnsmasq-2.76-2.el7_4.3', 'sp':'4', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.76-2.el7_4.3', 'sp':'4', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Advanced Update Support, Telco Extended Update Support or Update Services for SAP Solutions repositories.\\n' +\n 'Access to these repositories requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:30", "description": "The remote Scientific Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the SLSA-2021:0153-1 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-26T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : dnsmasq on SL7.x x86_64 (2021:0153)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:dnsmasq", "p-cpe:/a:fermilab:scientific_linux:dnsmasq-debuginfo", "p-cpe:/a:fermilab:scientific_linux:dnsmasq-utils"], "id": "SL_20210119_DNSMASQ_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/145438", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145438);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-25684\", \"CVE-2020-25685\", \"CVE-2020-25686\");\n script_xref(name:\"RHSA\", value:\"RHSA-2021:0153\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Scientific Linux Security Update : dnsmasq on SL7.x x86_64 (2021:0153)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Scientific Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Scientific Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SLSA-2021:0153-1 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.scientificlinux.org/category/sl-errata/slsa-20210153-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq, dnsmasq-debuginfo and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25686\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fermilab:scientific_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:dnsmasq-utils\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Scientific Linux' >!< release) audit(AUDIT_OS_NOT, 'Scientific Linux');\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Scientific Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Scientific Linux 7.x', 'Scientific Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Scientific Linux', cpu);\n\npkgs = [\n {'reference':'dnsmasq-2.76-16.el7_9.1', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'dnsmasq-debuginfo-2.76-16.el7_9.1', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'dnsmasq-utils-2.76-16.el7_9.1', 'cpu':'x86_64', 'release':'SL7'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-debuginfo / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:54", "description": "According to the versions of the dnsmasq packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-07-06T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.2.2 : dnsmasq (EulerOS-SA-2021-2134)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils", "cpe:/o:huawei:euleros:uvp:3.0.2.2"], "id": "EULEROS_SA-2021-2134.NASL", "href": "https://www.tenable.com/plugins/nessus/151408", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151408);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-25684\", \"CVE-2020-25685\", \"CVE-2020-25686\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS Virtualization 3.0.2.2 : dnsmasq (EulerOS-SA-2021-2134)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in the forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in forward.c:reply_query(), which is the forwarded\n query that matches the reply, by only using a weak hash\n of the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When\n receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards\n a new request. By default, a maximum of 150 pending\n queries can be sent to upstream servers, so there can\n be at most 150 queries for the same name. This flaw\n allows an off-path attacker on the network to\n substantially reduce the number of attempts that it\n would have to perform to forge a reply and have it\n accepted by dnsmasq. This issue is mentioned in the\n 'Birthday Attacks' section of RFC5452. If chained with\n CVE-2020-25684, the attack complexity of a successful\n attack is reduced. The highest threat from this\n vulnerability is to data integrity.(CVE-2020-25686)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2134\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?52557cee\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.2\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.2\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.76-5.h7.eulerosv2r7\",\n \"dnsmasq-utils-2.76-5.h7.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:11:10", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0154 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-19T00:00:00", "type": "nessus", "title": "RHEL 7 : dnsmasq (RHSA-2021:0154)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:rhel_aus:7.7", "cpe:/o:redhat:rhel_e4s:7.7", "cpe:/o:redhat:rhel_eus:7.7", "cpe:/o:redhat:rhel_tus:7.7", "p-cpe:/a:redhat:enterprise_linux:dnsmasq", "p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils"], "id": "REDHAT-RHSA-2021-0154.NASL", "href": "https://www.tenable.com/plugins/nessus/145079", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0154. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145079);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\"CVE-2020-25684\", \"CVE-2020-25685\", \"CVE-2020-25686\");\n script_xref(name:\"RHSA\", value:\"2021:0154\");\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"RHEL 7 : dnsmasq (RHSA-2021:0154)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0154 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0154\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1890125\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25686\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(290, 326, 358);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:7.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:7.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:7.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:7.7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '7.7')) audit(AUDIT_OS_NOT, 'Red Hat 7.7', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel/server/7/7.7/x86_64/debug',\n 'content/aus/rhel/server/7/7.7/x86_64/optional/debug',\n 'content/aus/rhel/server/7/7.7/x86_64/optional/os',\n 'content/aus/rhel/server/7/7.7/x86_64/optional/source/SRPMS',\n 'content/aus/rhel/server/7/7.7/x86_64/os',\n 'content/aus/rhel/server/7/7.7/x86_64/source/SRPMS',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/debug',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/highavailability/debug',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/highavailability/os',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/optional/debug',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/optional/os',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/optional/source/SRPMS',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/os',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/sap-hana/debug',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/sap-hana/os',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/sap-hana/source/SRPMS',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/sap/debug',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/sap/os',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/source/SRPMS',\n 'content/e4s/rhel/server/7/7.7/x86_64/debug',\n 'content/e4s/rhel/server/7/7.7/x86_64/highavailability/debug',\n 'content/e4s/rhel/server/7/7.7/x86_64/highavailability/os',\n 'content/e4s/rhel/server/7/7.7/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel/server/7/7.7/x86_64/optional/debug',\n 'content/e4s/rhel/server/7/7.7/x86_64/optional/os',\n 'content/e4s/rhel/server/7/7.7/x86_64/optional/source/SRPMS',\n 'content/e4s/rhel/server/7/7.7/x86_64/os',\n 'content/e4s/rhel/server/7/7.7/x86_64/sap-hana/debug',\n 'content/e4s/rhel/server/7/7.7/x86_64/sap-hana/os',\n 'content/e4s/rhel/server/7/7.7/x86_64/sap-hana/source/SRPMS',\n 'content/e4s/rhel/server/7/7.7/x86_64/sap/debug',\n 'content/e4s/rhel/server/7/7.7/x86_64/sap/os',\n 'content/e4s/rhel/server/7/7.7/x86_64/sap/source/SRPMS',\n 'content/e4s/rhel/server/7/7.7/x86_64/source/SRPMS',\n 'content/eus/rhel/computenode/7/7.7/x86_64/debug',\n 'content/eus/rhel/computenode/7/7.7/x86_64/optional/debug',\n 'content/eus/rhel/computenode/7/7.7/x86_64/optional/os',\n 'content/eus/rhel/computenode/7/7.7/x86_64/optional/source/SRPMS',\n 'content/eus/rhel/computenode/7/7.7/x86_64/os',\n 'content/eus/rhel/computenode/7/7.7/x86_64/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/debug',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/highavailability/debug',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/highavailability/os',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/optional/debug',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/optional/os',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/optional/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/os',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/resilientstorage/debug',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/resilientstorage/os',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/sap-hana/debug',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/sap-hana/os',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/sap-hana/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/sap/debug',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/sap/os',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/source/SRPMS',\n 'content/eus/rhel/power/7/7.7/ppc64/debug',\n 'content/eus/rhel/power/7/7.7/ppc64/optional/debug',\n 'content/eus/rhel/power/7/7.7/ppc64/optional/os',\n 'content/eus/rhel/power/7/7.7/ppc64/optional/source/SRPMS',\n 'content/eus/rhel/power/7/7.7/ppc64/os',\n 'content/eus/rhel/power/7/7.7/ppc64/sap/debug',\n 'content/eus/rhel/power/7/7.7/ppc64/sap/os',\n 'content/eus/rhel/power/7/7.7/ppc64/sap/source/SRPMS',\n 'content/eus/rhel/power/7/7.7/ppc64/source/SRPMS',\n 'content/eus/rhel/server/7/7.7/x86_64/debug',\n 'content/eus/rhel/server/7/7.7/x86_64/highavailability/debug',\n 'content/eus/rhel/server/7/7.7/x86_64/highavailability/os',\n 'content/eus/rhel/server/7/7.7/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel/server/7/7.7/x86_64/optional/debug',\n 'content/eus/rhel/server/7/7.7/x86_64/optional/os',\n 'content/eus/rhel/server/7/7.7/x86_64/optional/source/SRPMS',\n 'content/eus/rhel/server/7/7.7/x86_64/os',\n 'content/eus/rhel/server/7/7.7/x86_64/resilientstorage/debug',\n 'content/eus/rhel/server/7/7.7/x86_64/resilientstorage/os',\n 'content/eus/rhel/server/7/7.7/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel/server/7/7.7/x86_64/sap-hana/debug',\n 'content/eus/rhel/server/7/7.7/x86_64/sap-hana/os',\n 'content/eus/rhel/server/7/7.7/x86_64/sap-hana/source/SRPMS',\n 'content/eus/rhel/server/7/7.7/x86_64/sap/debug',\n 'content/eus/rhel/server/7/7.7/x86_64/sap/os',\n 'content/eus/rhel/server/7/7.7/x86_64/sap/source/SRPMS',\n 'content/eus/rhel/server/7/7.7/x86_64/source/SRPMS',\n 'content/eus/rhel/system-z/7/7.7/s390x/debug',\n 'content/eus/rhel/system-z/7/7.7/s390x/optional/debug',\n 'content/eus/rhel/system-z/7/7.7/s390x/optional/os',\n 'content/eus/rhel/system-z/7/7.7/s390x/optional/source/SRPMS',\n 'content/eus/rhel/system-z/7/7.7/s390x/os',\n 'content/eus/rhel/system-z/7/7.7/s390x/sap/debug',\n 'content/eus/rhel/system-z/7/7.7/s390x/sap/os',\n 'content/eus/rhel/system-z/7/7.7/s390x/sap/source/SRPMS',\n 'content/eus/rhel/system-z/7/7.7/s390x/source/SRPMS',\n 'content/tus/rhel/server/7/7.7/x86_64/debug',\n 'content/tus/rhel/server/7/7.7/x86_64/highavailability/debug',\n 'content/tus/rhel/server/7/7.7/x86_64/highavailability/os',\n 'content/tus/rhel/server/7/7.7/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel/server/7/7.7/x86_64/optional/debug',\n 'content/tus/rhel/server/7/7.7/x86_64/optional/os',\n 'content/tus/rhel/server/7/7.7/x86_64/optional/source/SRPMS',\n 'content/tus/rhel/server/7/7.7/x86_64/os',\n 'content/tus/rhel/server/7/7.7/x86_64/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'dnsmasq-2.76-10.el7_7.2', 'sp':'7', 'cpu':'ppc64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-2.76-10.el7_7.2', 'sp':'7', 'cpu':'ppc64le', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-2.76-10.el7_7.2', 'sp':'7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-2.76-10.el7_7.2', 'sp':'7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.76-10.el7_7.2', 'sp':'7', 'cpu':'ppc64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.76-10.el7_7.2', 'sp':'7', 'cpu':'ppc64le', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.76-10.el7_7.2', 'sp':'7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.76-10.el7_7.2', 'sp':'7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Advanced Update Support, Extended Update Support, Telco Extended Update Support or Update Services for SAP Solutions repositories.\\n' +\n 'Access to these repositories requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:13:56", "description": "The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:0395 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n - sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-02-03T00:00:00", "type": "nessus", "title": "RHEL 7 : RHV-H security, bug fix, enhancement update (redhat-virtualization-host) 4.3.13 (Important) (RHSA-2021:0395)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2021-3156"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:redhat-virtualization-host-image-update"], "id": "REDHAT-RHSA-2021-0395.NASL", "href": "https://www.tenable.com/plugins/nessus/146093", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0395. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146093);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2021-3156\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"IAVA\", value:\"2021-A-0053\");\n script_xref(name:\"RHSA\", value:\"2021:0395\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/27\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"RHEL 7 : RHV-H security, bug fix, enhancement update (redhat-virtualization-host) 4.3.13 (Important) (RHSA-2021:0395)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0395 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\n - sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3156\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0395\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1890125\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1917684\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected redhat-virtualization-host-image-update package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3156\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_cwe_id(122, 290, 326, 358);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:redhat-virtualization-host-image-update\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/rhv-mgmt-agent/4/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/rhv-mgmt-agent/4/os',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/rhv-mgmt-agent/4/source/SRPMS',\n 'content/dist/rhel/power-le/7/7.3/ppc64le/rhev-mgmt-agent/3/debug',\n 'content/dist/rhel/power-le/7/7.3/ppc64le/rhev-mgmt-agent/3/os',\n 'content/dist/rhel/power-le/7/7.3/ppc64le/rhev-mgmt-agent/3/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-mgmt-agent/3/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-mgmt-agent/3/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-mgmt-agent/3/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-tools/3/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-tools/3/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-tools/3/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-mgmt-agent/4/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-mgmt-agent/4/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-mgmt-agent/4/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-tools/4/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-tools/4/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-tools/4/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/rhev-tools/3/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/rhev-tools/3/os',\n 'content/dist/rhel/power/7/7Server/ppc64/rhev-tools/3/source/SRPMS',\n 'content/dist/rhel/server/7/7.3/x86_64/rhev-mgmt-agent/3/debug',\n 'content/dist/rhel/server/7/7.3/x86_64/rhev-mgmt-agent/3/os',\n 'content/dist/rhel/server/7/7.3/x86_64/rhev-mgmt-agent/3/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhev-mgmt-agent/3/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhev-mgmt-agent/3/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhev-mgmt-agent/3/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhevh/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhevh/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhevh/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager-tools/4/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager-tools/4/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager-tools/4/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4.3/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4.3/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4.3/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-tools/4/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-tools/4/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-tools/4/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4.3/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4.3/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4.3/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4.3/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4.3/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4.3/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'redhat-virtualization-host-image-update-4.3.13-20210127.0.el7_9', 'release':'7', 'el_string':'el7_9', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'redhat-virtualization-host-image-update');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:13:09", "description": "The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:0401 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n - sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-02-03T00:00:00", "type": "nessus", "title": "RHEL 8 : Red Hat Virtualization Host security bug fix and enhancement update [ovirt-4.4.4] (Important) (RHSA-2021:0401)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2021-3156"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:redhat-virtualization-host-image-update"], "id": "REDHAT-RHSA-2021-0401.NASL", "href": "https://www.tenable.com/plugins/nessus/146094", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0401. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146094);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2021-3156\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"IAVA\", value:\"2021-A-0053\");\n script_xref(name:\"RHSA\", value:\"2021:0401\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/27\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"RHEL 8 : Red Hat Virtualization Host security bug fix and enhancement update [ovirt-4.4.4] (Important) (RHSA-2021:0401)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0401 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\n - sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3156\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0401\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1890125\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1917684\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected redhat-virtualization-host-image-update package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3156\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_cwe_id(122, 290, 326, 358);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:redhat-virtualization-host-image-update\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/layered/rhel8/ppc64le/rhv-mgmt-agent/4/debug',\n 'content/dist/layered/rhel8/ppc64le/rhv-mgmt-agent/4/os',\n 'content/dist/layered/rhel8/ppc64le/rhv-mgmt-agent/4/source/SRPMS',\n 'content/dist/layered/rhel8/ppc64le/rhv-tools/4/debug',\n 'content/dist/layered/rhel8/ppc64le/rhv-tools/4/os',\n 'content/dist/layered/rhel8/ppc64le/rhv-tools/4/source/SRPMS',\n 'content/dist/layered/rhel8/x86_64/rhv-mgmt-agent/4/debug',\n 'content/dist/layered/rhel8/x86_64/rhv-mgmt-agent/4/os',\n 'content/dist/layered/rhel8/x86_64/rhv-mgmt-agent/4/source/SRPMS',\n 'content/dist/layered/rhel8/x86_64/rhv-tools/4/debug',\n 'content/dist/layered/rhel8/x86_64/rhv-tools/4/os',\n 'content/dist/layered/rhel8/x86_64/rhv-tools/4/source/SRPMS',\n 'content/dist/layered/rhel8/x86_64/rhvh-build/4/debug',\n 'content/dist/layered/rhel8/x86_64/rhvh-build/4/os',\n 'content/dist/layered/rhel8/x86_64/rhvh-build/4/source/SRPMS',\n 'content/dist/layered/rhel8/x86_64/rhvh/4/debug',\n 'content/dist/layered/rhel8/x86_64/rhvh/4/os',\n 'content/dist/layered/rhel8/x86_64/rhvh/4/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'redhat-virtualization-host-image-update-4.4.4-20210201.0.el8_3', 'release':'8', 'el_string':'el8_3', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'redhat-virtualization-host-image-update');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:34:43", "description": "The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has dnsmasq packages installed that are affected by multiple vulnerabilities:\n\n - A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to cause a denial of service (memory consumption) via vectors involving DHCP response creation.\n (CVE-2019-14834)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-10-27T00:00:00", "type": "nessus", "title": "NewStart CGSL CORE 5.05 / MAIN 5.05 : dnsmasq Multiple Vulnerabilities (NS-SA-2021-0183)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14834", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:zte:cgsl_core:dnsmasq", "p-cpe:/a:zte:cgsl_core:dnsmasq-debuginfo", "p-cpe:/a:zte:cgsl_core:dnsmasq-utils", "p-cpe:/a:zte:cgsl_main:dnsmasq", "p-cpe:/a:zte:cgsl_main:dnsmasq-debuginfo", "p-cpe:/a:zte:cgsl_main:dnsmasq-utils", "cpe:/o:zte:cgsl_core:5", "cpe:/o:zte:cgsl_main:5"], "id": "NEWSTART_CGSL_NS-SA-2021-0183_DNSMASQ.NASL", "href": "https://www.tenable.com/plugins/nessus/154439", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2021-0183. The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154439);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2019-14834\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0194-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"NewStart CGSL CORE 5.05 / MAIN 5.05 : dnsmasq Multiple Vulnerabilities (NS-SA-2021-0183)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote NewStart CGSL host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has dnsmasq packages installed that are affected\nby multiple vulnerabilities:\n\n - A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to\n cause a denial of service (memory consumption) via vectors involving DHCP response creation.\n (CVE-2019-14834)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in the forward.c:reply_query() if the reply destination address/port is used by the pending\n forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query,\n substantially reducing the number of attempts an attacker on the network would have to perform to forge a\n reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's\n attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful\n attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a\n weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1\n when it is) this flaw allows an off-path attacker to find several different domains all having the same\n hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the\n attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards a new request. By default, a maximum of 150\n pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that\n it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the\n Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a\n successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2021-0183\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-14834\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25686\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL dnsmasq packages. Note that updated packages may not be available yet. Please contact ZTE\nfor more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25686\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:zte:cgsl_core:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:zte:cgsl_main:5\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL CORE 5.05\" &&\n release !~ \"CGSL MAIN 5.05\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nvar flag = 0;\n\nvar pkgs = {\n 'CGSL CORE 5.05': [\n 'dnsmasq-2.76-16.el7_9.1',\n 'dnsmasq-debuginfo-2.76-16.el7_9.1',\n 'dnsmasq-utils-2.76-16.el7_9.1'\n ],\n 'CGSL MAIN 5.05': [\n 'dnsmasq-2.76-16.el7_9.1',\n 'dnsmasq-debuginfo-2.76-16.el7_9.1',\n 'dnsmasq-utils-2.76-16.el7_9.1'\n ]\n};\nvar pkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:27:54", "description": "According to the versions of the dnsmasq packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2.78. Wildcard synthesized NSEC records could be improperly interpreted to prove the non-existence of hostnames that actually exist.(CVE-2017-15107)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-04-30T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP3 : dnsmasq (EulerOS-SA-2021-1775)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-15107", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1775.NASL", "href": "https://www.tenable.com/plugins/nessus/149190", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149190);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2017-15107\", \"CVE-2020-25685\", \"CVE-2020-25686\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS 2.0 SP3 : dnsmasq (EulerOS-SA-2021-1775)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A vulnerability was found in the implementation of\n DNSSEC in Dnsmasq up to and including 2.78. Wildcard\n synthesized NSEC records could be improperly\n interpreted to prove the non-existence of hostnames\n that actually exist.(CVE-2017-15107)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in forward.c:reply_query(), which is the forwarded\n query that matches the reply, by only using a weak hash\n of the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When\n receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards\n a new request. By default, a maximum of 150 pending\n queries can be sent to upstream servers, so there can\n be at most 150 queries for the same name. This flaw\n allows an off-path attacker on the network to\n substantially reduce the number of attempts that it\n would have to perform to forge a reply and have it\n accepted by dnsmasq. This issue is mentioned in the\n 'Birthday Attacks' section of RFC5452. If chained with\n CVE-2020-25684, the attack complexity of a successful\n attack is reduced. The highest threat from this\n vulnerability is to data integrity.(CVE-2020-25686)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1775\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4be2b5e9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.76-2.2.h4\",\n \"dnsmasq-utils-2.76-2.2.h4\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:34:15", "description": "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has dnsmasq packages installed that are affected by multiple vulnerabilities:\n\n - A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to cause a denial of service (memory consumption) via vectors involving DHCP response creation.\n (CVE-2019-14834)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-10-27T00:00:00", "type": "nessus", "title": "NewStart CGSL CORE 5.04 / MAIN 5.04 : dnsmasq Multiple Vulnerabilities (NS-SA-2021-0098)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14834", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:zte:cgsl_core:dnsmasq", "p-cpe:/a:zte:cgsl_core:dnsmasq-debuginfo", "p-cpe:/a:zte:cgsl_core:dnsmasq-utils", "p-cpe:/a:zte:cgsl_main:dnsmasq", "p-cpe:/a:zte:cgsl_main:dnsmasq-debuginfo", "p-cpe:/a:zte:cgsl_main:dnsmasq-utils", "cpe:/o:zte:cgsl_core:5", "cpe:/o:zte:cgsl_main:5"], "id": "NEWSTART_CGSL_NS-SA-2021-0098_DNSMASQ.NASL", "href": "https://www.tenable.com/plugins/nessus/154478", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2021-0098. The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154478);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2019-14834\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0194-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"NewStart CGSL CORE 5.04 / MAIN 5.04 : dnsmasq Multiple Vulnerabilities (NS-SA-2021-0098)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote NewStart CGSL host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has dnsmasq packages installed that are affected\nby multiple vulnerabilities:\n\n - A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to\n cause a denial of service (memory consumption) via vectors involving DHCP response creation.\n (CVE-2019-14834)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in the forward.c:reply_query() if the reply destination address/port is used by the pending\n forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query,\n substantially reducing the number of attempts an attacker on the network would have to perform to forge a\n reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's\n attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful\n attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a\n weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1\n when it is) this flaw allows an off-path attacker to find several different domains all having the same\n hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the\n attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards a new request. By default, a maximum of 150\n pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that\n it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the\n Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a\n successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2021-0098\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-14834\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25686\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL dnsmasq packages. Note that updated packages may not be available yet. Please contact ZTE\nfor more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25686\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:zte:cgsl_core:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:zte:cgsl_main:5\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL CORE 5.04\" &&\n release !~ \"CGSL MAIN 5.04\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nvar flag = 0;\n\nvar pkgs = {\n 'CGSL CORE 5.04': [\n 'dnsmasq-2.76-16.el7_9.1',\n 'dnsmasq-debuginfo-2.76-16.el7_9.1',\n 'dnsmasq-utils-2.76-16.el7_9.1'\n ],\n 'CGSL MAIN 5.04': [\n 'dnsmasq-2.76-16.el7_9.1',\n 'dnsmasq-debuginfo-2.76-16.el7_9.1',\n 'dnsmasq-utils-2.76-16.el7_9.1'\n ]\n};\nvar pkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:55", "description": "The version of AHV installed on the remote host is prior to 20201105.1045. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AHV-20201105.1045 advisory.\n\n - Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root. (CVE-2020-15862)\n\n - The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified.\n OpenSSL's s_server, s_client and verify tools have support for the -crl_download option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue.\n Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). (CVE-2020-1971)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single backslash character. (CVE-2021-3156)\n\n - A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user who can execute the sudo command without authentication. Successful exploitation of this flaw could lead to privilege escalation. (CVE-2021-3156)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-01T00:00:00", "type": "nessus", "title": "Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-20201105.1045)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-15862", "CVE-2020-1971", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2021-3156"], "modified": "2023-02-23T00:00:00", "cpe": ["cpe:/o:nutanix:ahv"], "id": "NUTANIX_NXSA-AHV-20201105_1045.NASL", "href": "https://www.tenable.com/plugins/nessus/164555", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164555);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/23\");\n\n script_cve_id(\n \"CVE-2020-1971\",\n \"CVE-2020-15862\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2021-3156\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/27\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-20201105.1045)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Nutanix AHV host is affected by multiple vulnerabilities .\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of AHV installed on the remote host is prior to 20201105.1045. It is, therefore, affected by multiple\nvulnerabilities as referenced in the NXSA-AHV-20201105.1045 advisory.\n\n - Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB\n provides the ability to run arbitrary commands as root. (CVE-2020-15862)\n\n - The X.509 GeneralName type is a generic type for representing different types of names. One of those name\n types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different\n instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both\n GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a\n possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1)\n Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in\n an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp\n authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an\n attacker can control both items being compared then that attacker could trigger a crash. For example if\n the attacker can trick a client or server into checking a malicious certificate against a malicious CRL\n then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a\n certificate. This checking happens prior to the signatures on the certificate and CRL being verified.\n OpenSSL's s_server, s_client and verify tools have support for the -crl_download option which implements\n automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an\n unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of\n EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will\n accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue.\n Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected\n 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). (CVE-2020-1971)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in the forward.c:reply_query() if the reply destination address/port is used by the pending\n forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query,\n substantially reducing the number of attempts an attacker on the network would have to perform to forge a\n reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's\n attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful\n attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a\n weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1\n when it is) this flaw allows an off-path attacker to find several different domains all having the same\n hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the\n attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards a new request. By default, a maximum of 150\n pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that\n it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the\n Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a\n successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which\n allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single\n backslash character. (CVE-2021-3156)\n\n - A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is\n exploitable by any local user who can execute the sudo command without authentication. Successful\n exploitation of this flaw could lead to privilege escalation. (CVE-2021-3156)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AHV-20201105.1045\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7dd4b059\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the Nutanix AHV software to recommended version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3156\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sudo Heap-Based Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:nutanix:ahv\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nutanix_collect.nasl\");\n script_require_keys(\"Host/Nutanix/Data/Node/Version\", \"Host/Nutanix/Data/Node/Type\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::nutanix::get_app_info(node:TRUE);\n\nvar constraints = [\n { 'fixed_version' : '20201105.1045', 'product' : 'AHV', 'fixed_display' : 'Upgrade the AHV install to 20201105.1045 or higher.' }\n];\n\nvcf::nutanix::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:00:59", "description": "The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-84440e87ba advisory.\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap- allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-21T00:00:00", "type": "nessus", "title": "Fedora 33 : dnsmasq (2021-84440e87ba)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:33", "p-cpe:/a:fedoraproject:fedora:dnsmasq"], "id": "FEDORA_2021-84440E87BA.NASL", "href": "https://www.tenable.com/plugins/nessus/145241", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from Fedora Security Advisory FEDORA-2021-84440e87ba\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145241);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"FEDORA\", value:\"2021-84440e87ba\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Fedora 33 : dnsmasq (2021-84440e87ba)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the\nFEDORA-2021-84440e87ba advisory.\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS\n replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with\n arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from\n this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq\n extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who\n can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-\n allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from\n the base buffer, thus reducing, in practice, the number of available bytes that can be written in the\n buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as\n system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in the forward.c:reply_query() if the reply destination address/port is used by the pending\n forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query,\n substantially reducing the number of attempts an attacker on the network would have to perform to forge a\n reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's\n attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful\n attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a\n weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1\n when it is) this flaw allows an off-path attacker to find several different domains all having the same\n hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the\n attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards a new request. By default, a maximum of 150\n pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that\n it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the\n Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a\n successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2021-84440e87ba\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:33\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:dnsmasq\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Fedora' >!< release) audit(AUDIT_OS_NOT, 'Fedora');\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^33([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Fedora 33', 'Fedora ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);\n\npkgs = [\n {'reference':'dnsmasq-2.83-1.fc33', 'release':'FC33', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:18:17", "description": "The remote NewStart CGSL host, running version MAIN 6.02, has dnsmasq packages installed that are affected by multiple vulnerabilities:\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap- allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-10-27T00:00:00", "type": "nessus", "title": "NewStart CGSL MAIN 6.02 : dnsmasq Multiple Vulnerabilities (NS-SA-2021-0125)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:zte:cgsl_main:dnsmasq", "p-cpe:/a:zte:cgsl_main:dnsmasq-debuginfo", "p-cpe:/a:zte:cgsl_main:dnsmasq-debugsource", "p-cpe:/a:zte:cgsl_main:dnsmasq-utils", "p-cpe:/a:zte:cgsl_main:dnsmasq-utils-debuginfo", "cpe:/o:zte:cgsl_main:6"], "id": "NEWSTART_CGSL_NS-SA-2021-0125_DNSMASQ.NASL", "href": "https://www.tenable.com/plugins/nessus/154463", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2021-0125. The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154463);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"NewStart CGSL MAIN 6.02 : dnsmasq Multiple Vulnerabilities (NS-SA-2021-0125)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote NewStart CGSL host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 6.02, has dnsmasq packages installed that are affected by multiple\nvulnerabilities:\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS\n replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with\n arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from\n this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq\n extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who\n can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-\n allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from\n the base buffer, thus reducing, in practice, the number of available bytes that can be written in the\n buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as\n system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in the forward.c:reply_query() if the reply destination address/port is used by the pending\n forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query,\n substantially reducing the number of attempts an attacker on the network would have to perform to forge a\n reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's\n attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful\n attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a\n weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1\n when it is) this flaw allows an off-path attacker to find several different domains all having the same\n hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the\n attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards a new request. By default, a maximum of 150\n pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that\n it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the\n Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a\n successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2021-0125\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25681\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25682\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25683\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25687\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL dnsmasq packages. Note that updated packages may not be available yet. Please contact ZTE\nfor more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:dnsmasq-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:dnsmasq-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:zte:cgsl_main:6\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL MAIN 6.02\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 6.02');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nvar flag = 0;\n\nvar pkgs = {\n 'CGSL MAIN 6.02': [\n 'dnsmasq-2.79-13.el8_3.1',\n 'dnsmasq-debuginfo-2.79-13.el8_3.1',\n 'dnsmasq-debugsource-2.79-13.el8_3.1',\n 'dnsmasq-utils-2.79-13.el8_3.1',\n 'dnsmasq-utils-debuginfo-2.79-13.el8_3.1'\n ]\n};\nvar pkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:01:49", "description": "This update for dnsmasq fixes the following issues :\n\n - bsc#1177077: Fixed DNSpooq vulnerabilities\n\n - CVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache Poisoning attacks.\n\n - CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed multiple potential Heap-based overflows when DNSSEC is enabled.\n\n - Retry query to other servers on receipt of SERVFAIL rcode (bsc#1176076)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.", "cvss3": {}, "published": "2021-01-25T00:00:00", "type": "nessus", "title": "openSUSE Security Update : dnsmasq (openSUSE-2021-129)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:novell:opensuse:15.1", "p-cpe:/a:novell:opensuse:dnsmasq", "p-cpe:/a:novell:opensuse:dnsmasq-debuginfo", "p-cpe:/a:novell:opensuse:dnsmasq-debugsource", "p-cpe:/a:novell:opensuse:dnsmasq-utils", "p-cpe:/a:novell:opensuse:dnsmasq-utils-debuginfo"], "id": "OPENSUSE-2021-129.NASL", "href": "https://www.tenable.com/plugins/nessus/145295", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-129.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145295);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"openSUSE Security Update : dnsmasq (openSUSE-2021-129)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for dnsmasq fixes the following issues :\n\n - bsc#1177077: Fixed DNSpooq vulnerabilities\n\n - CVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed\n multiple Cache Poisoning attacks.\n\n - CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,\n CVE-2020-25687: Fixed multiple potential Heap-based\n overflows when DNSSEC is enabled.\n\n - Retry query to other servers on receipt of SERVFAIL\n rcode (bsc#1176076)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1176076\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1177077\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"dnsmasq-2.78-lp151.5.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"dnsmasq-debuginfo-2.78-lp151.5.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"dnsmasq-debugsource-2.78-lp151.5.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"dnsmasq-utils-2.78-lp151.5.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"dnsmasq-utils-debuginfo-2.78-lp151.5.6.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq / dnsmasq-debuginfo / dnsmasq-debugsource / dnsmasq-utils / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:01:46", "description": "According to the versions of the dnsmasq packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network,who can create valid DNS replies,could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory,possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function,which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However,in some code execution paths,it is possible extract_name() gets passed an offset from the base buffer,thus reducing,in practice,the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-02-01T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP8 : dnsmasq (EulerOS-SA-2021-1138)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1138.NASL", "href": "https://www.tenable.com/plugins/nessus/145737", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145737);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS 2.0 SP8 : dnsmasq (EulerOS-SA-2021-1138)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in the forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in forward.c:reply_query(), which is the forwarded\n query that matches the reply, by only using a weak hash\n of the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n sort_rrset() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq before 2.83. A buffer\n overflow vulnerability was discovered in the way\n dnsmasq extract names from DNS packets before\n validating them with DNSSEC data. An attacker on the\n network,who can create valid DNS replies,could use this\n flaw to cause an overflow with arbitrary data in a\n heap-allocated memory,possibly executing code on the\n machine. The flaw is in the rfc1035.c:extract_name()\n function,which writes data to the memory pointed by\n name assuming MAXDNAME*2 bytes are available in the\n buffer. However,in some code execution paths,it is\n possible extract_name() gets passed an offset from the\n base buffer,thus reducing,in practice,the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies\n such as that they are accepted as valid, could use this\n flaw to cause a buffer overflow with arbitrary data in\n a heap memory segment, possibly executing code on the\n machine. The highest threat from this vulnerability is\n to data confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before version 2.83. When\n receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards\n a new request. By default, a maximum of 150 pending\n queries can be sent to upstream servers, so there can\n be at most 150 queries for the same name. This flaw\n allows an off-path attacker on the network to\n substantially reduce the number of attempts that it\n would have to perform to forge a reply and have it\n accepted by dnsmasq. This issue is mentioned in the\n 'Birthday Attacks' section of RFC5452. If chained with\n CVE-2020-25684, the attack complexity of a successful\n attack is reduced. The highest threat from this\n vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n get_rdata() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25683)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1138\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?54ff6184\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.79-7.h5.eulerosv2r8\",\n \"dnsmasq-utils-2.79-7.h5.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:00:58", "description": "The version of dnsmasq installed on the remote host is prior to 2.83. It is, therefore, affected by multiple vulnerabilities:\n\n - Multiple remote buffer overflows in the DNSSEC implementation. (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687)\n\n - A UDP DNS cache poisoning vulnerability. (CVE-2020-25684)\n\n - Usage of a known weak hashing function. (CVE-2020-25685)\n\n - An issue handling multiple simultaneous DNS queries. (CVE-2020-25686)\n\n Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-19T00:00:00", "type": "nessus", "title": "dnsmasq < 2.83 Multiple Vulnerabilities (DNSPOOQ)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/a:thekelleys:dnsmasq"], "id": "DNSMASQ_2_83.NASL", "href": "https://www.tenable.com/plugins/nessus/145073", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145073);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"dnsmasq < 2.83 Multiple Vulnerabilities (DNSPOOQ)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote DNS / DHCP service is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of dnsmasq installed on the remote host is prior to 2.83. It is, therefore, affected by multiple\nvulnerabilities:\n\n - Multiple remote buffer overflows in the DNSSEC implementation. (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,\n CVE-2020-25687)\n\n - A UDP DNS cache poisoning vulnerability. (CVE-2020-25684)\n\n - Usage of a known weak hashing function. (CVE-2020-25685)\n\n - An issue handling multiple simultaneous DNS queries. (CVE-2020-25686)\n\n Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\n number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.thekelleys.org.uk/dnsmasq/CHANGELOG\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.jsof-tech.com/disclosures/dnspooq/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to dnsmasq 2.83 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:thekelleys:dnsmasq\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"DNS\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"dns_version.nasl\");\n script_require_keys(\"dns_server/version\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/dns\", 53);\n\n exit(0);\n}\n\ninclude('audit.inc');\n\napp_name = 'dnsmasq';\nport = get_kb_item('Services/udp/dns');\n\nif (!port)\n port = 53;\n\nif (report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\n# dnsmasq replies to BIND.VERSION\nversion = tolower(get_kb_item_or_exit('dns_server/version'));\ndisplay_version = version;\n\nif (version !~ \"dnsmasq-(v)?\")\n audit(AUDIT_NOT_LISTEN, app_name, port);\n\nversion = preg_replace(pattern:\"^dnsmasq-(v)?(.*)$\", replace:\"\\2\", string:version);\n\nif (version == '2')\n audit(AUDIT_VER_NOT_GRANULAR, app_name, port, display_version);\n\nfix = '2.83';\nif (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)\n audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version, 'udp');\n\nreport = '\\n' +\n '\\n Installed version : ' + display_version +\n '\\n Fixed version : dnsmasq-' + fix +\n '\\n';\n\nsecurity_report_v4(port:port, proto:'udp', severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:02:13", "description": "An update of the dnsmasq package has been released.", "cvss3": {}, "published": "2021-01-26T00:00:00", "type": "nessus", "title": "Photon OS 1.0: Dnsmasq PHSA-2021-1.0-0356", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:dnsmasq", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2021-1_0-0356_DNSMASQ.NASL", "href": "https://www.tenable.com/plugins/nessus/145420", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-1.0-0356. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145420);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Photon OS 1.0: Dnsmasq PHSA-2021-1.0-0356\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the dnsmasq package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-356.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 1.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-1.0', cpu:'x86_64', reference:'dnsmasq-2.82-1.ph1')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:07:07", "description": "The remote Fedora 32 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-2e4c3d5a9d advisory.\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap- allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-04-19T00:00:00", "type": "nessus", "title": "Fedora 32 : dnsmasq (2021-2e4c3d5a9d)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:32", "p-cpe:/a:fedoraproject:fedora:dnsmasq"], "id": "FEDORA_2021-2E4C3D5A9D.NASL", "href": "https://www.tenable.com/plugins/nessus/148783", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from Fedora Security Advisory FEDORA-2021-2e4c3d5a9d\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148783);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"FEDORA\", value:\"2021-2e4c3d5a9d\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Fedora 32 : dnsmasq (2021-2e4c3d5a9d)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Fedora 32 host has a package installed that is affected by multiple vulnerabilities as referenced in the\nFEDORA-2021-2e4c3d5a9d advisory.\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS\n replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with\n arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from\n this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq\n extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who\n can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-\n allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from\n the base buffer, thus reducing, in practice, the number of available bytes that can be written in the\n buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as\n system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in the forward.c:reply_query() if the reply destination address/port is used by the pending\n forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query,\n substantially reducing the number of attempts an attacker on the network would have to perform to forge a\n reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's\n attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful\n attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a\n weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1\n when it is) this flaw allows an off-path attacker to find several different domains all having the same\n hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the\n attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards a new request. By default, a maximum of 150\n pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that\n it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the\n Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a\n successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2021-2e4c3d5a9d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:dnsmasq\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Fedora' >!< release) audit(AUDIT_OS_NOT, 'Fedora');\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Fedora 32', 'Fedora ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);\n\npkgs = [\n {'reference':'dnsmasq-2.84-1.fc32', 'release':'FC32', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:03:23", "description": "According to the versions of the dnsmasq package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-02-05T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : dnsmasq (EulerOS-SA-2021-1244)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:huawei:euleros:2.0", "p-cpe:/a:huawei:euleros:dnsmasq"], "id": "EULEROS_SA-2021-1244.NASL", "href": "https://www.tenable.com/plugins/nessus/146218", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146218);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS 2.0 SP9 : dnsmasq (EulerOS-SA-2021-1244)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies\n such as that they are accepted as valid, could use this\n flaw to cause a buffer overflow with arbitrary data in\n a heap memory segment, possibly executing code on the\n machine. The highest threat from this vulnerability is\n to data confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer\n overflow vulnerability was discovered in the way\n dnsmasq extract names from DNS packets before\n validating them with DNSSEC data. An attacker on the\n network, who can create valid DNS replies, could use\n this flaw to cause an overflow with arbitrary data in a\n heap-allocated memory, possibly executing code on the\n machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by\n name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is\n possible extract_name() gets passed an offset from the\n base buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n get_rdata() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in the forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in forward.c:reply_query(), which is the forwarded\n query that matches the reply, by only using a weak hash\n of the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When\n receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards\n a new request. By default, a maximum of 150 pending\n queries can be sent to upstream servers, so there can\n be at most 150 queries for the same name. This flaw\n allows an off-path attacker on the network to\n substantially reduce the number of attempts that it\n would have to perform to forge a reply and have it\n accepted by dnsmasq. This issue is mentioned in the\n 'Birthday Attacks' section of RFC5452. If chained with\n CVE-2020-25684, the attack complexity of a successful\n attack is reduced. The highest threat from this\n vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n sort_rrset() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1244\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1cc63d9c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.81-1.h5.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:03:23", "description": "According to the versions of the dnsmasq package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-02-05T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : dnsmasq (EulerOS-SA-2021-1263)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1263.NASL", "href": "https://www.tenable.com/plugins/nessus/146224", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146224);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS 2.0 SP9 : dnsmasq (EulerOS-SA-2021-1263)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies\n such as that they are accepted as valid, could use this\n flaw to cause a buffer overflow with arbitrary data in\n a heap memory segment, possibly executing code on the\n machine. The highest threat from this vulnerability is\n to data confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer\n overflow vulnerability was discovered in the way\n dnsmasq extract names from DNS packets before\n validating them with DNSSEC data. An attacker on the\n network, who can create valid DNS replies, could use\n this flaw to cause an overflow with arbitrary data in a\n heap-allocated memory, possibly executing code on the\n machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by\n name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is\n possible extract_name() gets passed an offset from the\n base buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n get_rdata() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in the forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in forward.c:reply_query(), which is the forwarded\n query that matches the reply, by only using a weak hash\n of the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When\n receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards\n a new request. By default, a maximum of 150 pending\n queries can be sent to upstream servers, so there can\n be at most 150 queries for the same name. This flaw\n allows an off-path attacker on the network to\n substantially reduce the number of attempts that it\n would have to perform to forge a reply and have it\n accepted by dnsmasq. This issue is mentioned in the\n 'Birthday Attacks' section of RFC5452. If chained with\n CVE-2020-25684, the attack complexity of a successful\n attack is reduced. The highest threat from this\n vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n sort_rrset() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1263\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b30dbebc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.81-1.h5.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-29T14:55:31", "description": "This update for dnsmasq fixes the following issues :\n\nbsc#1177077: Fixed DNSpooq vulnerabilities\n\nCVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache Poisoning attacks.\n\nCVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed multiple potential Heap-based overflows when DNSSEC is enabled.\n\nRetry query to other servers on receipt of SERVFAIL rcode (bsc#1176076)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-01-20T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : dnsmasq (SUSE-SU-2021:0166-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:dnsmasq", "p-cpe:/a:novell:suse_linux:dnsmasq-debuginfo", "p-cpe:/a:novell:suse_linux:dnsmasq-debugsource", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-0166-1.NASL", "href": "https://www.tenable.com/plugins/nessus/145175", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:0166-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145175);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"SUSE SLES12 Security Update : dnsmasq (SUSE-SU-2021:0166-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for dnsmasq fixes the following issues :\n\nbsc#1177077: Fixed DNSpooq vulnerabilities\n\nCVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache\nPoisoning attacks.\n\nCVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed\nmultiple potential Heap-based overflows when DNSSEC is enabled.\n\nRetry query to other servers on receipt of SERVFAIL rcode\n(bsc#1176076)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176076\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1177077\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25681/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25682/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25683/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25684/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25685/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25686/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25687/\");\n # https://www.suse.com/support/update/announcement/2021/suse-su-20210166-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6f7572f6\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud Crowbar 9 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-166=1\n\nSUSE OpenStack Cloud Crowbar 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-166=1\n\nSUSE OpenStack Cloud 9 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-9-2021-166=1\n\nSUSE OpenStack Cloud 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-8-2021-166=1\n\nSUSE OpenStack Cloud 7 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-7-2021-166=1\n\nSUSE Linux Enterprise Server for SAP 12-SP4 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP4-2021-166=1\n\nSUSE Linux Enterprise Server for SAP 12-SP3 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP3-2021-166=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP2-2021-166=1\n\nSUSE Linux Enterprise Server 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-166=1\n\nSUSE Linux Enterprise Server 12-SP4-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-166=1\n\nSUSE Linux Enterprise Server 12-SP3-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-166=1\n\nSUSE Linux Enterprise Server 12-SP3-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-166=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-166=1\n\nSUSE Linux Enterprise Server 12-SP2-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-166=1\n\nSUSE Enterprise Storage 5 :\n\nzypper in -t patch SUSE-Storage-5-2021-166=1\n\nHPE Helion Openstack 8 :\n\nzypper in -t patch HPE-Helion-OpenStack-8-2021-166=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2|3|4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2/3/4/5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"dnsmasq-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"dnsmasq-debuginfo-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"dnsmasq-debugsource-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"dnsmasq-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"dnsmasq-debuginfo-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"dnsmasq-debugsource-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"dnsmasq-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"dnsmasq-debuginfo-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"dnsmasq-debugsource-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"dnsmasq-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"dnsmasq-debuginfo-2.78-18.15.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"dnsmasq-debugsource-2.78-18.15.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:05:29", "description": "According to the versions of the dnsmasq packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-03-10T00:00:00", "type": "nessus", "title": "EulerOS Virtualization for ARM 64 3.0.2.0 : dnsmasq (EulerOS-SA-2021-1389)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils", "cpe:/o:huawei:euleros:uvp:3.0.2.0"], "id": "EULEROS_SA-2021-1389.NASL", "href": "https://www.tenable.com/plugins/nessus/147582", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147582);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.2.0 : dnsmasq (EulerOS-SA-2021-1389)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. When\n receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards\n a new request. By default, a maximum of 150 pending\n queries can be sent to upstream servers, so there can\n be at most 150 queries for the same name. This flaw\n allows an off-path attacker on the network to\n substantially reduce the number of attempts that it\n would have to perform to forge a reply and have it\n accepted by dnsmasq. This issue is mentioned in the\n 'Birthday Attacks' section of RFC5452. If chained with\n CVE-2020-25684, the attack complexity of a successful\n attack is reduced. The highest threat from this\n vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in the forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in forward.c:reply_query(), which is the forwarded\n query that matches the reply, by only using a weak hash\n of the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. This flaw allows a remote attacker, who can\n create valid DNS replies, to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in sort_rrset() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. A remote attacker, who can create valid DNS\n replies, could use this flaw to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in get_rdata() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. A buffer overflow\n vulnerability was discovered in the way dnsmasq extract\n names from DNS packets before validating them with\n DNSSEC data. An attacker on the network, who can create\n valid DNS replies, could use this flaw to cause an\n overflow with arbitrary data in a heap-allocated\n memory, possibly executing code on the machine. The\n flaw is in the rfc1035.c:extract_name() function, which\n writes data to the memory pointed by name assuming\n MAXDNAME*2 bytes are available in the buffer. However,\n in some code execution paths, it is possible\n extract_name() gets passed an offset from the base\n buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in the way RRSets are sorted\n before validating with DNSSEC data. An attacker on the\n network, who can forge DNS replies such as that they\n are accepted as valid, could use this flaw to cause a\n buffer overflow with arbitrary data in a heap memory\n segment, possibly executing code on the machine. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1389\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0bd5d8af\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.76-5.h7\",\n \"dnsmasq-utils-2.76-5.h7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:00:15", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0150 advisory.\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-19T00:00:00", "type": "nessus", "title": "RHEL 8 : dnsmasq (RHSA-2021:0150)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_aus:8.4", "cpe:/o:redhat:rhel_aus:8.6", "cpe:/o:redhat:rhel_e4s:8.4", "cpe:/o:redhat:rhel_e4s:8.6", "cpe:/o:redhat:rhel_eus:8.4", "cpe:/o:redhat:rhel_eus:8.6", "cpe:/o:redhat:rhel_tus:8.4", "cpe:/o:redhat:rhel_tus:8.6", "p-cpe:/a:redhat:enterprise_linux:dnsmasq", "p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils"], "id": "REDHAT-RHSA-2021-0150.NASL", "href": "https://www.tenable.com/plugins/nessus/145088", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0150. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145088);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"RHSA\", value:\"2021:0150\");\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"RHEL 8 : dnsmasq (RHSA-2021:0150)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0150 advisory.\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled\n (CVE-2020-25682)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled\n (CVE-2020-25683)\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled\n (CVE-2020-25687)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25681\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25683\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25687\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0150\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1881875\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1882014\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1882018\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1890125\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1891568\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(122, 290, 326, 358);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.4/x86_64/appstream/debug',\n 'content/aus/rhel8/8.4/x86_64/appstream/os',\n 'content/aus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.4/x86_64/baseos/debug',\n 'content/aus/rhel8/8.4/x86_64/baseos/os',\n 'content/aus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/aarch64/appstream/debug',\n 'content/e4s/rhel8/8.4/aarch64/appstream/os',\n 'content/e4s/rhel8/8.4/aarch64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/aarch64/baseos/debug',\n 'content/e4s/rhel8/8.4/aarch64/baseos/os',\n 'content/e4s/rhel8/8.4/aarch64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.4/ppc64le/sap/os',\n 'content/e4s/rhel8/8.4/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.4/s390x/appstream/debug',\n 'content/e4s/rhel8/8.4/s390x/appstream/os',\n 'content/e4s/rhel8/8.4/s390x/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/s390x/baseos/debug',\n 'content/e4s/rhel8/8.4/s390x/baseos/os',\n 'content/e4s/rhel8/8.4/s390x/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.4/x86_64/appstream/os',\n 'content/e4s/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.4/x86_64/baseos/os',\n 'content/e4s/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/nfv/debug',\n 'content/e4s/rhel8/8.4/x86_64/nfv/os',\n 'content/e4s/rhel8/8.4/x86_64/nfv/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/sap/debug',\n 'content/e4s/rhel8/8.4/x86_64/sap/os',\n 'content/e4s/rhel8/8.4/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/appstream/debug',\n 'content/eus/rhel8/8.4/aarch64/appstream/os',\n 'content/eus/rhel8/8.4/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/baseos/debug',\n 'content/eus/rhel8/8.4/aarch64/baseos/os',\n 'content/eus/rhel8/8.4/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.4/aarch64/highavailability/os',\n 'content/eus/rhel8/8.4/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.4/aarch64/supplementary/os',\n 'content/eus/rhel8/8.4/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.4/ppc64le/appstream/os',\n 'content/eus/rhel8/8.4/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.4/ppc64le/baseos/os',\n 'content/eus/rhel8/8.4/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/sap/debug',\n 'content/eus/rhel8/8.4/ppc64le/sap/os',\n 'content/eus/rhel8/8.4/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/appstream/debug',\n 'content/eus/rhel8/8.4/s390x/appstream/os',\n 'content/eus/rhel8/8.4/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/baseos/debug',\n 'content/eus/rhel8/8.4/s390x/baseos/os',\n 'content/eus/rhel8/8.4/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/highavailability/debug',\n 'content/eus/rhel8/8.4/s390x/highavailability/os',\n 'content/eus/rhel8/8.4/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/sap/debug',\n 'content/eus/rhel8/8.4/s390x/sap/os',\n 'content/eus/rhel8/8.4/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/supplementary/debug',\n 'content/eus/rhel8/8.4/s390x/supplementary/os',\n 'content/eus/rhel8/8.4/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/appstream/debug',\n 'content/eus/rhel8/8.4/x86_64/appstream/os',\n 'content/eus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/baseos/debug',\n 'content/eus/rhel8/8.4/x86_64/baseos/os',\n 'content/eus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.4/x86_64/highavailability/os',\n 'content/eus/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/sap/debug',\n 'content/eus/rhel8/8.4/x86_64/sap/os',\n 'content/eus/rhel8/8.4/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.4/x86_64/supplementary/os',\n 'content/eus/rhel8/8.4/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/appstream/debug',\n 'content/tus/rhel8/8.4/x86_64/appstream/os',\n 'content/tus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/baseos/debug',\n 'content/tus/rhel8/8.4/x86_64/baseos/os',\n 'content/tus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.4/x86_64/highavailability/os',\n 'content/tus/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/nfv/debug',\n 'content/tus/rhel8/8.4/x86_64/nfv/os',\n 'content/tus/rhel8/8.4/x86_64/nfv/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/rt/debug',\n 'content/tus/rhel8/8.4/x86_64/rt/os',\n 'content/tus/rhel8/8.4/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'dnsmasq-2.79-13.el8_3.1', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.79-13.el8_3.1', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.6/x86_64/appstream/debug',\n 'content/aus/rhel8/8.6/x86_64/appstream/os',\n 'content/aus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.6/x86_64/baseos/debug',\n 'content/aus/rhel8/8.6/x86_64/baseos/os',\n 'content/aus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.6/x86_64/appstream/os',\n 'content/e4s/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.6/x86_64/baseos/os',\n 'content/e4s/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap/os',\n 'content/e4s/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/appstream/debug',\n 'content/eus/rhel8/8.6/aarch64/appstream/os',\n 'content/eus/rhel8/8.6/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/baseos/debug',\n 'content/eus/rhel8/8.6/aarch64/baseos/os',\n 'content/eus/rhel8/8.6/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.6/aarch64/highavailability/os',\n 'content/eus/rhel8/8.6/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.6/aarch64/supplementary/os',\n 'content/eus/rhel8/8.6/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.6/ppc64le/appstream/os',\n 'content/eus/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.6/ppc64le/baseos/os',\n 'content/eus/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap/os',\n 'content/eus/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/appstream/debug',\n 'content/eus/rhel8/8.6/s390x/appstream/os',\n 'content/eus/rhel8/8.6/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/baseos/debug',\n 'content/eus/rhel8/8.6/s390x/baseos/os',\n 'content/eus/rhel8/8.6/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/highavailability/debug',\n 'content/eus/rhel8/8.6/s390x/highavailability/os',\n 'content/eus/rhel8/8.6/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/sap/debug',\n 'content/eus/rhel8/8.6/s390x/sap/os',\n 'content/eus/rhel8/8.6/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/supplementary/debug',\n 'content/eus/rhel8/8.6/s390x/supplementary/os',\n 'content/eus/rhel8/8.6/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/appstream/debug',\n 'content/eus/rhel8/8.6/x86_64/appstream/os',\n 'content/eus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/baseos/debug',\n 'content/eus/rhel8/8.6/x86_64/baseos/os',\n 'content/eus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.6/x86_64/highavailability/os',\n 'content/eus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap/debug',\n 'content/eus/rhel8/8.6/x86_64/sap/os',\n 'content/eus/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.6/x86_64/supplementary/os',\n 'content/eus/rhel8/8.6/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/appstream/debug',\n 'content/tus/rhel8/8.6/x86_64/appstream/os',\n 'content/tus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/baseos/debug',\n 'content/tus/rhel8/8.6/x86_64/baseos/os',\n 'content/tus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.6/x86_64/highavailability/os',\n 'content/tus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/rt/os',\n 'content/tus/rhel8/8.6/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'dnsmasq-2.79-13.el8_3.1', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.79-13.el8_3.1', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel8/8/aarch64/appstream/debug',\n 'content/dist/rhel8/8/aarch64/appstream/os',\n 'content/dist/rhel8/8/aarch64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/baseos/debug',\n 'content/dist/rhel8/8/aarch64/baseos/os',\n 'content/dist/rhel8/8/aarch64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/codeready-builder/debug',\n 'content/dist/rhel8/8/aarch64/codeready-builder/os',\n 'content/dist/rhel8/8/aarch64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/highavailability/debug',\n 'content/dist/rhel8/8/aarch64/highavailability/os',\n 'content/dist/rhel8/8/aarch64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/supplementary/debug',\n 'content/dist/rhel8/8/aarch64/supplementary/os',\n 'content/dist/rhel8/8/aarch64/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/appstream/debug',\n 'content/dist/rhel8/8/ppc64le/appstream/os',\n 'content/dist/rhel8/8/ppc64le/appstream/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/baseos/debug',\n 'content/dist/rhel8/8/ppc64le/baseos/os',\n 'content/dist/rhel8/8/ppc64le/baseos/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/debug',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/os',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/highavailability/debug',\n 'content/dist/rhel8/8/ppc64le/highavailability/os',\n 'content/dist/rhel8/8/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/debug',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/os',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/debug',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/os',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap/debug',\n 'content/dist/rhel8/8/ppc64le/sap/os',\n 'content/dist/rhel8/8/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/supplementary/debug',\n 'content/dist/rhel8/8/ppc64le/supplementary/os',\n 'content/dist/rhel8/8/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/s390x/appstream/debug',\n 'content/dist/rhel8/8/s390x/appstream/os',\n 'content/dist/rhel8/8/s390x/appstream/source/SRPMS',\n 'content/dist/rhel8/8/s390x/baseos/debug',\n 'content/dist/rhel8/8/s390x/baseos/os',\n 'content/dist/rhel8/8/s390x/baseos/source/SRPMS',\n 'content/dist/rhel8/8/s390x/codeready-builder/debug',\n 'content/dist/rhel8/8/s390x/codeready-builder/os',\n 'content/dist/rhel8/8/s390x/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/s390x/highavailability/debug',\n 'content/dist/rhel8/8/s390x/highavailability/os',\n 'content/dist/rhel8/8/s390x/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/s390x/resilientstorage/debug',\n 'content/dist/rhel8/8/s390x/resilientstorage/os',\n 'content/dist/rhel8/8/s390x/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/s390x/sap/debug',\n 'content/dist/rhel8/8/s390x/sap/os',\n 'content/dist/rhel8/8/s390x/sap/source/SRPMS',\n 'content/dist/rhel8/8/s390x/supplementary/debug',\n 'content/dist/rhel8/8/s390x/supplementary/os',\n 'content/dist/rhel8/8/s390x/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/appstream/debug',\n 'content/dist/rhel8/8/x86_64/appstream/os',\n 'content/dist/rhel8/8/x86_64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/baseos/debug',\n 'content/dist/rhel8/8/x86_64/baseos/os',\n 'content/dist/rhel8/8/x86_64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/codeready-builder/debug',\n 'content/dist/rhel8/8/x86_64/codeready-builder/os',\n 'content/dist/rhel8/8/x86_64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/highavailability/debug',\n 'content/dist/rhel8/8/x86_64/highavailability/os',\n 'content/dist/rhel8/8/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/nfv/debug',\n 'content/dist/rhel8/8/x86_64/nfv/os',\n 'content/dist/rhel8/8/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/resilientstorage/debug',\n 'content/dist/rhel8/8/x86_64/resilientstorage/os',\n 'content/dist/rhel8/8/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/rt/debug',\n 'content/dist/rhel8/8/x86_64/rt/os',\n 'content/dist/rhel8/8/x86_64/rt/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap-solutions/debug',\n 'content/dist/rhel8/8/x86_64/sap-solutions/os',\n 'content/dist/rhel8/8/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap/debug',\n 'content/dist/rhel8/8/x86_64/sap/os',\n 'content/dist/rhel8/8/x86_64/sap/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/supplementary/debug',\n 'content/dist/rhel8/8/x86_64/supplementary/os',\n 'content/dist/rhel8/8/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'dnsmasq-2.79-13.el8_3.1', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.79-13.el8_3.1', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-29T14:55:38", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0152 advisory.\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-19T00:00:00", "type": "nessus", "title": "RHEL 8 : dnsmasq (RHSA-2021:0152)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:rhel_e4s:8.1", "cpe:/o:redhat:rhel_eus:8.1", "p-cpe:/a:redhat:enterprise_linux:dnsmasq", "p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils"], "id": "REDHAT-RHSA-2021-0152.NASL", "href": "https://www.tenable.com/plugins/nessus/145082", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0152. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145082);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"RHSA\", value:\"2021:0152\");\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"RHEL 8 : dnsmasq (RHSA-2021:0152)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0152 advisory.\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled\n (CVE-2020-25682)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled\n (CVE-2020-25683)\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled\n (CVE-2020-25687)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25681\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25683\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25687\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0152\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1881875\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1882014\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1882018\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1890125\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1891568\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(122, 290, 326, 358);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '8.1')) audit(AUDIT_OS_NOT, 'Red Hat 8.1', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/e4s/rhel8/8.1/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.1/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.1/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.1/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.1/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.1/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.1/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.1/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.1/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.1/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.1/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.1/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.1/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.1/ppc64le/sap/os',\n 'content/e4s/rhel8/8.1/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.1/x86_64/appstream/os',\n 'content/e4s/rhel8/8.1/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.1/x86_64/baseos/os',\n 'content/e4s/rhel8/8.1/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.1/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.1/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.1/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.1/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/sap/debug',\n 'content/e4s/rhel8/8.1/x86_64/sap/os',\n 'content/e4s/rhel8/8.1/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.1/aarch64/appstream/debug',\n 'content/eus/rhel8/8.1/aarch64/appstream/os',\n 'content/eus/rhel8/8.1/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.1/aarch64/baseos/debug',\n 'content/eus/rhel8/8.1/aarch64/baseos/os',\n 'content/eus/rhel8/8.1/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.1/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.1/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.1/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.1/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.1/aarch64/highavailability/os',\n 'content/eus/rhel8/8.1/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.1/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.1/aarch64/supplementary/os',\n 'content/eus/rhel8/8.1/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.1/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.1/ppc64le/appstream/os',\n 'content/eus/rhel8/8.1/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.1/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.1/ppc64le/baseos/os',\n 'content/eus/rhel8/8.1/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.1/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.1/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.1/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.1/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.1/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.1/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.1/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.1/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.1/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.1/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.1/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.1/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.1/ppc64le/sap/debug',\n 'content/eus/rhel8/8.1/ppc64le/sap/os',\n 'content/eus/rhel8/8.1/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.1/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.1/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.1/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.1/s390x/appstream/debug',\n 'content/eus/rhel8/8.1/s390x/appstream/os',\n 'content/eus/rhel8/8.1/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.1/s390x/baseos/debug',\n 'content/eus/rhel8/8.1/s390x/baseos/os',\n 'content/eus/rhel8/8.1/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.1/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.1/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.1/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.1/s390x/highavailability/debug',\n 'content/eus/rhel8/8.1/s390x/highavailability/os',\n 'content/eus/rhel8/8.1/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.1/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.1/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.1/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.1/s390x/sap/debug',\n 'content/eus/rhel8/8.1/s390x/sap/os',\n 'content/eus/rhel8/8.1/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.1/s390x/supplementary/debug',\n 'content/eus/rhel8/8.1/s390x/supplementary/os',\n 'content/eus/rhel8/8.1/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/appstream/debug',\n 'content/eus/rhel8/8.1/x86_64/appstream/os',\n 'content/eus/rhel8/8.1/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/baseos/debug',\n 'content/eus/rhel8/8.1/x86_64/baseos/os',\n 'content/eus/rhel8/8.1/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.1/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.1/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.1/x86_64/highavailability/os',\n 'content/eus/rhel8/8.1/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.1/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.1/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.1/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.1/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/sap/debug',\n 'content/eus/rhel8/8.1/x86_64/sap/os',\n 'content/eus/rhel8/8.1/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.1/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.1/x86_64/supplementary/os',\n 'content/eus/rhel8/8.1/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'dnsmasq-2.79-6.el8_1.1', 'sp':'1', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.79-6.el8_1.1', 'sp':'1', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Extended Update Support or Update Services for SAP Solutions repositories.\\n' +\n 'Access to these repositories requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:00:58", "description": "An update of the dnsmasq package has been released.", "cvss3": {}, "published": "2021-01-26T00:00:00", "type": "nessus", "title": "Photon OS 2.0: Dnsmasq PHSA-2021-2.0-0312", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:dnsmasq", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2021-2_0-0312_DNSMASQ.NASL", "href": "https://www.tenable.com/plugins/nessus/145421", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-2.0-0312. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145421);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Photon OS 2.0: Dnsmasq PHSA-2021-2.0-0312\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the dnsmasq package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-312.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 2.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'dnsmasq-2.82-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'dnsmasq-utils-2.82-1.ph2')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:03:22", "description": "Moshe Kol and Shlomi Oberman of JSOF discovered several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server. They could result in denial of service, cache poisoning or the execution of arbitrary code.", "cvss3": {}, "published": "2021-02-05T00:00:00", "type": "nessus", "title": "Debian DSA-4844-1 : dnsmasq - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:dnsmasq", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DSA-4844.NASL", "href": "https://www.tenable.com/plugins/nessus/146242", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4844. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(146242);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-25681\", \"CVE-2020-25682\", \"CVE-2020-25683\", \"CVE-2020-25684\", \"CVE-2020-25685\", \"CVE-2020-25686\", \"CVE-2020-25687\");\n script_xref(name:\"DSA\", value:\"4844\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Debian DSA-4844-1 : dnsmasq - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Moshe Kol and Shlomi Oberman of JSOF discovered several\nvulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP\nserver. They could result in denial of service, cache poisoning or the\nexecution of arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/dnsmasq\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/dnsmasq\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2021/dsa-4844\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the dnsmasq packages.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 2.80-1+deb10u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"dnsmasq\", reference:\"2.80-1+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"dnsmasq-base\", reference:\"2.80-1+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"dnsmasq-base-lua\", reference:\"2.80-1+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"dnsmasq-utils\", reference:\"2.80-1+deb10u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-29T14:55:31", "description": "An update of the dnsmasq package has been released.", "cvss3": {}, "published": "2021-01-26T00:00:00", "type": "nessus", "title": "Photon OS 3.0: Dnsmasq PHSA-2021-3.0-0186", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:dnsmasq", "cpe:/o:vmware:photonos:3.0"], "id": "PHOTONOS_PHSA-2021-3_0-0186_DNSMASQ.NASL", "href": "https://www.tenable.com/plugins/nessus/145414", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-3.0-0186. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145414);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Photon OS 3.0: Dnsmasq PHSA-2021-3.0-0186\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the dnsmasq package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-3.0-186.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:3.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 3\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 3.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'dnsmasq-2.82-1.ph3')) flag++;\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'dnsmasq-utils-2.82-1.ph3')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:03:08", "description": "According to the versions of the dnsmasq packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-02-22T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP2 : dnsmasq (EulerOS-SA-2021-1288)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1288.NASL", "href": "https://www.tenable.com/plugins/nessus/146697", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146697);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS 2.0 SP2 : dnsmasq (EulerOS-SA-2021-1288)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies\n such as that they are accepted as valid, could use this\n flaw to cause a buffer overflow with arbitrary data in\n a heap memory segment, possibly executing code on the\n machine. The highest threat from this vulnerability is\n to data confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer\n overflow vulnerability was discovered in the way\n dnsmasq extract names from DNS packets before\n validating them with DNSSEC data. An attacker on the\n network, who can create valid DNS replies, could use\n this flaw to cause an overflow with arbitrary data in a\n heap-allocated memory, possibly executing code on the\n machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by\n name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is\n possible extract_name() gets passed an offset from the\n base buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n get_rdata() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in the forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in forward.c:reply_query(), which is the forwarded\n query that matches the reply, by only using a weak hash\n of the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When\n receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards\n a new request. By default, a maximum of 150 pending\n queries can be sent to upstream servers, so there can\n be at most 150 queries for the same name. This flaw\n allows an off-path attacker on the network to\n substantially reduce the number of attempts that it\n would have to perform to forge a reply and have it\n accepted by dnsmasq. This issue is mentioned in the\n 'Birthday Attacks' section of RFC5452. If chained with\n CVE-2020-25684, the attack complexity of a successful\n attack is reduced. The highest threat from this\n vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n sort_rrset() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1288\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d535ebc4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.76-2.2.h3\",\n \"dnsmasq-utils-2.76-2.2.h3\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:03:23", "description": "According to the versions of the dnsmasq packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-02-22T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP3 : dnsmasq (EulerOS-SA-2021-1374)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1374.NASL", "href": "https://www.tenable.com/plugins/nessus/146735", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146735);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS 2.0 SP3 : dnsmasq (EulerOS-SA-2021-1374)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies\n such as that they are accepted as valid, could use this\n flaw to cause a buffer overflow with arbitrary data in\n a heap memory segment, possibly executing code on the\n machine. The highest threat from this vulnerability is\n to data confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer\n overflow vulnerability was discovered in the way\n dnsmasq extract names from DNS packets before\n validating them with DNSSEC data. An attacker on the\n network, who can create valid DNS replies, could use\n this flaw to cause an overflow with arbitrary data in a\n heap-allocated memory, possibly executing code on the\n machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by\n name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is\n possible extract_name() gets passed an offset from the\n base buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n get_rdata() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in the forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in forward.c:reply_query(), which is the forwarded\n query that matches the reply, by only using a weak hash\n of the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When\n receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards\n a new request. By default, a maximum of 150 pending\n queries can be sent to upstream servers, so there can\n be at most 150 queries for the same name. This flaw\n allows an off-path attacker on the network to\n substantially reduce the number of attempts that it\n would have to perform to forge a reply and have it\n accepted by dnsmasq. This issue is mentioned in the\n 'Birthday Attacks' section of RFC5452. If chained with\n CVE-2020-25684, the attack complexity of a successful\n attack is reduced. The highest threat from this\n vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n sort_rrset() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1374\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f777cedc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.76-2.2.h3\",\n \"dnsmasq-utils-2.76-2.2.h3\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:07:32", "description": "According to the versions of the dnsmasq package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-04-15T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.9.0 : dnsmasq (EulerOS-SA-2021-1758)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "cpe:/o:huawei:euleros:uvp:2.9.0"], "id": "EULEROS_SA-2021-1758.NASL", "href": "https://www.tenable.com/plugins/nessus/148581", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148581);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS Virtualization 2.9.0 : dnsmasq (EulerOS-SA-2021-1758)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq package installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. This flaw allows a remote attacker, who can\n create valid DNS replies, to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in sort_rrset() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When receiving a query,\n dnsmasq does not check for an existing pending request\n for the same name and forwards a new request. By\n default, a maximum of 150 pending queries can be sent\n to upstream servers, so there can be at most 150\n queries for the same name. This flaw allows an off-path\n attacker on the network to substantially reduce the\n number of attempts that it would have to perform to\n forge a reply and have it accepted by dnsmasq. This\n issue is mentioned in the 'Birthday Attacks' section of\n RFC5452. If chained with CVE-2020-25684, the attack\n complexity of a successful attack is reduced. The\n highest threat from this vulnerability is to data\n integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in\n forward.c:reply_query(), which is the forwarded query\n that matches the reply, by only using a weak hash of\n the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in the\n forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. A remote attacker, who can create valid DNS\n replies, could use this flaw to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in get_rdata() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. A buffer overflow\n vulnerability was discovered in the way dnsmasq extract\n names from DNS packets before validating them with\n DNSSEC data. An attacker on the network, who can create\n valid DNS replies, could use this flaw to cause an\n overflow with arbitrary data in a heap-allocated\n memory, possibly executing code on the machine. The\n flaw is in the rfc1035.c:extract_name() function, which\n writes data to the memory pointed by name assuming\n MAXDNAME*2 bytes are available in the buffer. However,\n in some code execution paths, it is possible\n extract_name() gets passed an offset from the base\n buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in the way RRSets are sorted\n before validating with DNSSEC data. An attacker on the\n network, who can forge DNS replies such as that they\n are accepted as valid, could use this flaw to cause a\n buffer overflow with arbitrary data in a heap memory\n segment, possibly executing code on the machine. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1758\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?465f8959\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.9.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.9.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.9.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.81-1.h6.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:02:12", "description": "This update for dnsmasq fixes the following issues :\n\nbsc#1177077: Fixed DNSpooq vulnerabilities\n\nCVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache Poisoning attacks.\n\nCVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed multiple potential Heap-based overflows when DNSSEC is enabled.\n\nRetry query to other servers on receipt of SERVFAIL rcode (bsc#1176076)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-01-20T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : dnsmasq (SUSE-SU-2021:0162-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:dnsmasq", "p-cpe:/a:novell:suse_linux:dnsmasq-debuginfo", "p-cpe:/a:novell:suse_linux:dnsmasq-debugsource"], "id": "SUSE_SU-2021-0162-1.NASL", "href": "https://www.tenable.com/plugins/nessus/145199", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:0162-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145199);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"SUSE SLES15 Security Update : dnsmasq (SUSE-SU-2021:0162-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for dnsmasq fixes the following issues :\n\nbsc#1177077: Fixed DNSpooq vulnerabilities\n\nCVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache\nPoisoning attacks.\n\nCVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed\nmultiple potential Heap-based overflows when DNSSEC is enabled.\n\nRetry query to other servers on receipt of SERVFAIL rcode\n(bsc#1176076)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176076\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1177077\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25681/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25682/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25683/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25684/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25685/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25686/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25687/\");\n # https://www.suse.com/support/update/announcement/2021/suse-su-20210162-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?882d5276\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 15 :\n\nzypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-162=1\n\nSUSE Linux Enterprise Server 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-2021-162=1\n\nSUSE Linux Enterprise High Performance Computing 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2021-162=1\n\nSUSE Linux Enterprise High Performance Computing 15-ESPOS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2021-162=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"s390x\") audit(AUDIT_ARCH_NOT, \"s390x\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"dnsmasq-2.78-3.11.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"dnsmasq-debuginfo-2.78-3.11.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"dnsmasq-debugsource-2.78-3.11.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:00:15", "description": "This update for dnsmasq fixes the following issues :\n\nbsc#1177077: Fixed DNSpooq vulnerabilities\n\nCVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache Poisoning attacks.\n\nCVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed multiple potential Heap-based overflows when DNSSEC is enabled.\n\nRetry query to other servers on receipt of SERVFAIL rcode (bsc#1176076)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-01-20T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : dnsmasq (SUSE-SU-2021:0163-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:dnsmasq", "p-cpe:/a:novell:suse_linux:dnsmasq-debuginfo", "p-cpe:/a:novell:suse_linux:dnsmasq-debugsource", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-0163-1.NASL", "href": "https://www.tenable.com/plugins/nessus/145108", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:0163-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145108);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : dnsmasq (SUSE-SU-2021:0163-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for dnsmasq fixes the following issues :\n\nbsc#1177077: Fixed DNSpooq vulnerabilities\n\nCVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache\nPoisoning attacks.\n\nCVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed\nmultiple potential Heap-based overflows when DNSSEC is enabled.\n\nRetry query to other servers on receipt of SERVFAIL rcode\n(bsc#1176076)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176076\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1177077\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25681/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25682/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25683/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25684/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25685/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25686/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25687/\");\n # https://www.suse.com/support/update/announcement/2021/suse-su-20210163-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f0170268\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Basesystem 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-163=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2021-163=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP1/2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP1/2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"dnsmasq-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"dnsmasq-debuginfo-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"dnsmasq-debugsource-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"dnsmasq-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"dnsmasq-debuginfo-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"dnsmasq-debugsource-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"dnsmasq-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"dnsmasq-debuginfo-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"dnsmasq-debugsource-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"dnsmasq-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"dnsmasq-debuginfo-2.78-7.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"dnsmasq-debugsource-2.78-7.6.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:02:12", "description": "The remote host is affected by the vulnerability described in GLSA-202101-17 (Dnsmasq: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Dnsmasq. Please review the references below for details.\n Impact :\n\n An attacker, by sending specially crafted DNS replies, could possibly execute arbitrary code with the privileges of the process, perform a cache poisoning attack or cause a Denial of Service condition.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {}, "published": "2021-01-25T00:00:00", "type": "nessus", "title": "GLSA-202101-17 : Dnsmasq: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:dnsmasq", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202101-17.NASL", "href": "https://www.tenable.com/plugins/nessus/145282", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202101-17.\n#\n# The advisory text is Copyright (C) 2001-2022 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(145282);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-25681\", \"CVE-2020-25682\", \"CVE-2020-25683\", \"CVE-2020-25684\", \"CVE-2020-25685\", \"CVE-2020-25686\", \"CVE-2020-25687\");\n script_xref(name:\"GLSA\", value:\"202101-17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"GLSA-202101-17 : Dnsmasq: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202101-17\n(Dnsmasq: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Dnsmasq. Please review\n the references below for details.\n \nImpact :\n\n An attacker, by sending specially crafted DNS replies, could possibly\n execute arbitrary code with the privileges of the process, perform a\n cache poisoning attack or cause a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202101-17\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Dnsmasq users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-dns/dnsmasq-2.83'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-dns/dnsmasq\", unaffected:make_list(\"ge 2.83\"), vulnerable:make_list(\"lt 2.83\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:02:59", "description": "New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.", "cvss3": {}, "published": "2021-02-10T00:00:00", "type": "nessus", "title": "Slackware 14.0 / 14.1 / 14.2 / current : dnsmasq (SSA:2021-040-01)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:slackware:slackware_linux:dnsmasq", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:14.2"], "id": "SLACKWARE_SSA_2021-040-01.NASL", "href": "https://www.tenable.com/plugins/nessus/146369", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2021-040-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146369);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"SSA\", value:\"2021-040-01\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Slackware 14.0 / 14.1 / 14.2 / current : dnsmasq (SSA:2021-040-01)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Slackware host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2,\nand -current to fix security issues.\");\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2021&m=slackware-security.585069\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fb3c1958\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Slackware Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.0\", pkgname:\"dnsmasq\", pkgver:\"2.84\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"dnsmasq\", pkgver:\"2.84\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"dnsmasq\", pkgver:\"2.84\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"dnsmasq\", pkgver:\"2.84\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"dnsmasq\", pkgver:\"2.84\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"dnsmasq\", pkgver:\"2.84\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"dnsmasq\", pkgver:\"2.84\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"dnsmasq\", pkgver:\"2.84\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:01:47", "description": "Simon Kelley reports :\n\nThere are broadly two sets of problems. The first is subtle errors in dnsmasq's protections against the chronic weakness of the DNS protocol to cache-poisoning attacks; the Birthday attack, Kaminsky, etc.[...]\n\nthe second set of errors is a good old fashioned buffer overflow in dnsmasq's DNSSEC code. If DNSSEC validation is enabled, an installation is at risk.", "cvss3": {}, "published": "2021-01-21T00:00:00", "type": "nessus", "title": "FreeBSD : dnsmasq -- DNS cache poisoning, and DNSSEC buffer overflow, vulnerabilities (5b5cf6e5-5b51-11eb-95ac-7f9491278677)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:dnsmasq", "p-cpe:/a:freebsd:freebsd:dnsmasq-devel", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_5B5CF6E55B5111EB95AC7F9491278677.NASL", "href": "https://www.tenable.com/plugins/nessus/145236", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145236);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"FreeBSD : dnsmasq -- DNS cache poisoning, and DNSSEC buffer overflow, vulnerabilities (5b5cf6e5-5b51-11eb-95ac-7f9491278677)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Simon Kelley reports :\n\nThere are broadly two sets of problems. The first is subtle errors in\ndnsmasq's protections against the chronic weakness of the DNS protocol\nto cache-poisoning attacks; the Birthday attack, Kaminsky, etc.[...]\n\nthe second set of errors is a good old fashioned buffer overflow in\ndnsmasq's DNSSEC code. If DNSSEC validation is enabled, an\ninstallation is at risk.\");\n # https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b6f14801\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.jsof-tech.com/disclosures/dnspooq/\");\n # https://vuxml.freebsd.org/freebsd/5b5cf6e5-5b51-11eb-95ac-7f9491278677.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?27a57b8d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:dnsmasq-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"dnsmasq<2.83\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"dnsmasq-devel<2.83\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:00:15", "description": "The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-0150 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-19T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : dnsmasq (ELSA-2021-0150)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:dnsmasq", "p-cpe:/a:oracle:linux:dnsmasq-utils"], "id": "ORACLELINUX_ELSA-2021-0150.NASL", "href": "https://www.tenable.com/plugins/nessus/145086", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-0150.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145086);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Oracle Linux 8 : dnsmasq (ELSA-2021-0150)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2021-0150 advisory.\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled\n (CVE-2020-25683)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled\n (CVE-2020-25687)\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled\n (CVE-2020-25682)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-0150.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dnsmasq-utils\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\npkgs = [\n {'reference':'dnsmasq-2.79-13.el8_3.1', 'cpu':'aarch64', 'release':'8'},\n {'reference':'dnsmasq-2.79-13.el8_3.1', 'cpu':'x86_64', 'release':'8'},\n {'reference':'dnsmasq-utils-2.79-13.el8_3.1', 'cpu':'aarch64', 'release':'8'},\n {'reference':'dnsmasq-utils-2.79-13.el8_3.1', 'cpu':'x86_64', 'release':'8'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n rpm_prefix = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['rpm_prefix'])) rpm_prefix = package_array['rpm_prefix'];\n if (reference && release) {\n if (rpm_prefix) {\n if (rpm_exists(release:release, rpm:rpm_prefix) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:06:02", "description": "The remote NewStart CGSL host, running version MAIN 6.02, has dnsmasq packages installed that are affected by multiple vulnerabilities:\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap- allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-03-10T00:00:00", "type": "nessus", "title": "NewStart CGSL MAIN 6.02 : dnsmasq Multiple Vulnerabilities (NS-SA-2021-0091)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2021-0091_DNSMASQ.NASL", "href": "https://www.tenable.com/plugins/nessus/147341", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2021-0091. The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147341);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"NewStart CGSL MAIN 6.02 : dnsmasq Multiple Vulnerabilities (NS-SA-2021-0091)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 6.02, has dnsmasq packages installed that are affected by multiple\nvulnerabilities:\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS\n replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with\n arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from\n this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq\n extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who\n can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-\n allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from\n the base buffer, thus reducing, in practice, the number of available bytes that can be written in the\n buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as\n system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in the forward.c:reply_query() if the reply destination address/port is used by the pending\n forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query,\n substantially reducing the number of attempts an attacker on the network would have to perform to forge a\n reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's\n attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful\n attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a\n weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1\n when it is) this flaw allows an off-path attacker to find several different domains all having the same\n hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the\n attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards a new request. By default, a maximum of 150\n pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that\n it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the\n Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a\n successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2021-0091\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL dnsmasq packages. Note that updated packages may not be available yet. Please contact ZTE\nfor more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL MAIN 6.02\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 6.02');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nflag = 0;\n\npkgs = {\n 'CGSL MAIN 6.02': [\n 'dnsmasq-2.79-13.el8_3.1',\n 'dnsmasq-debuginfo-2.79-13.el8_3.1',\n 'dnsmasq-debugsource-2.79-13.el8_3.1',\n 'dnsmasq-utils-2.79-13.el8_3.1',\n 'dnsmasq-utils-debuginfo-2.79-13.el8_3.1'\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:01:47", "description": "This update for dnsmasq fixes the following issues :\n\n - bsc#1177077: Fixed DNSpooq vulnerabilities\n\n - CVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache Poisoning attacks.\n\n - CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed multiple potential Heap-based overflows when DNSSEC is enabled.\n\n - Retry query to other servers on receipt of SERVFAIL rcode (bsc#1176076)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.", "cvss3": {}, "published": "2021-01-25T00:00:00", "type": "nessus", "title": "openSUSE Security Update : dnsmasq (openSUSE-2021-124)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:dnsmasq", "p-cpe:/a:novell:opensuse:dnsmasq-debuginfo", "p-cpe:/a:novell:opensuse:dnsmasq-debugsource", "p-cpe:/a:novell:opensuse:dnsmasq-utils", "p-cpe:/a:novell:opensuse:dnsmasq-utils-debuginfo", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-124.NASL", "href": "https://www.tenable.com/plugins/nessus/145356", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-124.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145356);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"openSUSE Security Update : dnsmasq (openSUSE-2021-124)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for dnsmasq fixes the following issues :\n\n - bsc#1177077: Fixed DNSpooq vulnerabilities\n\n - CVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed\n multiple Cache Poisoning attacks.\n\n - CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,\n CVE-2020-25687: Fixed multiple potential Heap-based\n overflows when DNSSEC is enabled.\n\n - Retry query to other servers on receipt of SERVFAIL\n rcode (bsc#1176076)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1176076\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1177077\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"dnsmasq-2.78-lp152.7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"dnsmasq-debuginfo-2.78-lp152.7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"dnsmasq-debugsource-2.78-lp152.7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"dnsmasq-utils-2.78-lp152.7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"dnsmasq-utils-debuginfo-2.78-lp152.7.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq / dnsmasq-debuginfo / dnsmasq-debugsource / dnsmasq-utils / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:04:41", "description": "According to the versions of the dnsmasq packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-03-24T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : dnsmasq (EulerOS-SA-2021-1673)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1673.NASL", "href": "https://www.tenable.com/plugins/nessus/148050", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148050);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS 2.0 SP5 : dnsmasq (EulerOS-SA-2021-1673)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data.\n An attacker on the network, who can forge DNS replies\n such as that they are accepted as valid, could use this\n flaw to cause a buffer overflow with arbitrary data in\n a heap memory segment, possibly executing code on the\n machine. The highest threat from this vulnerability is\n to data confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer\n overflow vulnerability was discovered in the way\n dnsmasq extract names from DNS packets before\n validating them with DNSSEC data. An attacker on the\n network, who can create valid DNS replies, could use\n this flaw to cause an overflow with arbitrary data in a\n heap-allocated memory, possibly executing code on the\n machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by\n name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is\n possible extract_name() gets passed an offset from the\n base buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n get_rdata() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in the forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When\n getting a reply from a forwarded query, dnsmasq checks\n in forward.c:reply_query(), which is the forwarded\n query that matches the reply, by only using a weak hash\n of the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When\n receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards\n a new request. By default, a maximum of 150 pending\n queries can be sent to upstream servers, so there can\n be at most 150 queries for the same name. This flaw\n allows an off-path attacker on the network to\n substantially reduce the number of attempts that it\n would have to perform to forge a reply and have it\n accepted by dnsmasq. This issue is mentioned in the\n 'Birthday Attacks' section of RFC5452. If chained with\n CVE-2020-25684, the attack complexity of a successful\n attack is reduced. The highest threat from this\n vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A\n heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the\n received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an\n overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in\n rfc1035.c:extract_name(), which could be abused to make\n the code execute memcpy() with a negative size in\n sort_rrset() and cause a crash in dnsmasq, resulting in\n a denial of service. The highest threat from this\n vulnerability is to system\n availability.(CVE-2020-25687)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1673\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bded9d9e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.76-5.h7.eulerosv2r7\",\n \"dnsmasq-utils-2.76-5.h7.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:07:33", "description": "According to the versions of the dnsmasq package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-04-15T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.9.1 : dnsmasq (EulerOS-SA-2021-1733)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "cpe:/o:huawei:euleros:uvp:2.9.1"], "id": "EULEROS_SA-2021-1733.NASL", "href": "https://www.tenable.com/plugins/nessus/148613", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148613);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS Virtualization 2.9.1 : dnsmasq (EulerOS-SA-2021-1733)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq package installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. This flaw allows a remote attacker, who can\n create valid DNS replies, to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in sort_rrset() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When receiving a query,\n dnsmasq does not check for an existing pending request\n for the same name and forwards a new request. By\n default, a maximum of 150 pending queries can be sent\n to upstream servers, so there can be at most 150\n queries for the same name. This flaw allows an off-path\n attacker on the network to substantially reduce the\n number of attempts that it would have to perform to\n forge a reply and have it accepted by dnsmasq. This\n issue is mentioned in the 'Birthday Attacks' section of\n RFC5452. If chained with CVE-2020-25684, the attack\n complexity of a successful attack is reduced. The\n highest threat from this vulnerability is to data\n integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in\n forward.c:reply_query(), which is the forwarded query\n that matches the reply, by only using a weak hash of\n the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in the\n forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. A remote attacker, who can create valid DNS\n replies, could use this flaw to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in get_rdata() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. A buffer overflow\n vulnerability was discovered in the way dnsmasq extract\n names from DNS packets before validating them with\n DNSSEC data. An attacker on the network, who can create\n valid DNS replies, could use this flaw to cause an\n overflow with arbitrary data in a heap-allocated\n memory, possibly executing code on the machine. The\n flaw is in the rfc1035.c:extract_name() function, which\n writes data to the memory pointed by name assuming\n MAXDNAME*2 bytes are available in the buffer. However,\n in some code execution paths, it is possible\n extract_name() gets passed an offset from the base\n buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in the way RRSets are sorted\n before validating with DNSSEC data. An attacker on the\n network, who can forge DNS replies such as that they\n are accepted as valid, could use this flaw to cause a\n buffer overflow with arbitrary data in a heap memory\n segment, possibly executing code on the machine. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1733\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6a9a7d34\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.9.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.9.1\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.9.1\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.81-1.h6.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:04:08", "description": "According to the versions of the dnsmasq packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-03-10T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.2.6 : dnsmasq (EulerOS-SA-2021-1411)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils", "cpe:/o:huawei:euleros:uvp:3.0.2.6"], "id": "EULEROS_SA-2021-1411.NASL", "href": "https://www.tenable.com/plugins/nessus/147462", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147462);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS Virtualization 3.0.2.6 : dnsmasq (EulerOS-SA-2021-1411)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in the way RRSets are sorted\n before validating with DNSSEC data. An attacker on the\n network, who can forge DNS replies such as that they\n are accepted as valid, could use this flaw to cause a\n buffer overflow with arbitrary data in a heap memory\n segment, possibly executing code on the machine. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq. A buffer overflow\n vulnerability was discovered in the way dnsmasq extract\n names from DNS packets before validating them with\n DNSSEC data. An attacker on the network, who can create\n valid DNS replies, could use this flaw to cause an\n overflow with arbitrary data in a heap-allocated\n memory, possibly executing code on the machine. The\n flaw is in the rfc1035.c:extract_name() function, which\n writes data to the memory pointed by name assuming\n MAXDNAME*2 bytes are available in the buffer. However,\n in some code execution paths, it is possible\n extract_name() gets passed an offset from the base\n buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. A remote attacker, who can create valid DNS\n replies, could use this flaw to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in get_rdata() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in the\n forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. This flaw allows a remote attacker, who can\n create valid DNS replies, to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in sort_rrset() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in\n forward.c:reply_query(), which is the forwarded query\n that matches the reply, by only using a weak hash of\n the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When receiving a query,\n dnsmasq does not check for an existing pending request\n for the same name and forwards a new request. By\n default, a maximum of 150 pending queries can be sent\n to upstream servers, so there can be at most 150\n queries for the same name. This flaw allows an off-path\n attacker on the network to substantially reduce the\n number of attempts that it would have to perform to\n forge a reply and have it accepted by dnsmasq. This\n issue is mentioned in the 'Birthday Attacks' section of\n RFC5452. If chained with CVE-2020-25684, the attack\n complexity of a successful attack is reduced. The\n highest threat from this vulnerability is to data\n integrity.(CVE-2020-25686)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1411\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2728ad96\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.6\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.6\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.76-5.h7.eulerosv2r7\",\n \"dnsmasq-utils-2.76-5.h7.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:06:02", "description": "According to the versions of the dnsmasq packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-03-10T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.6.6 : dnsmasq (EulerOS-SA-2021-1469)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils", "cpe:/o:huawei:euleros:uvp:3.0.6.6"], "id": "EULEROS_SA-2021-1469.NASL", "href": "https://www.tenable.com/plugins/nessus/147517", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147517);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS Virtualization 3.0.6.6 : dnsmasq (EulerOS-SA-2021-1469)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in the way RRSets are sorted\n before validating with DNSSEC data. An attacker on the\n network, who can forge DNS replies such as that they\n are accepted as valid, could use this flaw to cause a\n buffer overflow with arbitrary data in a heap memory\n segment, possibly executing code on the machine. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\n - A flaw was found in dnsmasq. A buffer overflow\n vulnerability was discovered in the way dnsmasq extract\n names from DNS packets before validating them with\n DNSSEC data. An attacker on the network, who can create\n valid DNS replies, could use this flaw to cause an\n overflow with arbitrary data in a heap-allocated\n memory, possibly executing code on the machine. The\n flaw is in the rfc1035.c:extract_name() function, which\n writes data to the memory pointed by name assuming\n MAXDNAME*2 bytes are available in the buffer. However,\n in some code execution paths, it is possible\n extract_name() gets passed an offset from the base\n buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. A remote attacker, who can create valid DNS\n replies, could use this flaw to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in get_rdata() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in the\n forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. This flaw allows a remote attacker, who can\n create valid DNS replies, to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in sort_rrset() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in\n forward.c:reply_query(), which is the forwarded query\n that matches the reply, by only using a weak hash of\n the query name. Due to the weak hash (CRC32 when\n dnsmasq is compiled without DNSSEC, SHA-1 when it is)\n this flaw allows an off-path attacker to find several\n different domains all having the same hash,\n substantially reducing the number of attempts they\n would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452,\n which specifies that the query name is one of the\n attributes of a query that must be used to match a\n reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the\n attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data\n integrity.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When receiving a query,\n dnsmasq does not check for an existing pending request\n for the same name and forwards a new request. By\n default, a maximum of 150 pending queries can be sent\n to upstream servers, so there can be at most 150\n queries for the same name. This flaw allows an off-path\n attacker on the network to substantially reduce the\n number of attempts that it would have to perform to\n forge a reply and have it accepted by dnsmasq. This\n issue is mentioned in the 'Birthday Attacks' section of\n RFC5452. If chained with CVE-2020-25684, the attack\n complexity of a successful attack is reduced. The\n highest threat from this vulnerability is to data\n integrity.(CVE-2020-25686)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1469\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4e587e6b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.6\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.6\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.76-5.h7.eulerosv2r7\",\n \"dnsmasq-utils-2.76-5.h7.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:02:13", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0151 advisory.\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-19T00:00:00", "type": "nessus", "title": "RHEL 8 : dnsmasq (RHSA-2021:0151)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:rhel_aus:8.2", "cpe:/o:redhat:rhel_e4s:8.2", "cpe:/o:redhat:rhel_eus:8.2", "cpe:/o:redhat:rhel_tus:8.2", "p-cpe:/a:redhat:enterprise_linux:dnsmasq", "p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils"], "id": "REDHAT-RHSA-2021-0151.NASL", "href": "https://www.tenable.com/plugins/nessus/145077", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0151. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145077);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"RHSA\", value:\"2021:0151\");\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"RHEL 8 : dnsmasq (RHSA-2021:0151)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0151 advisory.\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled\n (CVE-2020-25682)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled\n (CVE-2020-25683)\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled\n (CVE-2020-25687)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25681\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25683\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25687\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0151\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1881875\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1882014\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1882018\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1890125\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1891568\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(122, 290, 326, 358);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq-utils\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '8.2')) audit(AUDIT_OS_NOT, 'Red Hat 8.2', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.2/x86_64/appstream/debug',\n 'content/aus/rhel8/8.2/x86_64/appstream/os',\n 'content/aus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.2/x86_64/baseos/debug',\n 'content/aus/rhel8/8.2/x86_64/baseos/os',\n 'content/aus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.2/ppc64le/sap/os',\n 'content/e4s/rhel8/8.2/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.2/x86_64/appstream/os',\n 'content/e4s/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.2/x86_64/baseos/os',\n 'content/e4s/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/sap/debug',\n 'content/e4s/rhel8/8.2/x86_64/sap/os',\n 'content/e4s/rhel8/8.2/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/appstream/debug',\n 'content/eus/rhel8/8.2/aarch64/appstream/os',\n 'content/eus/rhel8/8.2/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/baseos/debug',\n 'content/eus/rhel8/8.2/aarch64/baseos/os',\n 'content/eus/rhel8/8.2/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.2/aarch64/highavailability/os',\n 'content/eus/rhel8/8.2/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.2/aarch64/supplementary/os',\n 'content/eus/rhel8/8.2/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.2/ppc64le/appstream/os',\n 'content/eus/rhel8/8.2/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.2/ppc64le/baseos/os',\n 'content/eus/rhel8/8.2/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/sap/debug',\n 'content/eus/rhel8/8.2/ppc64le/sap/os',\n 'content/eus/rhel8/8.2/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/appstream/debug',\n 'content/eus/rhel8/8.2/s390x/appstream/os',\n 'content/eus/rhel8/8.2/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/baseos/debug',\n 'content/eus/rhel8/8.2/s390x/baseos/os',\n 'content/eus/rhel8/8.2/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/highavailability/debug',\n 'content/eus/rhel8/8.2/s390x/highavailability/os',\n 'content/eus/rhel8/8.2/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/sap/debug',\n 'content/eus/rhel8/8.2/s390x/sap/os',\n 'content/eus/rhel8/8.2/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/supplementary/debug',\n 'content/eus/rhel8/8.2/s390x/supplementary/os',\n 'content/eus/rhel8/8.2/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/appstream/debug',\n 'content/eus/rhel8/8.2/x86_64/appstream/os',\n 'content/eus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/baseos/debug',\n 'content/eus/rhel8/8.2/x86_64/baseos/os',\n 'content/eus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.2/x86_64/highavailability/os',\n 'content/eus/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/sap/debug',\n 'content/eus/rhel8/8.2/x86_64/sap/os',\n 'content/eus/rhel8/8.2/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.2/x86_64/supplementary/os',\n 'content/eus/rhel8/8.2/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/appstream/debug',\n 'content/tus/rhel8/8.2/x86_64/appstream/os',\n 'content/tus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/baseos/debug',\n 'content/tus/rhel8/8.2/x86_64/baseos/os',\n 'content/tus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.2/x86_64/highavailability/os',\n 'content/tus/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/nfv/debug',\n 'content/tus/rhel8/8.2/x86_64/nfv/os',\n 'content/tus/rhel8/8.2/x86_64/nfv/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/rt/debug',\n 'content/tus/rhel8/8.2/x86_64/rt/os',\n 'content/tus/rhel8/8.2/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'dnsmasq-2.79-11.el8_2.2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.79-11.el8_2.2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Advanced Update Support, Extended Update Support, Telco Extended Update Support or Update Services for SAP Solutions repositories.\\n' +\n 'Access to these repositories requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:00:13", "description": "The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:0150 advisory.\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled (CVE-2020-25682)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled (CVE-2020-25683)\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-29T00:00:00", "type": "nessus", "title": "CentOS 8 : dnsmasq (CESA-2021:0150)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:centos:centos:8", "p-cpe:/a:centos:centos:dnsmasq", "p-cpe:/a:centos:centos:dnsmasq-utils"], "id": "CENTOS8_RHSA-2021-0150.NASL", "href": "https://www.tenable.com/plugins/nessus/145698", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# Red Hat Security Advisory RHSA-2021:0150. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145698);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"RHSA\", value:\"2021:0150\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"CentOS 8 : dnsmasq (CESA-2021:0150)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2021:0150 advisory.\n\n - dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled (CVE-2020-25681)\n\n - dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled\n (CVE-2020-25682)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled\n (CVE-2020-25683)\n\n - dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25684)\n\n - dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker\n (CVE-2020-25685)\n\n - dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path\n attacker (CVE-2020-25686)\n\n - dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled\n (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0150\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq and / or dnsmasq-utils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:dnsmasq-utils\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nos_ver = pregmatch(pattern: \"CentOS(?: Stream)?(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif ('CentOS Stream' >< release) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS Stream ' + os_ver);\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\npkgs = [\n {'reference':'dnsmasq-2.79-13.el8_3.1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-2.79-13.el8_3.1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.79-13.el8_3.1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dnsmasq-utils-2.79-13.el8_3.1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'CentOS-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:11:57", "description": "The remote SUSE Linux SLES11 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:14603-1 advisory.\n\n - A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to cause a denial of service (memory consumption) via vectors involving DHCP response creation.\n (CVE-2019-14834)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap- allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-06-10T00:00:00", "type": "nessus", "title": "SUSE SLES11 Security Update : dnsmasq (SUSE-SU-2021:14603-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14834", "CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-06T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:dnsmasq"], "id": "SUSE_SU-2021-14603-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150612", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:14603-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150612);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\n \"CVE-2019-14834\",\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:14603-1\");\n script_xref(name:\"IAVA\", value:\"2020-A-0194-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0041\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"SUSE SLES11 Security Update : dnsmasq (SUSE-SU-2021:14603-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES11 host has a package installed that is affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:14603-1 advisory.\n\n - A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to\n cause a denial of service (memory consumption) via vectors involving DHCP response creation.\n (CVE-2019-14834)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way\n RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS\n replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with\n arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from\n this vulnerability is to data confidentiality and integrity as well as system availability.\n (CVE-2020-25681)\n\n - A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq\n extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who\n can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-\n allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name()\n function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the\n buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from\n the base buffer, thus reducing, in practice, the number of available bytes that can be written in the\n buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as\n system availability. (CVE-2020-25682)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create\n valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25683)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in the forward.c:reply_query() if the reply destination address/port is used by the pending\n forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query,\n substantially reducing the number of attempts an attacker on the network would have to perform to forge a\n reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's\n attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful\n attack is reduced. The highest threat from this vulnerability is to data integrity. (CVE-2020-25684)\n\n - A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq\n checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a\n weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1\n when it is) this flaw allows an off-path attacker to find several different domains all having the same\n hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it\n accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the\n attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache\n Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced.\n The highest threat from this vulnerability is to data integrity. (CVE-2020-25685)\n\n - A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an\n existing pending request for the same name and forwards a new request. By default, a maximum of 150\n pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name.\n This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that\n it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the\n Birthday Attacks section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a\n successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n (CVE-2020-25686)\n\n - A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq\n when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote\n attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is\n caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code\n execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial\n of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25687)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1154849\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176076\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177077\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-January/008224.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bb2f7f83\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2019-14834\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25681\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25683\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25684\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25687\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES11', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\npkgs = [\n {'reference':'dnsmasq-2.78-0.17.15', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'dnsmasq-2.78-0.17.15', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n exists_check = NULL;\n rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release && exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n else if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:00:59", "description": "The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4698-1 advisory.\n\n - A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to cause a denial of service (memory consumption) via vectors involving DHCP response creation.\n (CVE-2019-14834)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-19T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Dnsmasq vulnerabilities (USN-4698-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14834", "CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2023-10-16T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:dnsmasq", "p-cpe:/a:canonical:ubuntu_linux:dnsmasq-base", "p-cpe:/a:canonical:ubuntu_linux:dnsmasq-utils", "p-cpe:/a:canonical:ubuntu_linux:dnsmasq-base-lua"], "id": "UBUNTU_USN-4698-1.NASL", "href": "https://www.tenable.com/plugins/nessus/145078", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4698-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145078);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/16\");\n\n script_cve_id(\n \"CVE-2019-14834\",\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"USN\", value:\"4698-1\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Dnsmasq vulnerabilities (USN-4698-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by multiple\nvulnerabilities as referenced in the USN-4698-1 advisory.\n\n - A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to\n cause a denial of service (memory consumption) via vectors involving DHCP response creation.\n (CVE-2019-14834)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4698-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dnsmasq-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dnsmasq-base-lua\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dnsmasq-utils\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('16.04' >< os_release || '18.04' >< os_release || '20.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04 / 20.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar pkgs = [\n {'osver': '16.04', 'pkgname': 'dnsmasq', 'pkgver': '2.75-1ubuntu0.16.04.7'},\n {'osver': '16.04', 'pkgname': 'dnsmasq-base', 'pkgver': '2.75-1ubuntu0.16.04.7'},\n {'osver': '16.04', 'pkgname': 'dnsmasq-utils', 'pkgver': '2.75-1ubuntu0.16.04.7'},\n {'osver': '18.04', 'pkgname': 'dnsmasq', 'pkgver': '2.79-1ubuntu0.2'},\n {'osver': '18.04', 'pkgname': 'dnsmasq-base', 'pkgver': '2.79-1ubuntu0.2'},\n {'osver': '18.04', 'pkgname': 'dnsmasq-base-lua', 'pkgver': '2.79-1ubuntu0.2'},\n {'osver': '18.04', 'pkgname': 'dnsmasq-utils', 'pkgver': '2.79-1ubuntu0.2'},\n {'osver': '20.04', 'pkgname': 'dnsmasq', 'pkgver': '2.80-1.1ubuntu1.2'},\n {'osver': '20.04', 'pkgname': 'dnsmasq-base', 'pkgver': '2.80-1.1ubuntu1.2'},\n {'osver': '20.04', 'pkgname': 'dnsmasq-base-lua', 'pkgver': '2.80-1.1ubuntu1.2'},\n {'osver': '20.04', 'pkgname': 'dnsmasq-utils', 'pkgver': '2.80-1.1ubuntu1.2'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dnsmasq / dnsmasq-base / dnsmasq-base-lua / dnsmasq-utils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:04:10", "description": "According to the versions of the dnsmasq packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in the default configuration of dnsmasq, as shipped with Fedora and Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled.\n Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems.(CVE-2020-14312)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the 'Birthday Attacks' section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-03-04T00:00:00", "type": "nessus", "title": "EulerOS Virtualization for ARM 64 3.0.6.0 : dnsmasq (EulerOS-SA-2021-1551)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-14312", "CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:huawei:euleros:uvp:3.0.6.0", "p-cpe:/a:huawei:euleros:dnsmasq", "p-cpe:/a:huawei:euleros:dnsmasq-utils"], "id": "EULEROS_SA-2021-1551.NASL", "href": "https://www.tenable.com/plugins/nessus/147133", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147133);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-14312\",\n \"CVE-2020-25681\",\n \"CVE-2020-25682\",\n \"CVE-2020-25683\",\n \"CVE-2020-25684\",\n \"CVE-2020-25685\",\n \"CVE-2020-25686\",\n \"CVE-2020-25687\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.6.0 : dnsmasq (EulerOS-SA-2021-1551)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the dnsmasq packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - A flaw was found in the default configuration of\n dnsmasq, as shipped with Fedora and Red Hat Enterprise\n Linux, where it listens on any interface and accepts\n queries from addresses outside of its local subnet. In\n particular, the option `local-service` is not enabled.\n Running dnsmasq in this manner may inadvertently make\n it an open resolver accessible from any address on the\n internet. This flaw allows an attacker to conduct a\n Distributed Denial of Service (DDoS) against other\n systems.(CVE-2020-14312)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. This flaw allows a remote attacker, who can\n create valid DNS replies, to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in sort_rrset() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25687)\n\n - A flaw was found in dnsmasq. When receiving a query,\n dnsmasq does not check for an existing pending request\n for the same name and forwards a new request. By\n default, a maximum of 150 pending queries can be sent\n to upstream servers, so there can be at most 150\n queries for the same name. This flaw allows an off-path\n attacker on the network to substantially reduce the\n number of attempts that it would have to perform to\n forge a reply and have it accepted by dnsmasq. This\n issue is mentioned in the 'Birthday Attacks' section of\n RFC5452. If chained with CVE-2020-25684, the attack\n complexity of a successful attack is reduced. The\n highest threat from this vulnerability is to data\n integrity.(CVE-2020-25686)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. A remote attacker, who can create valid DNS\n replies, could use this flaw to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in get_rdata() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25685)\n\n - A flaw was found in dnsmasq. When getting a reply from\n a forwarded query, dnsmasq checks in the\n forward.c:reply_query() if the reply destination\n address/port is used by the pending forwarded queries.\n However, it does not use the address/port to retrieve\n the exact forwarded query, substantially reducing the\n number of attempts an attacker on the network would\n have to perform to forge a reply and get it accepted by\n dnsmasq. This issue contrasts with RFC5452, which\n specifies a query's attributes that all must be used to\n match a reply. This flaw allows an attacker to perform\n a DNS Cache Poisoning attack. If chained with\n CVE-2020-25685 or CVE-2020-25686, the attack complexity\n of a successful attack is reduced. The highest threat\n from this vulnerability is to data\n integrity.(CVE-2020-25684)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in dnsmasq when DNSSEC is\n enabled and before it validates the received DNS\n entries. A remote attacker, who can create valid DNS\n replies, could use this flaw to cause an overflow in a\n heap-allocated memory. This flaw is caused by the lack\n of length checks in rfc1035.c:extract_name(), which\n could be abused to make the code execute memcpy() with\n a negative size in get_rdata() and cause a crash in\n dnsmasq, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-25683)\n\n - A flaw was found in dnsmasq. A buffer overflow\n vulnerability was discovered in the way dnsmasq extract\n names from DNS packets before validating them with\n DNSSEC data. An attacker on the network, who can create\n valid DNS replies, could use this flaw to cause an\n overflow with arbitrary data in a heap-allocated\n memory, possibly executing code on the machine. The\n flaw is in the rfc1035.c:extract_name() function, which\n writes data to the memory pointed by name assuming\n MAXDNAME*2 bytes are available in the buffer. However,\n in some code execution paths, it is possible\n extract_name() gets passed an offset from the base\n buffer, thus reducing, in practice, the number of\n available bytes that can be written in the buffer. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25682)\n\n - A flaw was found in dnsmasq. A heap-based buffer\n overflow was discovered in the way RRSets are sorted\n before validating with DNSSEC data. An attacker on the\n network, who can forge DNS replies such as that they\n are accepted as valid, could use this flaw to cause a\n buffer overflow with arbitrary data in a heap memory\n segment, possibly executing code on the machine. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25681)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1551\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cc647336\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dnsmasq packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"dnsmasq-2.79-7.h5.eulerosv2r8\",\n \"dnsmasq-utils-2.79-7.h5.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:04:09", "description": "Moshe Kol and Shlomi Oberman of JSOF discovered several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server. They could result in denial of service, cache poisoning or the execution of arbitrary code.\n\nFor Debian 9 stretch, these problems have been fixed in version 2.76-5+deb9u3.\n\nWe recommend that you upgrade your dnsmasq packages.\n\nFor the detailed security status of dnsmasq please refer to its security tracker page at:\nhttps://security-tracker.debian.org/tracker/dnsmasq\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-03-23T00:00:00", "type": "nessus", "title": "Debian DLA-2604-1 : dnsmasq security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25687"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:dnsmasq", "p-cpe:/a:debian:debian_linux:dnsmasq-base", "p-cpe:/a:debian:debian_linux:dnsmasq-utils", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2604.NASL", "href": "https://www.tenable.com/plugins/nessus/147960", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2604-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(147960);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-25681\", \"CVE-2020-25682\", \"CVE-2020-25683\", \"CVE-2020-25684\", \"CVE-2020-25687\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0003\");\n\n script_name(english:\"Debian DLA-2604-1 : dnsmasq security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Moshe Kol and Shlomi Oberman of JSOF discovered several\nvulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP\nserver. They could result in denial of service, cache poisoning or the\nexecution of arbitrary code.\n\nFor Debian 9 stretch, these problems have been fixed in version\n2.76-5+deb9u3.\n\nWe recommend that you upgrade your dnsmasq packages.\n\nFor the detailed security status of dnsmasq please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/dnsmasq\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2021/03/msg00027.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/dnsmasq\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/dnsmasq\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:dnsmasq-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"dnsmasq\", reference:\"2.76-5+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"dnsmasq-base\", reference:\"2.76-5+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"dnsmasq-utils\", reference:\"2.76-5+deb9u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2023-12-03T15:43:54", "description": "A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-20T16:15:00", "type": "cve", "title": "CVE-2020-25684", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2023-11-07T03:20:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2020-25684", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25684", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-03T15:43:53", "description": "A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the \"Birthday Attacks\" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-20T17:15:00", "type": "cve", "title": "CVE-2020-25686", "cwe": ["CWE-358"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25686"], "modified": "2023-11-07T03:20:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33"], "id": "CVE-2020-25686", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25686", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-03T15:43:52", "description": "A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-20T16:15:00", "type": "cve", "title": "CVE-2020-25685", "cwe": ["CWE-326"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685"], "modified": "2023-11-07T03:20:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33"], "id": "CVE-2020-25685", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25685", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}], "centos": [{"lastseen": "2023-12-03T17:00:25", "description": "**CentOS Errata and Security Advisory** CESA-2021:0153\n\n\nThe dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.\n\nSecurity Fix(es):\n\n* dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25684)\n\n* dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker (CVE-2020-25685)\n\n* dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker (CVE-2020-25686)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-announce/2021-January/086042.html\n\n**Affected packages:**\ndnsmasq\ndnsmasq-utils\n\n**Upstream details at:**\nhttps://access.redhat.com/errata/RHSA-2021:0153", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-25T14:08:58", "type": "centos", "title": "dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2021-01-25T14:08:58", "id": "CESA-2021:0153", "href": "https://lists.centos.org/pipermail/centos-announce/2021-January/086042.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "alpinelinux": [{"lastseen": "2023-12-03T16:03:17", "description": "A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-20T16:15:00", "type": "alpinelinux", "title": "CVE-2020-25684", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2023-11-07T03:20:00", "id": "ALPINE:CVE-2020-25684", "href": "https://security.alpinelinux.org/vuln/CVE-2020-25684", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-03T16:03:17", "description": "A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-20T16:15:00", "type": "alpinelinux", "title": "CVE-2020-25685", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685"], "modified": "2023-11-07T03:20:00", "id": "ALPINE:CVE-2020-25685", "href": "https://security.alpinelinux.org/vuln/CVE-2020-25685", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-03T16:03:17", "description": "A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the \"Birthday Attacks\" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-20T17:15:00", "type": "alpinelinux", "title": "CVE-2020-25686", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25686"], "modified": "2023-11-07T03:20:00", "id": "ALPINE:CVE-2020-25686", "href": "https://security.alpinelinux.org/vuln/CVE-2020-25686", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "ubuntucve": [{"lastseen": "2023-12-03T13:57:29", "description": "A flaw was found in dnsmasq before version 2.83. When getting a reply from\na forwarded query, dnsmasq checks in the forward.c:reply_query() if the\nreply destination address/port is used by the pending forwarded queries.\nHowever, it does not use the address/port to retrieve the exact forwarded\nquery, substantially reducing the number of attempts an attacker on the\nnetwork would have to perform to forge a reply and get it accepted by\ndnsmasq. This issue contrasts with RFC5452, which specifies a query's\nattributes that all must be used to match a reply. This flaw allows an\nattacker to perform a DNS Cache Poisoning attack. If chained with\nCVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful\nattack is reduced. The highest threat from this vulnerability is to data\nintegrity.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-19T00:00:00", "type": "ubuntucve", "title": "CVE-2020-25684", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2021-01-19T00:00:00", "id": "UB:CVE-2020-25684", "href": "https://ubuntu.com/security/CVE-2020-25684", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-03T13:57:29", "description": "A flaw was found in dnsmasq before version 2.83. When receiving a query,\ndnsmasq does not check for an existing pending request for the same name\nand forwards a new request. By default, a maximum of 150 pending queries\ncan be sent to upstream servers, so there can be at most 150 queries for\nthe same name. This flaw allows an off-path attacker on the network to\nsubstantially reduce the number of attempts that it would have to perform\nto forge a reply and have it accepted by dnsmasq. This issue is mentioned\nin the \"Birthday Attacks\" section of RFC5452. If chained with\nCVE-2020-25684, the attack complexity of a successful attack is reduced.\nThe highest threat from this vulnerability is to data integrity.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-19T00:00:00", "type": "ubuntucve", "title": "CVE-2020-25686", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25686"], "modified": "2021-01-19T00:00:00", "id": "UB:CVE-2020-25686", "href": "https://ubuntu.com/security/CVE-2020-25686", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-03T13:57:28", "description": "A flaw was found in dnsmasq before version 2.83. When getting a reply from\na forwarded query, dnsmasq checks in forward.c:reply_query(), which is the\nforwarded query that matches the reply, by only using a weak hash of the\nquery name. Due to the weak hash (CRC32 when dnsmasq is compiled without\nDNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find\nseveral different domains all having the same hash, substantially reducing\nthe number of attempts they would have to perform to forge a reply and get\nit accepted by dnsmasq. This is in contrast with RFC5452, which specifies\nthat the query name is one of the attributes of a query that must be used\nto match a reply. This flaw could be abused to perform a DNS Cache\nPoisoning attack. If chained with CVE-2020-25684 the attack complexity of a\nsuccessful attack is reduced. The highest threat from this vulnerability is\nto data integrity.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-19T00:00:00", "type": "ubuntucve", "title": "CVE-2020-25685", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685"], "modified": "2021-01-19T00:00:00", "id": "UB:CVE-2020-25685", "href": "https://ubuntu.com/security/CVE-2020-25685", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "debiancve": [{"lastseen": "2023-12-03T18:24:36", "description": "A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-20T16:15:00", "type": "debiancve", "title": "CVE-2020-25684", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2021-01-20T16:15:00", "id": "DEBIANCVE:CVE-2020-25684", "href": "https://security-tracker.debian.org/tracker/CVE-2020-25684", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-03T18:24:36", "description": "A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the \"Birthday Attacks\" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-20T17:15:00", "type": "debiancve", "title": "CVE-2020-25686", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25686"], "modified": "2021-01-20T17:15:00", "id": "DEBIANCVE:CVE-2020-25686", "href": "https://security-tracker.debian.org/tracker/CVE-2020-25686", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-03T18:24:36", "description": "A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-20T16:15:00", "type": "debiancve", "title": "CVE-2020-25685", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685"], "modified": "2021-01-20T16:15:00", "id": "DEBIANCVE:CVE-2020-25685", "href": "https://security-tracker.debian.org/tracker/CVE-2020-25685", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "redhatcve": [{"lastseen": "2023-12-04T00:29:35", "description": "A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n#### Mitigation\n\nThe impact of this flaw can be reduced by disabling the dnsmasq cache by adding `--cache-size=0` when calling dnsmasq or by adding a line with `cache-size=0` to the dnsmasq configuration file (/etc/dnsmasq.conf by default). \n\n\nWhen using Red Hat Enterprise Linux 8.3 with libvirt through a virt:rhel module, use `virsh net-edit &lt;network-name&gt;` and reference <https://libvirt.org/formatnetwork.html#elementsNamespaces> to add the suggested option `cache-size=0`. \n\n\nThere is no way to customize the dnsmasq configuration generated by libvirt, when using versions of Red Hat Enterprise Linux prior to version 8.3. If dnsmasq is being run through NetworkManager, create a new file in /etc/NetworkManager/dnsmasq.d/ and add `cache-size=0` to it. \n\n\nIn all cases, by disabling the cache, you may experience a performance loss in your environment due to all DNS queries being forwarded to the upstream servers. Please evaluate if the mitigation is appropriate for the system\u2019s environment before applying. \n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-19T14:57:23", "type": "redhatcve", "title": "CVE-2020-25684", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2023-08-31T16:00:34", "id": "RH:CVE-2020-25684", "href": "https://access.redhat.com/security/cve/cve-2020-25684", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-04T00:29:39", "description": "A flaw was found in dnsmasq. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the \"Birthday Attacks\" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n#### Mitigation\n\nThe impact of this flaw can be reduced by disabling the dnsmasq cache by adding `--cache-size=0` when calling dnsmasq or by adding a line with `cache-size=0` to the dnsmasq configuration file (/etc/dnsmasq.conf by default). \n\n\nWhen using Red Hat Enterprise Linux 8.3 with libvirt through a virt:rhel module, use `virsh net-edit &lt;network-name&gt;` and reference <https://libvirt.org/formatnetwork.html#elementsNamespaces> to add the suggested option `cache-size=0`. \n\n\nThere is no way to customize the dnsmasq configuration generated by libvirt, when using versions of Red Hat Enterprise Linux prior to version 8.3. If dnsmasq is being run through NetworkManager, create a new file in /etc/NetworkManager/dnsmasq.d/ and add `cache-size=0` to it. \n\n\nIn all cases, by disabling the cache, you may experience a performance loss in your environment due to all DNS queries being forwarded to the upstream servers. Please evaluate if the mitigation is appropriate for the system\u2019s environment before applying. \n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-19T12:18:42", "type": "redhatcve", "title": "CVE-2020-25686", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25686"], "modified": "2023-08-31T16:00:58", "id": "RH:CVE-2020-25686", "href": "https://access.redhat.com/security/cve/cve-2020-25686", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-04T00:29:35", "description": "A flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.\n#### Mitigation\n\nThe impact of this flaw can be reduced by disabling the dnsmasq cache by adding `--cache-size=0` when calling dnsmasq or by adding a line with `cache-size=0` to the dnsmasq configuration file (/etc/dnsmasq.conf by default). \n\n\nWhen using Red Hat Enterprise Linux 8.3 with libvirt through a virt:rhel module, use `virsh net-edit &lt;network-name&gt;` and reference <https://libvirt.org/formatnetwork.html#elementsNamespaces> to add the suggested option `cache-size=0`. \n\n\nThere is no way to customize the dnsmasq configuration generated by libvirt, when using versions of Red Hat Enterprise Linux prior to version 8.3. If dnsmasq is being run through NetworkManager, create a new file in /etc/NetworkManager/dnsmasq.d/ and add `cache-size=0` to it. \n\n\nIn all cases, by disabling the cache, you may experience a performance loss in your environment due to all DNS queries being forwarded to the upstream servers. Please evaluate if the mitigation is appropriate for the system\u2019s environment before applying. \n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-19T12:18:11", "type": "redhatcve", "title": "CVE-2020-25685", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685"], "modified": "2023-08-31T16:00:44", "id": "RH:CVE-2020-25685", "href": "https://access.redhat.com/security/cve/cve-2020-25685", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-04T00:29:36", "description": "A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n#### Mitigation\n\nThe only known way to mitigate this flaw is to disable DNSSEC altogether, by removing the `--dnssec` command line option or the `dnssec` option from dnsmasq configuration file. \n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-19T12:18:18", "type": "redhatcve", "title": "CVE-2020-25681", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2023-04-06T07:32:33", "id": "RH:CVE-2020-25681", "href": "https://access.redhat.com/security/cve/cve-2020-25681", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "oraclelinux": [{"lastseen": "2021-07-28T14:24:34", "description": "[2.76-16.1]\n- Accept responses only on correct sockets (CVE-2020-25684)\n- Use strong verification on queries (CVE-2020-25685)\n- Handle multiple identical DNS queries better (CVE-2020-25686)\n- Link against nettle for sha256 hash implementation", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 3.7, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-01-19T00:00:00", "type": "oraclelinux", "title": "dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2021-01-19T00:00:00", "id": "ELSA-2021-0153", "href": "http://linux.oracle.com/errata/ELSA-2021-0153.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-28T14:24:32", "description": "[2.79-13.1]\n- Fix various issues in dnssec validation (CVE-2020-25681)\n- Accept responses only on correct sockets (CVE-2020-25684)\n- Use strong verification on queries (CVE-2020-25685)", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-20T00:00:00", "type": "oraclelinux", "title": "dnsmasq security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-25687"], "modified": "2021-01-20T00:00:00", "id": "ELSA-2021-0150", "href": "http://linux.oracle.com/errata/ELSA-2021-0150.html", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "prion": [{"lastseen": "2023-11-22T01:31:07", "description": "A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.", "cvss3": {"cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-01-20T16:15:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"], "modified": "2023-11-07T03:20:00", "id": "PRION:CVE-2020-25684", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2020-25684", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-11-22T01:31:07", "description": "A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.", "cvss3": {"cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-01-20T16:15:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25684", "CVE-2020-25685"], "modified": "2023-11-07T03:20:00", "id": "PRION:CVE-2020-25685", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2020-25685", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-11-22T01:31:07", "description": "A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsma