Advisory ROSA-SA-2021-1823

2021-07-02 16:38:26
ROSA LAB
abf.rosalinux.ru

CVSS3: 8.1 High
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 8.6 High (Confidence: High)

CVSS2: 8.3 High
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:C
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: COMPLETE

EPSS: 0.648 Medium
Percentile: 97.9%

Software: dnsmasq 2.76
OS: Cobalt 7.9

CVE-ID: CVE-2017-13704
CVE-Crit: HIGH
CVE-DESC: In dnsmasq before 2.78, if the DNS packet size does not match the expected size, the size parameter in the memset call gets a negative value. Since this is an unsigned value, memset writes up to 0xffffffffffffffff bytes on 64-bit platforms, causing dnsmasq to crash.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-15107
CVE-Crit: HIGH
CVE-DESC: A vulnerability was discovered in the DNSSEC implementation of Dnsmasq up to and including version 2.78. NSEC records synthesized with wildcards could be misinterpreted to prove the absence of real hostnames.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-25686
CVE-Crit: LOW
CVE-DESC: A bug was discovered in dnsmasq before version 2.83. When receiving a request, dnsmasq does not check whether a pending request with the same name already exists and forwards a new request anyway. By default, no more than 150 pending requests can be sent to upstream servers, so there can be up to 150 in-flight requests for the same name. This flaw allows an off-path attacker on the network to significantly reduce the number of attempts they would have to make to spoof a response and have it accepted by dnsmasq. This problem is described in the "Birthday Attacks" section of RFC 5452. When combined with CVE-2020-25684, the difficulty of a successful attack is reduced. The biggest threat from this vulnerability is to data integrity.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-25685
CVE-Crit: LOW
CVE-DESC: A bug was discovered in dnsmasq before version 2.83. When receiving a response to a forwarded query, dnsmasq determines in forward.c:reply_query() which forwarded query matches the response using only a weak hash of the query name. Because of the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is), this flaw allows an off-path attacker to find several different domains with the same hash, which greatly reduces the number of attempts they would have to make to spoof a response and have it accepted by dnsmasq. This contradicts RFC 5452, which specifies that the query name is one of the query attributes that should be used to match a response. This vulnerability can be exploited to perform a DNS cache poisoning attack. When chained with CVE-2020-25684, the complexity of a successful attack is reduced. The biggest threat from this vulnerability is to data integrity.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-25687
CVE-Crit: MEDIUM
CVE-DESC: A bug was discovered in dnsmasq before version 2.83. A heap-based buffer overflow was found in dnsmasq when DNSSEC is enabled, in code that runs before the received DNS records are validated. This flaw allows a remote attacker who can craft valid DNS responses to overflow heap-allocated memory. It is caused by a lack of length checks in rfc1035.c:extract_name(), which could be exploited to make memcpy() execute with a negative size in sort_rrset() and crash dnsmasq, resulting in a denial of service. The biggest threat from this vulnerability is to system availability.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-25684
CVE-Crit: LOW
CVE-DESC: A bug was discovered in dnsmasq before version 2.83. When receiving a response to a forwarded query, dnsmasq checks in forward.c:reply_query() whether the reply's destination address/port is used by any pending forwarded query. However, it does not use the address/port to identify the exact forwarded query, which greatly reduces the number of attempts an attacker on the network would have to make to spoof a response and have it accepted by dnsmasq. This contradicts RFC 5452, which specifies query attributes that must all be used to match a response. This flaw allows an attacker to perform a DNS cache poisoning attack. When chained with CVE-2020-25685 or CVE-2020-25686, the difficulty of a successful attack is reduced. The biggest threat from this vulnerability is to data integrity.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-25683
CVE-Crit: MEDIUM
CVE-DESC: A bug was discovered in dnsmasq before version 2.83. A heap-based buffer overflow was found in dnsmasq when DNSSEC is enabled, in code that runs before the received DNS records are validated. A remote attacker who can craft valid DNS responses could exploit this vulnerability to overflow heap-allocated memory. The flaw is caused by a lack of length checks in rfc1035.c:extract_name(), which could be exploited to make memcpy() execute with a negative size in get_rdata() and crash dnsmasq, resulting in a denial of service. The biggest threat from this vulnerability is to system availability.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-25682
CVE-Crit: HIGH
CVE-DESC: A bug was discovered in dnsmasq before version 2.83. A buffer overflow was found in the way dnsmasq extracts names from DNS packets before validating them against DNSSEC data. An attacker on the network who can craft valid DNS responses could exploit this vulnerability to overflow heap-allocated memory with arbitrary data, possibly executing code on the machine. The flaw lies in rfc1035.c:extract_name(), which writes data to the memory pointed to by its name argument, assuming MAXDNAME * 2 bytes are available in the buffer. However, on some code paths extract_name() is passed an offset into the base buffer, which in practice reduces the number of bytes that can safely be written. The greatest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-25681
CVE-Crit: HIGH
CVE-DESC: A bug was discovered in dnsmasq before version 2.83. A heap-based buffer overflow was found in the routine that sorts RRSets before validation against DNSSEC data. An attacker on the network who can forge DNS responses such that they are accepted as valid could exploit this vulnerability to overflow heap memory with arbitrary data, possibly executing code on the machine. The greatest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-3448
CVE-Crit: MEDIUM
CVE-DESC: A bug was discovered in dnsmasq in versions prior to 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port when forwarding queries. An attacker on the network who can discover the outgoing port used by dnsmasq need only guess the random transaction ID to spoof a response and have it accepted by dnsmasq. This flaw makes a DNS cache poisoning attack much easier. The biggest threat from this vulnerability is to data integrity.
CVE-STATUS: default
CVE-REV: default
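The four cache-poisoning entries above (CVE-2020-25684, CVE-2020-25685, CVE-2020-25686 and CVE-2021-3448) all describe a forwarder that ties a reply too loosely to the query it sent. The following is an added example, not code from this advisory or from dnsmasq: a small model of a forwarder's pending-query table that applies the RFC 5452 matching the descriptions refer to (transaction ID, our randomized source port, upstream address/port and the exact question must all agree), coalesces duplicate in-flight queries for the same name, and, for contrast, a deliberately weak matcher that compares only the ID and a CRC32 of the name. The class, method names and all addresses and names are constructed for the example.

```python
# Added example, not code from the ROSA advisory or from dnsmasq itself.
# Models a DNS forwarder's pending-query table and the reply-matching checks
# whose absence is described in CVE-2020-25684 (reply address/port not tied to
# the pending query), CVE-2020-25685 (name compared only through a weak hash),
# CVE-2020-25686 (duplicate in-flight queries for one name) and CVE-2021-3448
# (fixed outgoing port). All names, addresses and values are constructed.
from dataclasses import dataclass, field
import secrets
import zlib


@dataclass(frozen=True)
class Question:
    """Question section of a query, with the name in canonical form."""
    name: str
    qtype: int = 1    # A
    qclass: int = 1   # IN

    @staticmethod
    def make(name: str, qtype: int = 1, qclass: int = 1) -> "Question":
        return Question(name.lower().rstrip(".") + ".", qtype, qclass)


@dataclass
class PendingQuery:
    txid: int                   # 16-bit transaction ID chosen per forwarded query
    src_port: int               # randomized source port used for this query only
    upstream: tuple[str, int]   # (address, port) the query was sent to
    question: Question
    waiting_clients: list = field(default_factory=list)


class ForwarderTable:
    MAX_PENDING = 150  # default cap on outstanding forwarded queries (CVE-2020-25686)

    def __init__(self) -> None:
        self.pending: dict[tuple, PendingQuery] = {}
        self.by_question: dict[Question, PendingQuery] = {}

    def forward(self, client, question: Question, upstream: tuple[str, int]):
        """Register a forwarded query; returns (entry, newly_sent).

        An identical question already in flight is coalesced onto the existing
        entry instead of producing another outstanding query, so one name never
        has more than one guessable (ID, port) pair in flight.
        """
        existing = self.by_question.get(question)
        if existing is not None:
            existing.waiting_clients.append(client)
            return existing, False
        if len(self.pending) >= self.MAX_PENDING:
            raise RuntimeError("pending-query limit reached")
        txid = secrets.randbelow(1 << 16)
        src_port = 1024 + secrets.randbelow(65536 - 1024)  # fresh port per query
        entry = PendingQuery(txid, src_port, upstream, question, [client])
        self.pending[(txid, src_port, upstream)] = entry
        self.by_question[question] = entry
        return entry, True

    def match_reply(self, txid: int, dst_port: int, src: tuple[str, int],
                    question: Question):
        """RFC 5452 matching: ID, the port the reply arrived on, the sender's
        address/port and the exact question must all agree with one entry."""
        key = (txid, dst_port, src)
        entry = self.pending.get(key)
        if entry is None or entry.question != question:
            return None
        del self.pending[key]
        del self.by_question[question]
        return entry

    def weak_match_reply(self, txid: int, question: Question):
        """The weak scheme the CVEs describe, kept only for contrast: the
        sender's address/port are ignored and the name is compared through a
        CRC32, so any reply sharing the ID and hash is accepted."""
        want = zlib.crc32(question.name.encode())
        for entry in self.pending.values():
            if entry.txid == txid and zlib.crc32(entry.question.name.encode()) == want:
                return entry
        return None


if __name__ == "__main__":
    table = ForwarderTable()
    q = Question.make("Example.COM")
    entry, _ = table.forward("client-a", q, ("192.0.2.53", 53))
    table.forward("client-b", q, ("192.0.2.53", 53))      # coalesced, not re-sent
    print("in flight:", len(table.pending), "clients waiting:", len(entry.waiting_clients))
    # A reply with the right ID but from the wrong address passes the weak check
    # and is rejected by the strict one.
    print("weak:", table.weak_match_reply(entry.txid, q) is entry)
    print("strict:", table.match_reply(entry.txid, entry.src_port, ("198.51.100.9", 53), q))
```

The strict matcher deletes the entry on success, so a second reply for the same (ID, port, upstream) tuple is also rejected; the weak matcher leaves the table untouched. Source-port randomization per query is what CVE-2021-3448's fixed-port configuration lacks, and coalescing is what keeps an attacker from driving the number of in-flight queries for one name toward the 150-entry cap.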

Affected package:
OS: Cobalt
OS Version: any
Architecture: noarch
Package: dnsmasq
Package Version: < 2.76
Filename: UNKNOWN
