Message-ID: <20210119123049.GB228699@fedorawork>
Date: Tue, 19 Jan 2021 13:30:49 +0100
From: Riccardo Schirone <rschiron@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Multiple CVEs in dnsmasq fixed in version 2.83

Hi,

Multiple issues were discovered in dnsmasq versions up to and including 2.82 by
Moshe Kol (JSOF) and Shlomi Oberman (JSOF). It is recommended that you apply
the latest update, bringing your version of the software to 2.83.

Upstream release:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html
https://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.83.tar.gz

Reference:
https://www.jsof-tech.com/disclosures/dnspooq/



CVE-2020-25681
A heap-based buffer overflow was discovered in dnsmasq in the way it sorts
RRSets before validating them with DNSSEC data. An attacker on the network,
who can forge DNS replies such that they are accepted as valid, could use this
flaw to overflow heap-allocated memory with arbitrary data, possibly executing
code on the machine.

Relevant patches:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a

CVE-2020-25682
A buffer overflow vulnerability was discovered in the way dnsmasq extracts
names from DNS packets before validating them with DNSSEC data. An attacker on
the network, who can create valid DNS replies, could use this flaw to overflow
heap-allocated memory with arbitrary data, possibly executing code on the
machine. The flaw is in the rfc1035.c:extract_name() function, which writes
data to the memory pointed to by name, assuming MAXDNAME*2 bytes are available
in the buffer. However, in some code paths extract_name() is passed an offset
into the base buffer, which in practice reduces the number of bytes that can
safely be written to it.

Relevant patches:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a

CVE-2020-25683
A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled
and before it validates the received DNS entries. A remote attacker, who can
create valid DNS replies, could use this flaw to cause an overflow in
heap-allocated memory. This flaw is caused by the lack of length checks in
rfc1035.c:extract_name(), which could be abused to make the code execute
memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq,
resulting in a Denial of Service.

Relevant patches:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a

CVE-2020-25684
A flaw was found in the handling of replies to forwarded queries: in
forward.c:reply_query(), dnsmasq checks whether the reply's source
address/port is used by a pending forwarded query, but it does not use the
address/port to retrieve the exact forwarded query, substantially reducing the
number of attempts an attacker on the network would have to perform to forge a
reply and get it accepted by dnsmasq. This contrasts with RFC5452, which
specifies the attributes of a query that must all be used to match a reply.
This flaw allows an attacker to perform a DNS Cache Poisoning attack. If
chained with CVE-2020-25685 or CVE-2020-25686, the complexity of a successful
attack is reduced.

Relevant patches:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=257ac0c5f7732cbc6aa96fdd3b06602234593aca

CVE-2020-25685
When getting a reply to a forwarded query, dnsmasq determines in
forward.c:reply_query() which forwarded query matches the reply by using only
a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is
compiled without DNSSEC, SHA-1 when it is), an off-path attacker can find
several different domains that all have the same hash, substantially reducing
the number of attempts they would have to perform to forge a reply and get it
accepted by dnsmasq. This is in contrast with RFC5452, which specifies that
the query name is one of the attributes of a query that must be used to match
a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If
chained with CVE-2020-25684, the complexity of a successful attack is reduced.

Relevant patches:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2d765867c597db18be9d876c9c17e2c0fe1953cd
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b

CVE-2020-25686
A flaw was found in the handling of incoming queries: dnsmasq does not check
whether a request for the same name is already pending and forwards a new
request regardless. By default, a maximum of 150 pending queries can be sent
to upstream servers, so there can be up to 150 outstanding queries for the
same name. This flaw allows an off-path attacker on the network to
substantially reduce the number of attempts that would have to be performed to
forge a reply and have it accepted by dnsmasq. This issue is described in the
"Birthday Attacks" section of RFC5452. If chained with CVE-2020-25684, the
complexity of a successful attack is reduced.

Relevant patches:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=15b60ddf935a531269bb8c68198de012a4967156
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914
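The three reply-matching issues above (CVE-2020-25684, CVE-2020-25685 and
CVE-2020-25686) come down to one table of forwarded queries. The following is
an added example, not dnsmasq code: a small model of that table in which a
query for an already-pending question joins the existing slot instead of being
forwarded again, and a reply is accepted only when source address, source
port, transaction ID and the full question all match one slot, as RFC 5452
requires. All names here (struct pending, forward_or_join, match_reply) are
hypothetical; only the 150-slot default comes from the advisory.

```c
#include <stdint.h>
#include <strings.h>

#define MAX_PENDING 150   /* dnsmasq's default limit on forwarded queries */

struct question { char name[256]; uint16_t qtype, qclass; };

/* A forwarded query and the attributes a reply must reproduce (RFC 5452). */
struct pending { int in_use; uint16_t id, upstream_port; uint32_t upstream_ip;
                 struct question q; };

/* Names compare case-insensitively; type and class must match exactly. */
static int same_question(const struct question *a, const struct question *b)
{
    return a->qtype == b->qtype && a->qclass == b->qclass &&
           strcasecmp(a->name, b->name) == 0;
}

/* Register a query to forward. If the same question is already pending, the
 * caller joins that slot and nothing new goes upstream, so at most one query
 * per name is outstanding (the CVE-2020-25686 fix). Returns the slot index,
 * or -1 when all MAX_PENDING slots are busy. */
int forward_or_join(struct pending *tbl, const struct question *q,
                    uint16_t id, uint32_t ip, uint16_t port)
{
    int free_slot = -1;
    for (int i = 0; i < MAX_PENDING; i++) {
        if (tbl[i].in_use && same_question(&tbl[i].q, q))
            return i;                       /* join the existing query */
        if (!tbl[i].in_use && free_slot < 0)
            free_slot = i;
    }
    if (free_slot < 0) return -1;
    tbl[free_slot] = (struct pending){ 1, id, port, ip, *q };
    return free_slot;
}

/* Accept a reply only if source address, source port, transaction ID and the
 * full question all match one pending slot; a hash of the name alone is not
 * enough (CVE-2020-25684/25685). Returns the slot index and frees it, or -1
 * when the reply must be dropped. */
int match_reply(struct pending *tbl, uint32_t src_ip, uint16_t src_port,
                uint16_t id, const struct question *q)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        struct pending *p = &tbl[i];
        if (p->in_use && p->id == id && p->upstream_ip == src_ip &&
            p->upstream_port == src_port && same_question(&p->q, q)) {
            p->in_use = 0;
            return i;
        }
    }
    return -1;
}
```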

CVE-2020-25687
A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled
and before it validates the received DNS entries. A remote attacker, who can
create valid DNS replies, could use this flaw to cause an overflow in
heap-allocated memory. This flaw is caused by the lack of length checks in
rfc1035.c:extract_name(), which could be abused to make the code execute
memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq,
resulting in a Denial of Service.

Relevant patches:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a
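The extract_name() issues above (CVE-2020-25682, CVE-2020-25683 and
CVE-2020-25687) share one root cause: the writer assumed a fixed amount of
room in the destination instead of being told how much was really left. The
following is an added example, not dnsmasq code: a name extractor that takes
the destination capacity explicitly, checks every write against it, and a
caller-side wrapper that derives that capacity from the offset into the larger
buffer. Function names (extract_name_bounded, extract_name_at_offset) and the
sample packet are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Copies the DNS name at pkt[*pos] into name[] as dotted text, writing at
 * most cap bytes including the NUL. Follows RFC 1035 compression pointers
 * with a hop limit. Returns the name length, or -1 on malformed input or
 * when the name would not fit (nothing past cap is ever written). */
int extract_name_bounded(const uint8_t *pkt, size_t pktlen, size_t *pos,
                         char *name, size_t cap)
{
    size_t p = *pos, out = 0;
    int jumped = 0, hops = 0;
    if (cap == 0) return -1;
    for (;;) {
        if (p >= pktlen) return -1;
        uint8_t len = pkt[p];
        if ((len & 0xC0) == 0xC0) {            /* compression pointer */
            if (p + 1 >= pktlen || ++hops > 16)
                return -1;                     /* truncated or pointer loop */
            if (!jumped) *pos = p + 2;         /* parser resumes after pointer */
            jumped = 1;
            p = ((size_t)(len & 0x3F) << 8) | pkt[p + 1];
            continue;
        }
        if (len > 63) return -1;               /* reserved label type */
        p++;
        if (len == 0) break;                   /* root label ends the name */
        if (p + len > pktlen) return -1;       /* label runs past the packet */
        size_t need = len + (out > 0 ? 1 : 0); /* label plus separating dot */
        if (out + need + 1 > cap) return -1;   /* would overflow: refuse */
        if (out > 0) name[out++] = '.';
        memcpy(name + out, pkt + p, len);
        out += len;
        p += len;
    }
    name[out] = '\0';
    if (!jumped) *pos = p;
    return (int)out;
}

/* The caller-side accounting that was missing: when the destination is an
 * offset into a larger buffer, only the bytes past the offset are available,
 * not the buffer's full size. */
int extract_name_at_offset(const uint8_t *pkt, size_t pktlen, size_t *pos,
                           char *buf, size_t bufsize, size_t offset)
{
    if (offset >= bufsize) return -1;
    return extract_name_bounded(pkt, pktlen, pos, buf + offset, bufsize - offset);
}
```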


Thanks,
-- 
Riccardo Schirone
Red Hat -- Product Security
Email: rschiron@...hat.com
PGP-Key ID: CF96E110
