Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1882014 (CVE-2020-25682)

Summary: CVE-2020-25682 dnsmasq: buffer overflow in extract_name() due to missing length check when DNSSEC is enabled
Product: [Other] Security Response Reporter: Riccardo Schirone <rschiron>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aegorenk, code, dbecker, dns-sig, dougsland, itamar, jima, jjoyce, jschluet, jsvoboda, laine, lhh, lpeer, mburns, pemensik, sclewis, security-response-team, slinaber, veillard
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dnsmasq 2.83 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in dnsmasq. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-01-19 17:59:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1896024, 1896026, 1896027, 1896028, 1917782, 1917788    
Bug Blocks:    

Description Riccardo Schirone 2020-09-23 15:24:28 UTC
A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in rfc1035.c:extract_name() function, which writes data to the memory pointed by `name` assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths it is possible extract_name() gets passed an offset from the base buffer, thus reducing in practice the number of available bytes that can be written in the buffer.

Comment 6 Riccardo Schirone 2020-11-04 13:50:03 UTC
To trigger the flaw, dnsmasq has to be compiled with HAVE_DNSSEC flag and DNSSEC has to be enabled (e.g. with --dnssec option). Moreover, the attacker shall either control a DNS server used in the domain name resolution process or be able to inject packets on the network in such a way to trick dnsmasq into accepting them (e.g. guessing the ID, random port used, etc.). To be involved in the domain name resolution process, an attacker could trick a victim which uses dnsmasq into accessing some resources on a controlled domain, e.g. trick the user to visit a website or open an email. If the dnsmasq service is an Open Resolver (it accepts requests from the whole Internet) or the attacker is on the internal network covered by dnsmasq, the attack can be performed at will by the attacker, without requiring any other user interaction.

Comment 18 Riccardo Schirone 2021-01-19 11:30:12 UTC
Acknowledgments:

Name: Moshe Kol (JSOF), Shlomi Oberman (JSOF)

Comment 19 Riccardo Schirone 2021-01-19 11:30:15 UTC
Statement:

This issue does not affect the versions of dnsmasq as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they are not compiled with DNSSEC support.

Comment 20 Riccardo Schirone 2021-01-19 11:30:19 UTC
External References:

https://www.jsof-tech.com/disclosures/dnspooq/

Comment 21 Riccardo Schirone 2021-01-19 11:30:22 UTC
Mitigation:

The only known way to mitigate this flaw is to disable DNSSEC altogether, by removing the `--dnssec` command line option or the `dnssec` option from dnsmasq configuration file.

Comment 22 Riccardo Schirone 2021-01-19 11:56:26 UTC
Created dnsmasq tracking bugs for this issue:

Affects: fedora-all [bug 1917782]

Comment 24 errata-xmlrpc 2021-01-19 13:11:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0152 https://access.redhat.com/errata/RHSA-2021:0152

Comment 25 errata-xmlrpc 2021-01-19 13:16:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0150 https://access.redhat.com/errata/RHSA-2021:0150

Comment 27 errata-xmlrpc 2021-01-19 13:34:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0151 https://access.redhat.com/errata/RHSA-2021:0151

Comment 28 Product Security DevOps Team 2021-01-19 17:59:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25682