Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1891568 (CVE-2020-25687)
Summary: | CVE-2020-25687 dnsmasq: heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Riccardo Schirone <rschiron> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aegorenk, code, dbecker, dns-sig, dougsland, itamar, jima, jjoyce, jschluet, jsvoboda, laine, lhh, lpeer, mburns, pemensik, sclewis, security-response-team, slinaber, veillard |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | dnsmasq 2.83 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-01-19 17:59:34 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1896033, 1896034, 1896035, 1896036, 1917790, 1917796 | ||
Bug Blocks: |
Description
Riccardo Schirone
2020-10-26 16:25:41 UTC
To trigger the flaw, dnsmasq has to be compiled with HAVE_DNSSEC flag and DNSSEC has to be enabled (e.g. with --dnssec option). Moreover, the attacker shall either control a DNS server used in the domain name resolution process or be able to inject packets on the network in such a way to trick dnsmasq into accepting them (e.g. guessing the ID, random port used, etc.). To be involved in the domain name resolution process, an attacker could trick a victim which uses dnsmasq into accessing some resources on a controlled domain, e.g. trick the user to visit a website or open an email. If the dnsmasq service is an Open Resolver (it accepts requests from the whole Internet) or the attacker is on the internal network covered by dnsmasq, the attack can be performed at will by the attacker, without requiring any other user interaction. Acknowledgments: Name: Moshe Kol (JSOF), Shlomi Oberman (JSOF) Statement: This issue does not affect the versions of dnsmasq as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they are not compiled with DNSSEC support. External References: https://www.jsof-tech.com/disclosures/dnspooq/ Mitigation: The only known way to mitigate this flaw is to disable DNSSEC altogether, by removing the `--dnssec` command line option or the `dnssec` option from dnsmasq configuration file. Created dnsmasq tracking bugs for this issue: Affects: fedora-all [bug 1917796] This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:0152 https://access.redhat.com/errata/RHSA-2021:0152 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0150 https://access.redhat.com/errata/RHSA-2021:0150 Upstream patch: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:0151 https://access.redhat.com/errata/RHSA-2021:0151 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25687 |