Bug 1851342 (CVE-2020-14312)

Summary: CVE-2020-14312 dnsmasq: insecure default configuration makes it an open resolver
Product: [Other] Security Response Reporter: Riccardo Schirone <rschiron>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aegorenk, code, dominik.mierzejewski, dougsland, itamar, jima, jjoyce, jschluet, laine, lhh, lpeer, mburns, pemensik, sclewis, security-response-team, slinaber, veillard
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the default configuration of dnsmasq, as shipped with Fedora and Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 09:54:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1851870, 1851871, 1852373, 1857573, 1857574, 1857575, 1857576, 1857577, 2258062    
Bug Blocks: 1845529    

Description Riccardo Schirone 2020-06-26 09:24:59 UTC 
dnsmasq, as shipped with Fedora and Red Hat Enterprise Linux, has a default configuration that makes it listen on any interface and accept queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Users that enable dnsmasq on their system with its default configuration may inadvertently make it an open resolver accessible from any address on the internet, potentially being involved in Distributed Denial of Service (DDoS) attacks against a victim.
Comment 9 Nick Tait 2020-06-30 01:31:19 UTC 
Mitigation:

To restrict the DNS server to queries coming from the local subnet, add `local-service` to your /etc/dnsmasq.conf file or in a file in /etc/dnsmasq.d. A firewall can be configured for additional protection against undesired traffic.
Comment 10 Riccardo Schirone 2020-06-30 09:31:37 UTC 
Acknowledgments:

Name: bdrpc
Comment 11 Riccardo Schirone 2020-06-30 09:53:57 UTC 
Created dnsmasq tracking bugs for this issue:

Affects: fedora-all [bug 1852373]
Comment 12 Summer Long 2020-07-05 21:23:40 UTC 
Statement:

Even though Red Hat Enterprise Linux 8 and Fedora do not ship a secure default, they have firewalld service enabled by default, which denies incoming DNS queries, preventing this potential attack vector.

In Red Hat OpenStack Platform 13, the dnsmasq package is pulled directly from the RHEL channel and not the RHOSP channel. RHOSP is therefore unaffected, but please ensure that the underlying Red Hat Enterprise Linux dnsmasq package is current.
Comment 14 Riccardo Schirone 2020-07-29 07:36:58 UTC 
So far this issue has been fixed in dnsmasq-2.81-4.fc32 and dnsmasq-2.80-16.fc31 .