Bug 1851342 (CVE-2020-14312) - CVE-2020-14312 dnsmasq: insecure default configuration makes it an open resolver
Summary: CVE-2020-14312 dnsmasq: insecure default configuration makes it an open resolver
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-14312
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1857573 1857574 1857575 1857576 1857577 1851870 1851871 1852373 2258062
Blocks: 1845529
Reported: 2020-06-26 09:24 UTC by Riccardo Schirone
Modified: 2024-01-12 13:40 UTC
CC List: 17 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the default configuration of dnsmasq, as shipped with Fedora and Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems.
Clone Of:
Environment:
Last Closed: 2021-10-28 09:54:29 UTC
Embargoed:



Description Riccardo Schirone 2020-06-26 09:24:59 UTC
dnsmasq, as shipped with Fedora and Red Hat Enterprise Linux, has a default configuration that makes it listen on any interface and accept queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Users that enable dnsmasq on their system with its default configuration may inadvertently make it an open resolver accessible from any address on the internet, potentially being involved in Distributed Denial of Service (DDoS) attacks against a victim.

Comment 9 Nick Tait 2020-06-30 01:31:19 UTC
Mitigation:

To restrict the DNS server to queries coming from the local subnet, add `local-service` to your /etc/dnsmasq.conf file or in a file in /etc/dnsmasq.d. A firewall can be configured for additional protection against undesired traffic.
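
The following is an added example, not part of the bug report or of the dnsmasq project: a small POSIX sh check that tells whether a dnsmasq configuration actually has an active `local-service` line, scanning the main file plus any `*.conf` drop-ins in a directory such as /etc/dnsmasq.d. The sample configuration files it creates are constructed for the demonstration and only modelled on a shipped file that carries the directive commented out; the paths and the assumption that the drop-in directory is already read (`conf-dir=` set in the main file) are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): detect whether `local-service`
# is active in a dnsmasq configuration. dnsmasq.conf syntax is one option
# per line, with '#' starting a comment, so a commented-out `#local-service`
# must not count as enabled.
# Assumption: drop-in files in DROPIN_DIR are actually read by dnsmasq,
# i.e. the main file already carries a matching `conf-dir=` line.

# Usage: dnsmasq_has_local_service MAIN_CONF [DROPIN_DIR]
# Returns 0 if an uncommented `local-service` line is found, 1 otherwise.
dnsmasq_has_local_service() {
    main_conf="$1"
    dropin_dir="$2"
    set -- "$main_conf"
    if [ -n "$dropin_dir" ] && [ -d "$dropin_dir" ]; then
        for d in "$dropin_dir"/*.conf; do
            if [ -f "$d" ]; then
                set -- "$@" "$d"
            fi
        done
    fi
    for f in "$@"; do
        [ -f "$f" ] || continue
        # Strip comments first, then look for the bare directive on its own line.
        if sed 's/#.*//' "$f" | grep -Eq '^[[:space:]]*local-service[[:space:]]*$'; then
            return 0
        fi
    done
    return 1
}

# Constructed sample configurations (not the package defaults).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/default.d" "$SAMPLE_DIR/hardened.d"

# "Default"-style file: the directive is present but commented out, so the
# server still answers queries from any address it can be reached on.
cat > "$SAMPLE_DIR/default.conf" <<'EOF'
# Sample dnsmasq.conf (constructed for the example)
#local-service
domain-needed
bogus-priv
EOF

# "Hardened" variant: same main file, plus the mitigation from the bug report
# placed in a drop-in file, as /etc/dnsmasq.d would hold it.
cp "$SAMPLE_DIR/default.conf" "$SAMPLE_DIR/hardened.conf"
printf 'local-service\n' > "$SAMPLE_DIR/hardened.d/local-service.conf"

# Human-readable verdict for one configuration.
report() {
    if dnsmasq_has_local_service "$1" "$2"; then
        echo "$1: local-service enabled (queries accepted only from local subnets)"
    else
        echo "$1: local-service NOT enabled; add it to the main file or to a drop-in"
    fi
}

report "$SAMPLE_DIR/default.conf" "$SAMPLE_DIR/default.d"
report "$SAMPLE_DIR/hardened.conf" "$SAMPLE_DIR/hardened.d"
```

Two caveats when using this on a real host. First, the dnsmasq manual states that `local-service` only takes effect when no `interface`, `except-interface`, `listen-address` or `auth-server` options are configured, so a configuration that sets those needs its own per-interface restrictions rather than relying on this directive. Second, the check only inspects files; it says nothing about whether a host firewall (the additional protection mentioned above) is blocking port 53, so the two should be reviewed together.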

Comment 10 Riccardo Schirone 2020-06-30 09:31:37 UTC
Acknowledgments:

Name: bdrpc

Comment 11 Riccardo Schirone 2020-06-30 09:53:57 UTC
Created dnsmasq tracking bugs for this issue:

Affects: fedora-all [bug 1852373]

Comment 12 Summer Long 2020-07-05 21:23:40 UTC
Statement:

Even though Red Hat Enterprise Linux 8 and Fedora do not ship a secure default, they have firewalld service enabled by default, which denies incoming DNS queries, preventing this potential attack vector.

In Red Hat OpenStack Platform 13, the dnsmasq package is pulled directly from the RHEL channel and not the RHOSP channel. RHOSP is therefore unaffected, but please ensure that the underlying Red Hat Enterprise Linux dnsmasq package is current.

Comment 14 Riccardo Schirone 2020-07-29 07:36:58 UTC
So far this issue has been fixed in dnsmasq-2.81-4.fc32 and dnsmasq-2.80-16.fc31.

