1882018 – (CVE-2020-25683) CVE-2020-25683 dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled

Bug 1882018 (CVE-2020-25683) - CVE-2020-25683 dnsmasq: heap-based buffer overflow with large memcpy in get_rdata() when DNSSEC is enabled

Summary: CVE-2020-25683 dnsmasq: heap-based buffer overflow with large memcpy in get_r...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-25683
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1896029 1896030 1896031 1896032 1917783 1917789
Blocks:	1875522
TreeView+	depends on / blocked

Reported:	2020-09-23 15:34 UTC by Riccardo Schirone
Modified:	2022-04-17 21:01 UTC (History)
CC List:	19 users (show)
Fixed In Version:	dnsmasq 2.83
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:	2021-01-19 17:59:16 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2021:0199	None	None	None	2021-01-20 18:19:06 UTC
Red Hat Product Errata	RHSA-2021:0150	None	None	None	2021-01-19 13:16:41 UTC
Red Hat Product Errata	RHSA-2021:0151	None	None	None	2021-01-19 13:34:15 UTC
Red Hat Product Errata	RHSA-2021:0152	None	None	None	2021-01-19 13:11:43 UTC

Description Riccardo Schirone 2020-09-23 15:34:33 UTC

An heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq.

Comment 6 Riccardo Schirone 2020-11-04 13:50:16 UTC

To trigger the flaw, dnsmasq has to be compiled with HAVE_DNSSEC flag and DNSSEC has to be enabled (e.g. with --dnssec option). Moreover, the attacker shall either control a DNS server used in the domain name resolution process or be able to inject packets on the network in such a way to trick dnsmasq into accepting them (e.g. guessing the ID, random port used, etc.). To be involved in the domain name resolution process, an attacker could trick a victim which uses dnsmasq into accessing some resources on a controlled domain, e.g. trick the user to visit a website or open an email. If the dnsmasq service is an Open Resolver (it accepts requests from the whole Internet) or the attacker is on the internal network covered by dnsmasq, the attack can be performed at will by the attacker, without requiring any other user interaction.

Comment 17 Riccardo Schirone 2021-01-19 11:31:26 UTC

Acknowledgments:

Name: Moshe Kol (JSOF), Shlomi Oberman (JSOF)

Comment 18 Riccardo Schirone 2021-01-19 11:31:29 UTC

Statement:

This issue does not affect the versions of dnsmasq as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they are not compiled with DNSSEC support.

Comment 19 Riccardo Schirone 2021-01-19 11:31:32 UTC

External References:

https://www.jsof-tech.com/disclosures/dnspooq/

Comment 20 Riccardo Schirone 2021-01-19 11:31:36 UTC

Mitigation:

The only known way to mitigate this flaw is to disable DNSSEC altogether, by removing the `--dnssec` command line option or the `dnssec` option from dnsmasq configuration file.

Comment 21 Riccardo Schirone 2021-01-19 11:56:32 UTC

Created dnsmasq tracking bugs for this issue:

Affects: fedora-all [bug 1917783]

Comment 23 errata-xmlrpc 2021-01-19 13:11:39 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0152 https://access.redhat.com/errata/RHSA-2021:0152

Comment 24 errata-xmlrpc 2021-01-19 13:16:39 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0150 https://access.redhat.com/errata/RHSA-2021:0150

Comment 25 Riccardo Schirone 2021-01-19 13:22:20 UTC

Upstream patch:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a

Comment 26 errata-xmlrpc 2021-01-19 13:34:51 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0151 https://access.redhat.com/errata/RHSA-2021:0151

Comment 27 Product Security DevOps Team 2021-01-19 17:59:16 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25683

Note You need to log in before you can comment on or make changes to this bug.