Bug 1881875 (CVE-2020-25681) - CVE-2020-25681 dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSEC is enabled
Summary: CVE-2020-25681 dnsmasq: heap-based buffer overflow in sort_rrset() when DNSSE...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25681
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1890154 1890155 1890156 1890157 1896021 1896022 1896023 1896025 1917781 1917786
Blocks: 1875522 1892795
TreeView+ depends on / blocked
 
Reported: 2020-09-23 09:39 UTC by Riccardo Schirone
Modified: 2021-02-16 19:12 UTC (History)
27 users (show)

Fixed In Version: dnsmasq 2.83
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-01-19 17:59:06 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:0199 0 None None None 2021-01-20 18:19:02 UTC
Red Hat Product Errata RHSA-2021:0150 0 None None None 2021-01-19 13:16:40 UTC
Red Hat Product Errata RHSA-2021:0151 0 None None None 2021-01-19 13:34:10 UTC
Red Hat Product Errata RHSA-2021:0152 0 None None None 2021-01-19 13:11:42 UTC

Description Riccardo Schirone 2020-09-23 09:39:17 UTC
An heap-based buffer overflow was discovered in dnsmasq in the way it sorts RRSets before validating them with DNSSEC data. An attacker, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine.

Comment 1 Riccardo Schirone 2020-09-23 09:54:15 UTC
To trigger the flaw, dnsmasq has to be compiled with HAVE_DNSSEC flag and DNSSEC has to be enabled (e.g. with --dnssec option). Moreover, the attacker shall either control a DNS server used in the domain name resolution process or be able to inject packets on the network in such a way to trick dnsmasq into accepting them (e.g. guessing the ID, random port used, etc.). To be involved in the domain name resolution process, an attacker could trick a victim which uses dnsmasq into accessing some resources on a controlled domain, e.g. trick the user to visit a website or open an email.

Comment 3 Riccardo Schirone 2020-09-23 10:01:59 UTC
The flaw lies in dnssec.c:sort_rrset() and it can be triggered in two ways though the issue is the same. Function sort_rrset() works indeed on two buffers, buff1 and buff2, and it does almost the same operation on both, thus it is possible to trigger the flaw on one or the other buffer.

When get_rdata() returns 0, a `memcpy (buffX + leftX, pX, lenX)` is performed, where X could be 1 or 2, based on the buffer it is working on. However `lenX` is computed based on `endX`, which is directly under the attacker control as it comes from RDLENGTH field of the DNS reply. By providing specially crafted DNS replies, an attacker can overflow buff1 or buff2 with arbitrary data.

Comment 5 lnacshon 2020-10-21 14:31:59 UTC
According to OSD 3 architecture dnsmasq is automatically configured on all masters and nodes. The pods use the nodes as their DNS, and the nodes forward the requests. And not seems to be a part of RHEL 7. 
Seems that all OSD 3 services may be affected by this dnsmasq.

Comment 8 lnacshon 2020-10-21 18:23:44 UTC
OSDv4 uses the dns operator (which uses CoreDNS) instead of dnsmasq, so its not affected

Comment 23 Summer Long 2020-11-30 02:03:59 UTC
Statement:

This issue does not affect the versions of dnsmasq as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they are not compiled with DNSSEC support.

Comment 26 Eric Christensen 2021-01-14 19:38:15 UTC
Mitigation:

The only known way to mitigate this flaw is to disable DNSSEC altogether, by removing the `--dnssec` command line option or the `dnssec` option from dnsmasq configuration file.

Comment 27 Riccardo Schirone 2021-01-15 17:12:22 UTC
Acknowledgments:

Name: Moshe Kol (JSOF), Shlomi Oberman (JSOF)

Comment 28 Riccardo Schirone 2021-01-19 11:23:07 UTC
External References:

https://www.jsof-tech.com/disclosures/dnspooq/

Comment 29 Riccardo Schirone 2021-01-19 11:56:28 UTC
Created dnsmasq tracking bugs for this issue:

Affects: fedora-all [bug 1917781]

Comment 31 errata-xmlrpc 2021-01-19 13:12:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0152 https://access.redhat.com/errata/RHSA-2021:0152

Comment 32 errata-xmlrpc 2021-01-19 13:16:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0150 https://access.redhat.com/errata/RHSA-2021:0150

Comment 34 errata-xmlrpc 2021-01-19 13:34:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0151 https://access.redhat.com/errata/RHSA-2021:0151

Comment 35 Product Security DevOps Team 2021-01-19 17:59:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25681


Note You need to log in before you can comment on or make changes to this bug.