CVE-2020-25685: Weak Encryption
First published: Tue Oct 20 2020(Updated: )
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/dnsmasq | 2.80-1+deb10u1 2.85-1 2.89-1 | |
| Thekelleys Dnsmasq | <2.83 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Debian Debian Linux | =10.0 | |
| Arista EOS | >=4.21<4.21.14m | |
| Arista EOS | >=4.22<4.22.9m | |
| Arista EOS | >=4.23<4.23.7m | |
| Arista EOS | >=4.24<4.24.5m | |
| Arista EOS | >=4.25<4.25.2f | |
| redhat/dnsmasq | <2.83 | 2.83 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.openwall.com/lists/oss-security/2021/01/19/1
- https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2d765867c597db18be9d876c9c17e2c0fe1953cd
- https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b
- https://security-tracker.debian.org/tracker/CVE-2020-25685
- https://bugzilla.redhat.com/show_bug.cgi?id=1889688
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGB7HL3OWHTLEPSMLDGOMXQKG3KM2QME/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYW3IR6APUSKOYKL5FT3ACTIHWHGQY32/
- https://security.gentoo.org/glsa/202101-17
- https://www.arista.com/en/support/advisories-notices/security-advisories/12135-security-advisory-61
- https://www.debian.org/security/2021/dsa-4844
- https://www.jsof-tech.com/disclosures/dnspooq/
- https://libvirt.org/formatnetwork.html#elementsNamespaces
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1917785
- https://access.redhat.com/errata/RHSA-2021:0152
- https://access.redhat.com/errata/RHSA-2021:0150
- http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2d765867c597db18be9d876c9c17e2c0fe1953cd
- http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b
- https://access.redhat.com/errata/RHSA-2021:0151
- https://access.redhat.com/errata/RHSA-2021:0156
- https://access.redhat.com/errata/RHSA-2021:0153
- https://access.redhat.com/errata/RHSA-2021:0154
- https://access.redhat.com/errata/RHSA-2021:0155
- https://access.redhat.com/security/cve/cve-2020-25685
- https://access.redhat.com/errata/RHSA-2021:0240
- https://access.redhat.com/errata/RHSA-2021:0245
- https://access.redhat.com/errata/RHSA-2021:0395
- https://access.redhat.com/errata/RHSA-2021:0401
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYW3IR6APUSKOYKL5FT3ACTIHWHGQY32/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGB7HL3OWHTLEPSMLDGOMXQKG3KM2QME/
Frequently Asked Questions
What is CVE-2020-25685?
CVE-2020-25685 is a vulnerability in dnsmasq before version 2.83 that allows remote attackers to bypass DNSSEC validation.
How does CVE-2020-25685 impact dnsmasq?
CVE-2020-25685 allows attackers to exploit a weak hash function in dnsmasq, potentially leading to DNS cache poisoning.
Which versions of dnsmasq are affected by CVE-2020-25685?
Versions of dnsmasq older than 2.83 are affected by CVE-2020-25685.
What is the severity of CVE-2020-25685?
CVE-2020-25685 has a severity rating of medium, with a CVSS score of 3.7.
How can I mitigate CVE-2020-25685?
To mitigate CVE-2020-25685, update dnsmasq to version 2.83 or later.
- collector/security-tracker-debian
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-25685
- agent/software-canonical-lookup
- agent/references
- agent/weakness
- agent/author
- agent/remedy
- agent/severity
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/thekelleys
- canonical/thekelleys dnsmasq
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- vendor/arista
- canonical/arista eos
- version/arista eos/4.21
- version/arista eos/4.22
- version/arista eos/4.23
- version/arista eos/4.24
- version/arista eos/4.25
- package-manager/redhat