First published: Tue Oct 20 2020
A flaw was found in dnsmasq before version 2.83. When a reply to a forwarded query arrives, dnsmasq looks up the outstanding query that the reply belongs to in forward.c:reply_query() using only a weak hash of the query name: CRC32 when dnsmasq is compiled without DNSSEC support, SHA-1 when it is compiled with it. Because the hash is weak, an off-path attacker can find several different domain names that share the same hash, substantially reducing the number of attempts needed to forge a reply that dnsmasq accepts. This contradicts RFC 5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. The flaw can be abused to perform a DNS cache poisoning attack, and chaining it with CVE-2020-25684 further reduces the complexity of a successful attack. The highest threat from this vulnerability is to data integrity.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
debian/dnsmasq | 2.80-1+deb10u1 2.85-1 2.89-1 | |
Thekelleys Dnsmasq | <2.83 | |
Fedoraproject Fedora | =32 | |
Fedoraproject Fedora | =33 | |
Debian Debian Linux | =10.0 | |
Arista EOS | >=4.21<4.21.14m | |
Arista EOS | >=4.22<4.22.9m | |
Arista EOS | >=4.23<4.23.7m | |
Arista EOS | >=4.24<4.24.5m | |
Arista EOS | >=4.25<4.25.2f | |
redhat/dnsmasq | <2.83 | 2.83 |
CVE-2020-25685 is a vulnerability in dnsmasq before version 2.83 in which replies to forwarded queries are matched to the outstanding query using only a weak hash of the query name, letting an off-path attacker forge replies that dnsmasq accepts.
CVE-2020-25685 allows attackers to exploit a weak hash function in dnsmasq, potentially leading to DNS cache poisoning.
Versions of dnsmasq older than 2.83 are affected by CVE-2020-25685.
CVE-2020-25685 has a CVSS base score of 3.7, which falls in the Low band of the CVSS v3 scale; the practical risk is higher when it is chained with CVE-2020-25684, which lowers the complexity of a cache poisoning attack.
To mitigate CVE-2020-25685, update dnsmasq to version 2.83 or later.