Arch Linux Security Advisory ASA-202101-38
==========================================

Severity: High
Date    : 2021-01-20
CVE-ID  : CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684
          CVE-2020-25685 CVE-2020-25686 CVE-2020-25687
Package : dnsmasq
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1470

Summary
=======

The package dnsmasq before version 2.83-1 is vulnerable to multiple
issues including arbitrary code execution, denial of service and
insufficient validation.

Resolution
==========

Upgrade to 2.83-1.

# pacman -Syu "dnsmasq>=2.83-1"

The problems have been fixed upstream in version 2.83.

Workaround
==========

None.

Description
===========

- CVE-2020-25681 (arbitrary code execution)

A heap-based buffer overflow was discovered in dnsmasq before version
2.83 in the way it sorts RRSets before validating them with DNSSEC
data. An attacker on the network, who can forge DNS replies such as
that they are accepted as valid, could use this flaw to cause an
overflow with arbitrary data in a heap-allocated memory, possibly
executing code on the machine.

- CVE-2020-25682 (arbitrary code execution)

A buffer overflow vulnerability was discovered in the way dnsmasq
before version 2.83 extract names from DNS packets before validating
them with DNSSEC data. An attacker on the network, who can create valid
DNS replies, could use this flaw to cause an overflow with arbitrary
data in a heap-allocated memory, possibly executing code on the
machine. The flaw is in rfc1035.c:extract_name() function, which writes
data to the memory pointed by name assuming MAXDNAME*2 bytes are
available in the buffer. However, in some code execution paths it is
possible extract_name() gets passed an offset from the base buffer,
thus reducing in practice the number of available bytes that can be
written in the buffer.

- CVE-2020-25683 (denial of service)

A heap-based buffer overflow was discovered in dnsmasq before version
2.83 when DNSSEC is enabled and before it validates the received DNS
entries. A remote attacker, who can create valid DNS replies, could use
this flaw to cause an overflow in a heap-allocated memory. This flaw is
caused by the lack of length checks in rtc1035.c:extract_name(), which
could be abused to make the code execute memcpy() with a negative size
in get_rdata() and cause a crash in dnsmasq, resulting in a Denial of
Service.

- CVE-2020-25684 (insufficient validation)

A flaw was found when getting a reply from a forwarded query, where
dnsmasq before version 2.83 checks in forward.c:reply_query() if the
reply destination address/port is used by the pending forwarded
queries. However, it does not use the address/port to retrieve the
exact forwarded query, substantially reducing the number of attempts an
attacker on the network would have to perform to forge a reply and get
it accepted by dnsmasq. This issue contrasts with RFC5452, which
specifies a query's attributes that all must be used to match a reply.
This flaw allows an attacker to perform a DNS Cache Poisoning attack.
If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity
of a successful attack is reduced.

- CVE-2020-25685 (insufficient validation)

When getting a reply from a forwarded query, dnsmasq before version
2.83 checks in forward.c:reply_query() which one is the forwarded query
that matches the reply by only using a weak hash of the query name. Due
to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1
when it is) an off-path attacker can find several different domains all
having the same hash, substantially reducing the number of attempts he
would have to perform to forge a reply and get it accepted by dnsmasq.
This is in contrast with RFC5452, which specifies that query name is
one of the attributes of a query that must be used to match a reply.
This flaw could be abused to perform a DNS Cache Poisoning attack. If
chained with CVE-2020-25684 the attack complexity of a successful
attack is reduced.

- CVE-2020-25686 (insufficient validation)

A flaw was found when receiving a query, where dnsmasq before version
2.83 does not check for an existing pending request for the same name
and forwards a new request. By default, a maximum of 150 pending
queries can be sent to upstream servers, so there can be at most 150
queries for the same name. This flaw allows an off-path attacker on the
network to substantially reduce the number of attempts that would have
to be performed to forge a reply and have it accepted by dnsmasq. This
issue is mentioned in the "Birthday Attacks" section of RFC5452. If
chained with CVE-2020-25684, the attack complexity of a successful
attack is reduced.

- CVE-2020-25687 (denial of service)

A heap-based buffer overflow was discovered in dnsmasq before version
2.83 when DNSSEC is enabled and before it validates the received DNS
entries. A remote attacker, who can create valid DNS replies, could use
this flaw to cause an overflow in a heap-allocated memory. This flaw is
caused by the lack of length checks in rtc1035.c:extract_name(), which
could be abused to make the code execute memcpy() with a negative size
in sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of
Service.

Impact
======

A remote attacker can execute arbitrary code, bypass validation and
crash the application through crafted DNS responses.

References
==========

https://www.openwall.com/lists/oss-security/2021/01/19/1
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html
https://www.jsof-tech.com/disclosures/dnspooq/
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=257ac0c5f7732cbc6aa96fdd3b06602234593aca
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=2d765867c597db18be9d876c9c17e2c0fe1953cd
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=15b60ddf935a531269bb8c68198de012a4967156
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914
https://security.archlinux.org/CVE-2020-25681
https://security.archlinux.org/CVE-2020-25682
https://security.archlinux.org/CVE-2020-25683
https://security.archlinux.org/CVE-2020-25684
https://security.archlinux.org/CVE-2020-25685
https://security.archlinux.org/CVE-2020-25686
https://security.archlinux.org/CVE-2020-25687