Описание
A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option local-service is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems.
A flaw was found in the default configuration of dnsmasq, as shipped with Fedora and Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option local-service is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems.
Отчет
Even though Red Hat Enterprise Linux 8 and Fedora do not ship a secure default, they have firewalld service enabled by default, which denies incoming DNS queries, preventing this potential attack vector. In Red Hat OpenStack Platform 13, the dnsmasq package is pulled directly from the RHEL channel and not the RHOSP channel. RHOSP is therefore unaffected, but please ensure that the underlying Red Hat Enterprise Linux dnsmasq package is current.
Меры по смягчению последствий
To restrict the DNS server to queries coming from the local subnet, add local-service to your /etc/dnsmasq.conf file or in a file in /etc/dnsmasq.d. A firewall can be configured for additional protection against undesired traffic.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | dnsmasq | Out of support scope | ||
| Red Hat Enterprise Linux 6 | dnsmasq | Out of support scope | ||
| Red Hat Enterprise Linux 7 | dnsmasq | Will not fix | ||
| Red Hat Enterprise Linux 8 | dnsmasq | Will not fix | ||
| Red Hat OpenStack Platform 10 (Newton) | dnsmasq | Out of support scope | ||
| Red Hat OpenStack Platform 13 (Queens) | dnsmasq | Not affected |
Показывать по
Дополнительная информация
Статус:
4 Medium
CVSS3
Связанные уязвимости
A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems.
A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems.
A flaw was found in the default configuration of dnsmasq, as shipped w ...
A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems.
4 Medium
CVSS3