Описание
A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity.
A flaw was found in dnsmasq. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity.
Меры по смягчению последствий
The flaw can be prevented by removing --server=<address>@<interface> option or by removing the directive server=<address>@<interface>. If dnsmasq is being run through NetworkManager, please be aware that NetworkManager automatically configures dnsmasq to use the server=<address>@<interface> directive, thus in this case the only way to prevent the flaw is to remove dns=dnsmasq from /etc/NetworkManager/NetworkManager.conf file.
If the server=<address>@<interface> must be kept active, the impact of this flaw can be reduced by disabling the dnsmasq cache by adding --cache-size=0 when calling dnsmasq or by adding a line with cache-size=0 to the dnsmasq configuration file (/etc/dnsmasq.conf by default). If dnsmasq is being run through NetworkManager, create a new file in /etc/NetworkManager/dnsmasq.d/ and add cache-size=0 to it.
By disabling the cache, you may experience a performance loss in your environment due to all DNS queries being forwarded to the upstream servers. Please evaluate if the mitigation is appropriate for the system’s environment before applying.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | dnsmasq | Out of support scope | ||
| Red Hat Enterprise Linux 7 | dnsmasq | Out of support scope | ||
| Red Hat Enterprise Linux 9 | dnsmasq | Not affected | ||
| Red Hat OpenStack Platform 10 (Newton) | dnsmasq | Not affected | ||
| Red Hat OpenStack Platform 13 (Queens) | dnsmasq | Not affected | ||
| Red Hat Enterprise Linux 8 | dnsmasq | Fixed | RHSA-2021:4153 | 09.11.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
4 Medium
CVSS3
Связанные уязвимости
A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity.
A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity.
A flaw was found in dnsmasq in versions before 2.85. When configured t ...
EPSS
4 Medium
CVSS3