

When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. The highest threat from this vulnerability is to data integrity. A flaw was found in dnsmasq before version 2.83. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. This issue is mentioned in the "Birthday Attacks" section of RFC5452. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. The highest threat from this vulnerability is to system availability. A flaw was found in dnsmasq before version 2.83.
This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in heap-allocated memory. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw makes a DNS Cache Poisoning attack much easier. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value. A flaw was found in dnsmasq in versions before 2.85.

Dnsmasq 2.86 has a heap-based buffer overflow in answer_request (called from FuzzAnswerTheRequest and fuzz_rfc1035.c).

Dnsmasq 2.86 has a heap-based buffer overflow in print_mac (called from log_packet and dhcp_reply).

Dnsmasq 2.86 has a heap-based buffer overflow in resize_packet (called from FuzzResizePacket and fuzz_rfc1035.c).

Dnsmasq 2.86 has a heap-based buffer overflow in extract_name (called from answer_auth and FuzzAuth).

Dnsmasq 2.86 has a heap-based buffer overflow in extract_name (called from hash_questions and fuzz_util.c).

Dnsmasq 2.86 has a heap-based buffer overflow in dhcp_reply (called from dhcp_packet and FuzzDhcp).

Dnsmasq 2.86 has a heap-based buffer overflow in check_bad_address (called from check_for_bogus_wildcard and FuzzCheckForBogusWildcard).

An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1.
