dnsmasq-2.48-18.0.1.AXS4
エラータID: AXSA:2021-1429:04
リリース日:
2021/02/08 Monday - 12:37
題名:
dnsmasq-2.48-18.0.1.AXS4
影響のあるチャネル:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
High
Description:
以下項目について対処しました。
[Security fix]
- dnsmasq の forward.c の reply_query() には、ネットワーク上のリモートの攻撃者がクエリーからの応答を
偽造して DNS キャッシュポイズニング攻撃を引き起こすことの可能な脆弱性があります。(CVE-2020-25684)
- dnsmasq の forward.c の reply_query() には、転送したクエリーから応答を受信する際、弱いハッシュ値のみを
用いてチェックを行うため、ネットワーク上の攻撃者が同じハッシュ値を持つ複数の異なるドメインを見つけ
出すために off-path 攻撃を行い、クエリーの応答を偽造して DNS キャッシュポイズニング攻撃を
引き起こすことの可能な脆弱性があります。(CVE-2020-25685)
- dnsmasq には、クエリーを受信する際に同じ名前の既存の保留中のリクエストをチェックせずに
新しいリクエストを転送する問題があり、ネットワーク上の DNS の問い合わせルートにいない攻撃者が、
dnsmasqによって受け入れられるリプライを偽造することで、誕生日攻撃が可能な脆弱性があります。
(CVE-2020-25686)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2020-25684
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
CVE-2020-25685
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
CVE-2020-25686
A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the "Birthday Attacks" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the "Birthday Attacks" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
追加情報:
N/A
ダウンロード:
SRPMS
- dnsmasq-2.48-18.0.1.AXS4.src.rpm
MD5: dfcff87d14f8e7d7d08dfdf3fb911f19
SHA-256: f71a385b5452b50815f251505af81b042a354f0fb29bb4b7601b5202ca52301a
Size: 324.34 kB
Asianux Server 4 for x86
- dnsmasq-2.48-18.0.1.AXS4.i686.rpm
MD5: 40549d925497bb8eb615e336b6943c26
SHA-256: fcc3db017ee25f53f216c1f73d1902829381af2cfcc8ccdaa46a6006b27cfcd8
Size: 147.18 kB
Asianux Server 4 for x86_64
- dnsmasq-2.48-18.0.1.AXS4.x86_64.rpm
MD5: 1e1328944877f86e5d5c6d7c9d91ba3a
SHA-256: 1760a1599c2265fc8ccac4d6367c65ed999de2a3036929100e41017307a20d09
Size: 150.37 kB
English