CVE-2021-3448

Published: 8 April 2021

A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity.

Notes

This issue only affects dnsmasq in non-default configurations
where the server=<address>@<interface> option is used. In those
environments, this issue can be prevented by disabling cache by
also using a cache-size=0 configuration option.

For the dnsmasq instance used by Network-Manager, it is not
vulnerable to this issue as Ubuntu disables caching by
default. (See Update-dnsmasq-parameters.patch in the
network-manager package)

Status

Severity score breakdown

References

• https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014835.html
• https://ubuntu.com/security/notices/USN-4976-1
• https://ubuntu.com/security/notices/USN-4976-2
• https://www.cve.org/CVERecord?id=CVE-2021-3448
• NVD
• Launchpad
• Debian

Bugs

• https://bugzilla.redhat.com/show_bug.cgi?id=1939368