PublicDateAtUSN: 2021-01-19
Candidate: CVE-2020-25684
CRD: 2021-01-19
PublicDate: 2021-01-20 16:15:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25684
 https://www.jsof-tech.com/disclosures/dnspooq/
 http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html
 https://ubuntu.com/security/notices/USN-4698-1
Description:
 A flaw was found in dnsmasq before version 2.83. When getting a reply from
 a forwarded query, dnsmasq checks in the forward.c:reply_query() if the
 reply destination address/port is used by the pending forwarded queries.
 However, it does not use the address/port to retrieve the exact forwarded
 query, substantially reducing the number of attempts an attacker on the
 network would have to perform to forge a reply and get it accepted by
 dnsmasq. This issue contrasts with RFC5452, which specifies a query's
 attributes that all must be used to match a reply. This flaw allows an
 attacker to perform a DNS Cache Poisoning attack. If chained with
 CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful
 attack is reduced. The highest threat from this vulnerability is to data
 integrity.
Ubuntu-Description: 
Notes: 
Mitigation: 
Bugs: 
Priority: medium
Discovered-by: Moshe Kol and Shlomi Oberman
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N [3.7 LOW]


Patches_dnsmasq:
upstream_dnsmasq: released (2.83)
precise/esm_dnsmasq: ignored (end of ESM support, was needs-triage)
trusty_dnsmasq: ignored (out of standard support)
trusty/esm_dnsmasq: needs-triage
xenial_dnsmasq: released (2.75-1ubuntu0.16.04.7)
esm-infra/xenial_dnsmasq: released (2.75-1ubuntu0.16.04.7)
bionic_dnsmasq: released (2.79-1ubuntu0.2)
focal_dnsmasq: released (2.80-1.1ubuntu1.2)
groovy_dnsmasq: released (2.82-1ubuntu1.1)
hirsute_dnsmasq: released (2.82-1ubuntu2)
impish_dnsmasq: released (2.82-1ubuntu2)
jammy_dnsmasq: released (2.82-1ubuntu2)
devel_dnsmasq: released (2.82-1ubuntu2)