Wind River Support Network

Fixed

LIN10-8132 : Security Advisory - dnsmasq - CVE-2020-25685

Created: Jan 19, 2021    Updated: Apr 1, 2021
Resolved Date: Apr 1, 2021
Found In Version: 10.17.41.1
Severity: Standard
Applicable for: Wind River Linux LTS 17
Component/s: Userspace

Description

When a reply to a forwarded query arrives, dnsmasq determines in forward.c:reply_query() which forwarded query the reply belongs to, using only a weak hash of the query name. Because the hash is weak (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is), an attacker can find several different domains that all have the same hash, substantially reducing the number of attempts needed to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC 5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS cache poisoning attack.
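The difference between hash-only reply matching and the full-name comparison RFC 5452 requires, as an added example (not dnsmasq code and not part of the original advisory). The struct, the function names and the sample names are hypothetical, and weak_hash() is a deliberately tiny stand-in for a weak name hash, not dnsmasq's CRC32 or SHA-1.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in weak hash (sum of bytes mod 256), chosen so that the constructed
   sample names below collide. Assumption for illustration only. */
uint32_t weak_hash(const char *name) {
    uint32_t h = 0;
    for (; *name; name++) h = (h + (unsigned char)*name) & 0xff;
    return h;
}

/* One forwarded query that is still waiting for its reply. */
struct pending {
    uint16_t id;          /* DNS transaction ID sent upstream */
    uint32_t name_hash;   /* hash of the query name */
    char qname[256];      /* full query name as sent (assumed lower-cased) */
};

void pending_init(struct pending *p, uint16_t id, const char *qname) {
    p->id = id;
    p->name_hash = weak_hash(qname);
    snprintf(p->qname, sizeof p->qname, "%s", qname);
}

/* Weak form: a reply matches when the ID and the hash of its question name
   match. Any other name with the same hash is accepted as well. */
int match_hash_only(const struct pending *p, uint16_t id, const char *reply_qname) {
    return p->id == id && p->name_hash == weak_hash(reply_qname);
}

/* Hardened form: the hash only narrows the lookup; the reply's question
   name must also equal the name that was actually asked. */
int match_full_name(const struct pending *p, uint16_t id, const char *reply_qname) {
    return match_hash_only(p, id, reply_qname) &&
           strcmp(p->qname, reply_qname) == 0;
}

int main(void) {
    struct pending p;
    /* Constructed sample names: same bytes in a different order, so they
       collide under weak_hash(). */
    pending_init(&p, 0x1234, "ab.example.test");
    printf("hash-only accepts colliding name: %d\n",
           match_hash_only(&p, 0x1234, "ba.example.test"));
    printf("full-name accepts colliding name: %d\n",
           match_full_name(&p, 0x1234, "ba.example.test"));
    return 0;
}
```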

Upstream patches:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2d765867c597db18be9d876c9c17e2c0fe1953cd
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b

CVE-2020-25685: https://nvd.nist.gov/vuln/detail/CVE-2020-25685
