Remote Yes

Type Content spoofing

Description

A security issue was found in dnsmasq before version 2.85. When configured with --server=<address>@<interface> or similar (e.g. through dbus), dnsmasq configures a fixed UDP port for all outgoing queries to the specified upstream DNS server. If an attacker is able to discover the opened port through other means (e.g. port scanning, guessing or sniffing), they would just have to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw could be abused to perform a DNS Cache Poisoning attack.

AVG-1703 dnsmasq 2.84-1 Medium Vulnerable

https://bugzilla.redhat.com/show_bug.cgi?id=1939368
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=74d4fcd756a85bc1823232ea74334f7ccfb9d5d2

Workaround
==========

The flaw can be prevented by removing the --server=<address>@<interface> option or by removing the directive server=<address>@<interface>. If dnsmasq is being run through NetworkManager, please be aware that NetworkManager automatically configures dnsmasq to use the server=<address>@<interface> directive, thus in this case the only way to prevent the flaw is to remove dns=dnsmasq from the /etc/NetworkManager/NetworkManager.conf file.

If the server=<address>@<interface> must be kept active, the impact of this flaw can be reduced by disabling the dnsmasq cache by adding --cache-size=0 when calling dnsmasq or by adding a line with cache-size=0 to the dnsmasq configuration file (/etc/dnsmasq.conf by default). If dnsmasq is being run through NetworkManager, create a new file in /etc/NetworkManager/dnsmasq.d/ and add cache-size=0 to it.

By disabling the cache, you may experience a performance loss in your environment due to all DNS queries being forwarded to the upstream servers. Please evaluate if the mitigation is appropriate for the system’s environment before applying.