Home > Vulnerability Database > CVE-2020-25682

Mend.io Vulnerability Database

CVE-2020-25682

Good to know:

Date: January 20, 2021

A flaw was found in dnsmasq before 2.83. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Language: C

Severity Score

8.1

Related Resources (18)

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYW3IR6APUSKOYKL5FT3ACTIHWHGQY32/

Url: https://security.gentoo.org/glsa/202101-17

Url: https://security-tracker.debian.org/tracker/CVE-2020-25682

Url: https://security.archlinux.org/CVE-2020-25682

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGB7HL3OWHTLEPSMLDGOMXQKG3KM2QME/

Url: https://bugzilla.redhat.com/show_bug.cgi?id=1882014

Url: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYW3IR6APUSKOYKL5FT3ACTIHWHGQY32/

Url: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGB7HL3OWHTLEPSMLDGOMXQKG3KM2QME/

Url: https://security.alpinelinux.org/vuln/CVE-2020-25682

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25682

Url: https://access.redhat.com/security/cve/CVE-2020-25682

Url: https://lists.debian.org/debian-lts-announce/2021/03/msg00027.html

Url: https://www.jsof-tech.com/disclosures/dnspooq/

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-25682

Url: https://www.debian.org/security/2021/dsa-4844

Url: https://www.mend.io/vulnerability-database/CVE-2020-25682

Severity Score

8.1

Weakness Type (CWE)

Out-of-bounds Write

CWE-787

Heap-based Buffer Overflow

CWE-122

Top Fix

Upgrade Version

Upgrade to version dnsmasq 2.83

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	8.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	COMPLETE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-25682

Good to know:

Date: January 20, 2021

Language: C

Severity Score

Related Resources (18)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?