CVE-2020-14312

06.02.2021, 00:15

A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
redhat	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 28%

Vendor	Product	Version
fedoraproject	fedora	𝑥 < 31

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

dnsmasq

bullseye	2.85-1 fixed
bookworm	2.89-1 fixed
sid	2.90-4 fixed
trixie	2.90-4 fixed

Ubuntu Releases

Ubuntu Product

Codename

dnsmasq

focal	not-affected
eoan	not-affected
bionic	not-affected
xenial	not-affected
trusty	ignored

Common Weakness Enumeration

CWE-284 - Improper Access Control
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1851342