PT-2021-7236 · Dnsmasq+9 · Dnsmasq+9

Published

2021-04-08

·

Updated

2025-12-03

·

CVE-2021-3448

CVSS v2.0

4.3

Medium

VectorAV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions dnsmasq versions prior to 2.85
Description The issue is related to a flaw in the security check implementation for standard elements in the DNS server. This flaw can be exploited by a remote attacker to perform a DNS cache poisoning attack, which can compromise data integrity. An attacker on the network can forge a reply and get it accepted by dnsmasq by guessing the random transmission ID, as dnsmasq uses a fixed port while forwarding queries when configured to use a specific server for a given network interface.
Recommendations For versions prior to 2.85, update to version 2.85 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable DNS server to minimize the risk of exploitation. Avoid using the fixed port for forwarding queries until the issue is resolved.

Exploit

Fix

Improperly Implemented Security Check for Standard

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-358

Related Identifiers

ALSA-2021:4153
ALT-PU-2021-1622
ALT-PU-2021-1638
ALT-PU-2021-1645
BDU:2022-04028
CESA-2021_4153
CVE-2021-3448
MGASA-2021-0231
OESA-2021-1189
OPENSUSE-SU-2021:1426-1
OPENSUSE-SU-2021:3530-1
OPENSUSE-SU-2021_1426-1
OPENSUSE-SU-2021_3530-1
OPENSUSE-SU-2024:10721-1
RHSA-2021:4153
RHSA-2021_4153
RLSA-2021:4153
SUSE-SU-2021:3530-1
SUSE-SU-2022:1288-1
SUSE-SU-2022:1289-1
SUSE-SU-2022:14940-1
SUSE-SU-2022:14941-1
SUSE-SU-2022_1288-1
SUSE-SU-2022_1289-1
SUSE-SU-2022_14941-1
USN-4976-1
USN-4976-2

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu
Dnsmasq