A security vulnerability known as CVE-2023-28450 has been discovered in Dnsmasq before version 2.90. The default maximum Extension Mechanisms for DNS (EDNS0) UDP packet size was set to 4096 bytes but should be reduced to 1232 bytes to comply with the DNS Flag Day 2020 recommendation. This improper default can lead to potential exploitation by attackers and subsequent denial of service (DoS) attacks. This article provides an overview of the issue, code snippets to help understand the problem, original references, and details on how the vulnerability can be exploited and mitigated.

Affected Versions: Dnsmasq before 2.90

Impact: Potential exploitation by attackers leading to denial of service (DoS) attacks.

Provided by: DNS Flag Day Project (https://dnsflagday.net/)

Original references

1. DNS Flag Day - https://dnsflagday.net/2020/
2. CVE details - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28450
3. Dnsmasq official page - http://www.thekelleys.org.uk/dnsmasq/doc.html

Issue Description

EDNS0 is an extension of the DNS protocol that allows DNS clients and servers to exchange messages larger than the original DNS protocol's 512-byte limit. However, during the DNS Flag Day 2020 event, the Internet Engineering Task Force (IETF) specified that the new recommended default maximum EDNS0 UDP packet size should be 1232 bytes, because larger packets are prone to IP fragmentation and are therefore delivered unreliably to end users.

Unfortunately, Dnsmasq had a default maximum EDNS0 UDP packet size of 4096 bytes, significantly larger than the recommended value. As a result, the software is prone to fragmentation issues and might be vulnerable to attacks.

A code snippet demonstrating the problematic configuration in Dnsmasq before 2.90 can be seen below:

//File: src/config.h

//Original configuration
#define PACKETSZ 4096 /* Maximum EDNS0 UDP packet size before fragmentation */

//Correct configuration
#define PACKETSZ 1232 /* Maximum EDNS0 UDP packet size after DNS Flag Day 2020 */
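The advertised maximum is carried in the CLASS field of the EDNS0 OPT pseudo-record (RFC 6891). The following Python example, added here and not taken from the article or from Dnsmasq, builds DNS queries and responses with an OPT record, extracts the advertised UDP payload size from an arbitrary DNS message (handling name compression in the answer section), and flags any message that advertises more than the 1232-byte DNS Flag Day 2020 value. The function and constant names (build_edns_query, build_edns_response, edns_payload_size, oversized_edns, SAFE_PKTSZ, LEGACY_PKTSZ) and the sample name and address are this example's own choices; a defender can run edns_payload_size over captured UDP payloads to spot resolvers still advertising the old 4096-byte default.

```python
import struct

SAFE_PKTSZ = 1232    # DNS Flag Day 2020 recommendation (value stated in the article)
LEGACY_PKTSZ = 4096  # pre-2.90 Dnsmasq default (value stated in the article)
OPT_TYPE = 41        # RFC 6891 OPT pseudo-RR type code


def _encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _opt_rr(udp_payload_size):
    """OPT RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=0, RDLEN=0."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)


def build_edns_query(qname, udp_payload_size=None, txid=0x1234):
    """A-record query; when udp_payload_size is given, append an OPT RR advertising it."""
    arcount = 0 if udp_payload_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    msg = header + question
    if udp_payload_size is not None:
        msg += _opt_rr(udp_payload_size)
    return msg


def build_edns_response(qname, ipv4, udp_payload_size, txid=0x1234):
    """Constructed response: one A answer using a compression pointer, plus an OPT RR.

    This mirrors what a forwarder such as Dnsmasq sends back; the OPT CLASS
    is the size the responder itself is willing to receive."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    # 0xC00C = compression pointer to offset 12, i.e. the question name
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
    answer += bytes(int(octet) for octet in ipv4.split("."))
    return header + question + answer + _opt_rr(udp_payload_size)


def _skip_name(msg, off):
    """Return the offset just past the name starting at off (pointers end a name)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer
            return off + 2
        off += 1 + length


def edns_payload_size(msg):
    """Return the UDP payload size advertised in the message's OPT RR, or None."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                # question entries: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):      # resource records in the remaining sections
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass              # for OPT, CLASS holds the UDP payload size
    return None


def oversized_edns(msg, limit=SAFE_PKTSZ):
    """True when the message advertises an EDNS0 size above the Flag Day limit."""
    size = edns_payload_size(msg)
    return size is not None and size > limit


if __name__ == "__main__":
    for label, size in (("legacy", LEGACY_PKTSZ), ("flag-day", SAFE_PKTSZ)):
        q = build_edns_query("example.com", size)
        print(label, edns_payload_size(q), "oversized" if oversized_edns(q) else "ok")
```

Feeding real captured payloads to edns_payload_size is enough to inventory which hosts on a network still advertise 4096 bytes; the parser only walks names and fixed-size RR headers, so it does not need to understand the RDATA of any record type.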

Exploit Details

An attacker could exploit CVE-2023-28450 by sending a crafted UDP packet that exceeds the recommended size of 1232 bytes. Because Dnsmasq accepted packets up to 4096 bytes, it could potentially lead to fragmentation issues on the target system. In turn, this could trigger a denial of service (DoS) attack, causing the targeted DNS server to become unresponsive or inefficient.

Mitigation

To mitigate CVE-2023-28450, users should update their Dnsmasq installations to version 2.90 or later. This version implements the DNS Flag Day 2020 recommendation of a maximum EDNS0 UDP packet size of 1232 bytes, reducing the risk of exploitation.

If updating is not possible, users can manually adjust the default maximum EDNS0 UDP packet size by changing the PACKETSZ value in the Dnsmasq source code and recompiling the software.
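Dnsmasq also exposes this limit at runtime through its --edns-packet-max option (the dnsmasq.conf form is edns-packet-max=<size>), which avoids recompiling; using it as the stop-gap is this example's suggestion rather than the article's. The Python audit below is an added example, not code from the article or from the Dnsmasq project: it reads a dnsmasq.conf text and a `dnsmasq --version` banner, works out the effective EDNS0 maximum (an explicit edns-packet-max line wins, otherwise the compiled-in default, which the article gives as 4096 before 2.90 and 1232 from 2.90 on), reports a finding when that value exceeds 1232, and emits a hardened configuration. The function names and the sample configuration and banner are constructed for this example.

```python
import re

SAFE_PKTSZ = 1232       # DNS Flag Day 2020 recommendation (from the article)
LEGACY_DEFAULT = 4096   # compiled-in default before Dnsmasq 2.90 (from the article)
FIXED_VERSION = (2, 90) # first release whose default is 1232 (from the article)

# Matches the dnsmasq.conf form of --edns-packet-max; lines starting with # are comments.
_OPT_RE = re.compile(r"^\s*edns-packet-max\s*=\s*(\d+)\s*$")

# Constructed sample: a pre-2.90 host with a config that never sets the option.
VULNERABLE_CONF = """\
# constructed sample dnsmasq.conf
domain-needed
bogus-priv
listen-address=127.0.0.1
"""
VERSION_BANNER_OLD = "Dnsmasq version 2.89  (constructed sample banner)"
VERSION_BANNER_NEW = "Dnsmasq version 2.90  (constructed sample banner)"


def parse_version(banner):
    """Extract (major, minor) from a `dnsmasq --version` banner."""
    m = re.search(r"(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no version number in banner")
    return int(m.group(1)), int(m.group(2))


def configured_edns_max(conf_text):
    """Return the edns-packet-max value set in the config, or None (last one wins)."""
    value = None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _OPT_RE.match(line)
        if m:
            value = int(m.group(1))
    return value


def effective_edns_max(conf_text, banner):
    """Effective limit: explicit config value, else the version's compiled-in default."""
    configured = configured_edns_max(conf_text)
    if configured is not None:
        return configured
    return SAFE_PKTSZ if parse_version(banner) >= FIXED_VERSION else LEGACY_DEFAULT


def audit(conf_text, banner):
    """Return a list of findings (empty when the host is within the Flag Day limit)."""
    effective = effective_edns_max(conf_text, banner)
    if effective <= SAFE_PKTSZ:
        return []
    source = "explicit edns-packet-max" if configured_edns_max(conf_text) else "compiled-in default"
    return [f"EDNS0 UDP maximum {effective} ({source}) exceeds {SAFE_PKTSZ}; "
            f"upgrade to 2.90+ or set edns-packet-max={SAFE_PKTSZ}"]


def harden(conf_text):
    """Drop any existing edns-packet-max lines and append the Flag Day value."""
    kept = [ln for ln in conf_text.splitlines() if not _OPT_RE.match(ln)]
    kept.append(f"edns-packet-max={SAFE_PKTSZ}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding in audit(VULNERABLE_CONF, VERSION_BANNER_OLD):
        print("FINDING:", finding)
    print(harden(VULNERABLE_CONF))
```

The audit treats a missing option on a pre-2.90 build as a finding, which is the situation the CVE describes; a 2.90 install with no option passes, and an explicit edns-packet-max=4096 fails regardless of version.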

In conclusion, promptly updating Dnsmasq to the latest version or manually adjusting the default maximum EDNS0 UDP packet size will mitigate CVE-2023-28450 and protect against possible denial of service (DoS) attacks. Users should remain vigilant about the latest security updates and best practices to keep their systems and networks protected.

Timeline

Published on: 03/15/2023 21:15:00 UTC
Last modified on: 04/17/2023 03:15:00 UTC