CVE-2005-0877

Vulnerability

Dnsmasq versions prior to 2.21 are vulnerable to DNS cache poisoning. The flaw resides in the lack of verification that incoming DNS responses correspond to queries actually issued by the server, enabling a remote attacker to inject arbitrary DNS records into the cache. The attack requires no prior authentication or special configuration beyond the default behavior of the caching resolver.

Exploitation

An attacker with network access to the Dnsmasq instance can send spoofed DNS responses that appear to come from an authoritative nameserver. Because the server does not validate that the response matches an outstanding query, the crafted answer is accepted and stored in its cache. The attacker may need to race against legitimate responses, but predictable transaction IDs (common in older versions) reduce the difficulty.

Impact

Successful exploitation allows the attacker to poison the DNS cache, redirecting users to malicious hosts for domains they legitimately request. This can lead to credential theft, malware delivery, or further compromise of network services, as clients are silently directed to attacker-controlled endpoints. The scope is broad, affecting all clients that rely on the affected Dnsmasq instance for DNS resolution.

Mitigation

Upgrade to Dnsmasq 2.21 or later, which introduces proper query-response matching to prevent acceptance of unsolicited DNS answers [1]. No workaround other than patching is available; the vulnerability was fixed in the release dated before 2005-05-02. The issue is not listed in CISA's Known Exploited Vulnerabilities catalog.