Vulnerability DatabaseCVE-2023-28450

CVE-2023-28450:
NixOS vulnerability analysis and mitigation

Overview

An issue was discovered in Dnsmasq before version 2.90, identified as CVE-2023-28450. The vulnerability relates to an incorrect default configuration where the maximum EDNS.0 UDP packet size was set to 4096 bytes instead of the recommended 1232 bytes as specified by DNS Flag Day 2020 (NVD).

Technical details

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue specifically relates to the default configuration of EDNS.0 UDP packet size in Dnsmasq, which was set to a value significantly higher than recommended by DNS Flag Day 2020 standards (NVD, Ubuntu).

Impact

The misconfiguration of the EDNS.0 UDP packet size could potentially lead to availability issues in DNS services. The high CVSS score primarily reflects the potential impact on system availability, with no direct effect on confidentiality or integrity of the system (NVD).

Mitigation and workarounds

The vulnerability has been fixed in Dnsmasq version 2.90 and later releases. Various Linux distributions have released security updates to address this issue. For example, Fedora has released updates (dnsmasq-2.89-2) that limit the offered EDNS0 size to 1232 (Fedora).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer?

Request vulnerability assessment

7.5

Score

Published March 15, 2023

Severity HIGH

CNA Score 7.5

Affected Technologies

NixOS
dnsmasq

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 1

Exploitation Probability (EPSS) N/A

Affected packages and libraries

dnsmasq
dnsmasq-debuginfo

Sources

NVD
AlmaLinux Security Advisory
- AlmaLinux 8 Severity MEDIUMHas FixAdded at: Nov 28, 2023
- AlmaLinux 9 Severity MEDIUMHas FixAdded at: Nov 16, 2023
Alpine Security Tracker
- Alpine 3.10, 3.11, 3.12, 3.13 Severity HIGHHas FixAdded at: Dec 03, 2023
- Alpine 3.14, 3.15, 3.16, 3.17 Severity HIGHHas FixAdded at: Apr 02, 2023
- Alpine 3.18 Severity HIGHHas FixAdded at: May 10, 2023
- Alpine 3.19 Severity HIGHHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity HIGHHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity HIGHHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
- Alpine edge Severity HIGHHas FixAdded at: Jun 19, 2023
CBL-Mariner
- CBL-Mariner 1.0, 2.0 Severity HIGHHas FixAdded at: Jun 10, 2023
Debian Security Tracker
- Debian 10 Severity MEDIUMNo FixAdded at: Mar 16, 2023
- Debian 11, 12 Severity HIGHHas FixAdded at: Mar 16, 2023
- Debian 13 Severity HIGHHas FixAdded at: Jun 11, 2023
Gentoo Advisory Database
- Gentoo Severity MEDIUMHas FixAdded at: Dec 08, 2024
Homebrew
- Homebrew Severity HIGHHas FixAdded at: Feb 12, 2024
Nix
- Nix Severity HIGHHas FixAdded at: Nov 01, 2023
Photon Security Advisory
- Photon 3.0, 4.0 Severity HIGHHas FixAdded at: Apr 11, 2023
- Photon 5.0 Severity HIGHHas FixAdded at: Jul 16, 2023
Red Hat Errata
- Red Hat 6, 7 Severity MEDIUMNo FixAdded at: Mar 16, 2023
- Red Hat 8 Severity MEDIUMHas FixAdded at: Mar 16, 2023
- Red Hat 9 Severity MEDIUMHas FixAdded at: Mar 16, 2023
Ubuntu Security Tracker
- Ubuntu 14.04, 16.04, 18.04, 20.04, 22.04, 22.10 Severity LOWHas FixAdded at: Apr 22, 2023
- Ubuntu 23.10 Severity LOWHas FixAdded at: Feb 18, 2024
- Ubuntu 24.04 Severity LOWHas FixAdded at: May 06, 2024