CVE-2021-3448 in Communications Cloud Native Core Network Function Cloud Native Environment
Summary
by MITRE • 04/09/2021
A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity.
Analysis
by VulDB Data Team • 12/03/2025
The vulnerability identified as CVE-2021-3448 resides in the dnsmasq DNS server, affecting versions prior to 2.85, and weakens the integrity of DNS resolution. It manifests when dnsmasq is configured to forward queries to a specific upstream server through a designated network interface: in that configuration the outgoing traffic follows a predictable pattern, which makes cache poisoning easier because only the port is fixed and the transmission ID remains to be guessed.
The technical flaw is that dnsmasq uses a fixed source port when forwarding such queries upstream. An attacker positioned on the network can observe traffic and learn the port dnsmasq uses for forwarding; because that port never changes, the randomness normally expected of this communication is lost, and crafting a response the vulnerable resolver accepts becomes much easier. The transmission ID compounds the problem: the DNS protocol relies on it to correlate requests with responses, and in vulnerable versions it is the only value the attacker still has to guess in order to forge a reply that looks legitimate.
From an operational perspective, this vulnerability is a severe threat to the integrity of DNS resolution. Because cache poisoning becomes much easier, forged responses can be injected into the cache, redirecting users to malicious sites or enabling interception of sensitive communications, including man-in-the-middle scenarios built on manipulated DNS answers. It particularly affects environments in which dnsmasq acts as a forwarder, making it a critical concern for administrators who rely on it for DNS resolution.
The vulnerability aligns with CWE-200, which addresses information exposure, and CWE-352, which covers cross-site request forgery, as the predictable port and transmission ID patterns create information exposure that enables unauthorized manipulation of DNS responses. From an ATT&CK framework perspective, it maps to T1071.004 for application layer protocol usage and T1566 for credential access through social engineering, as a poisoned cache can lead to credential interception and further compromise. Organizations should upgrade to dnsmasq version 2.85 or later without delay, segment the network to limit access to dnsmasq systems, and consider deploying DNSSEC validation for additional protection against cache poisoning. Network monitoring should be enhanced to detect anomalous DNS traffic patterns, such as bursts of responses that match no outstanding query, that might indicate exploitation attempts.
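The following script is an added example, not code from the VulDB page or from the dnsmasq project. It serves both the mechanism described above (a fixed outgoing port leaves only the 16-bit transmission ID to guess) and the monitoring advice at the end of the analysis. It audits a sample of a forwarder's outbound queries for source-port randomization and flags inbound responses that match no outstanding query, which is the traffic pattern a poisoning attempt produces. The query and response records are constructed for illustration, and their field layout is an assumption rather than dnsmasq's own log format.

```python
"""Audit a DNS forwarder's outbound queries for source-port randomization and
flag inbound responses that match no outstanding query.

Added example for CVE-2021-3448 (not VulDB's or dnsmasq's code). All records
below are constructed; the tuple layout is an assumption, not a real log format.
"""
from collections import Counter
import math

# Constructed outbound query records: (transaction id, source port, upstream ip, qname).
# A forwarder affected by CVE-2021-3448 reuses one source port for every query.
QUERIES_FIXED_PORT = [
    (0x1A2B, 40000, "10.0.0.53", "example.com"),
    (0x7C3D, 40000, "10.0.0.53", "mail.example.com"),
    (0x0FE1, 40000, "10.0.0.53", "login.example.com"),
    (0x99AA, 40000, "10.0.0.53", "cdn.example.com"),
]

# Same queries as a patched forwarder would send them, with a fresh random port each time.
QUERIES_RANDOM_PORT = [
    (0x1A2B, 51234, "10.0.0.53", "example.com"),
    (0x7C3D, 33871, "10.0.0.53", "mail.example.com"),
    (0x0FE1, 60012, "10.0.0.53", "login.example.com"),
    (0x99AA, 41599, "10.0.0.53", "cdn.example.com"),
]

# Constructed inbound response records: (transaction id, destination port, source ip).
# Two of them carry transaction ids that no outstanding query used.
RESPONSES = [
    (0x1A2B, 40000, "10.0.0.53"),  # matches the first query
    (0x5555, 40000, "10.0.0.53"),  # no outstanding query with this id
    (0x5556, 40000, "10.0.0.53"),  # no outstanding query with this id
    (0x7C3D, 40000, "10.0.0.53"),  # matches the second query
]

TXID_BITS = 16  # the DNS transaction id is a 16-bit field


def port_entropy_bits(queries):
    """Shannon entropy, in bits, of the source ports seen in the sample.

    A fixed port yields 0 bits; a small sample of random ports gives at most
    log2(sample size), so treat this as a lower bound on a patched resolver.
    """
    counts = Counter(q[1] for q in queries)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def uses_fixed_port(queries):
    """True when every sampled query left from the same source port."""
    return len({q[1] for q in queries}) == 1


def spoofing_resistance_bits(queries):
    """Bits an off-path forger must get right: the transaction id plus the port entropy."""
    return TXID_BITS + port_entropy_bits(queries)


def unmatched_responses(queries, responses):
    """Responses whose (txid, port, upstream) triple matches no outstanding query.

    A burst of these aimed at the forwarder's port is a cache-poisoning indicator.
    """
    outstanding = {(q[0], q[1], q[2]) for q in queries}
    return [r for r in responses if (r[0], r[1], r[2]) not in outstanding]


def audit(queries, responses):
    """Summarize the findings as a dict a monitoring pipeline could consume."""
    return {
        "fixed_port": uses_fixed_port(queries),
        "resistance_bits": round(spoofing_resistance_bits(queries), 2),
        "unmatched_responses": len(unmatched_responses(queries, responses)),
    }


if __name__ == "__main__":
    print("vulnerable forwarder:", audit(QUERIES_FIXED_PORT, RESPONSES))
    print("patched forwarder:   ", audit(QUERIES_RANDOM_PORT, RESPONSES))
```

On the constructed data the fixed-port sample reports 16 bits of resistance (transaction id only) and two unmatched responses; the randomized sample adds whatever port entropy the sample exposes. In production the query records would come from the forwarder's own query log or a packet capture on the upstream interface, and the unmatched-response count would be tracked per source address over a short window, since a single stray answer is normal but dozens per second are not.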