Test ID: 1.3.6.1.4.1.25623.1.0.108950
Category: General
Title: AVM FRITZ!Box DNS Rebinding Protection Bypass (CVE-2020-26887)
Summary: Multiple AVM FRITZ!Box devices are prone to a DNS rebinding protection bypass.
Description:
Summary:
Multiple AVM FRITZ!Box devices are prone to a DNS rebinding protection bypass.

Vulnerability Insight:
FRITZ!Box router devices employ a protection mechanism against DNS rebinding
attacks: if a DNS answer points to an IP address in the private network range of the router, the answer is
suppressed. Suppose the FRITZ!Box router's DHCP server is in its default configuration and serves the private
IP range 192.168.178.1/24. If a connected device makes a DNS request that resolves to an IPv4 address
in the configured private IP range (for example 192.168.178.20), an empty answer is returned. However, if
the DNS answer instead contains an AAAA record carrying the same private IP address in its IPv4-mapped IPv6
representation (::ffff:192.168.178.20), it is returned successfully. Furthermore, DNS requests that resolve to the loopback
address 127.0.0.1 or the special address 0.0.0.0 are answered as well.
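The filter behaviour described above can be modelled to show why a check on A records alone is insufficient. The following is an added example written for this page, not FRITZ!OS code or a Greenbone test: a naive filter that suppresses only A records inside the LAN range (reproducing the three gaps the insight lists), beside a hardened filter that canonicalises IPv4-mapped IPv6 answers back to IPv4 and also rejects loopback and unspecified addresses. The LAN prefix, the sample DNS answers and the function names are constructed assumptions.

```python
import ipaddress
from typing import Optional

# Constructed assumption: the default LAN range named on the page
# (written there as 192.168.178.1/24; strict=False normalises it to the /24 network).
LAN_NETWORK = ipaddress.ip_network("192.168.178.1/24", strict=False)


def naive_filter_blocks(rtype: str, rdata: str, lan=LAN_NETWORK) -> bool:
    """Model of the weak behaviour the insight describes: only A records whose
    address falls inside the configured LAN range are suppressed. AAAA records,
    127.0.0.1 and 0.0.0.0 pass through untouched."""
    if rtype != "A":
        return False
    return ipaddress.ip_address(rdata) in lan


def canonical_ipv4(addr: ipaddress._BaseAddress) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address an answer really designates, unwrapping the
    IPv4-mapped IPv6 form (::ffff:a.b.c.d). Native IPv6 yields None."""
    if isinstance(addr, ipaddress.IPv6Address):
        return addr.ipv4_mapped  # None unless the address is ::ffff:0:0/96
    return addr


def hardened_filter_blocks(rtype: str, rdata: str, lan=LAN_NETWORK) -> bool:
    """Rebinding filter applied to both A and AAAA answers. Blocks anything that
    resolves to the LAN range, to loopback, to the unspecified address or to a
    link-local address, whether written natively or as an IPv4-mapped IPv6 address.
    Malformed rdata is blocked (fail closed)."""
    if rtype not in ("A", "AAAA"):
        return False  # CNAME, MX, TXT, ... carry no address to check here
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return True
    v4 = canonical_ipv4(addr)
    if v4 is not None:
        return (v4 in lan or v4.is_loopback or v4.is_unspecified or v4.is_link_local)
    # Native IPv6: ::1, ::, fe80::/10
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local


# Constructed sample answers covering the cases named in the insight plus two
# "outside" addresses from documentation ranges that a legitimate site could use.
SAMPLE_ANSWERS = [
    ("A", "192.168.178.20"),
    ("AAAA", "::ffff:192.168.178.20"),
    ("A", "127.0.0.1"),
    ("A", "0.0.0.0"),
    ("A", "203.0.113.10"),
    ("AAAA", "2001:db8::1"),
]


def compare_filters(answers=SAMPLE_ANSWERS):
    """Return (rtype, rdata, blocked_by_naive, blocked_by_hardened) per answer."""
    return [
        (rtype, rdata, naive_filter_blocks(rtype, rdata), hardened_filter_blocks(rtype, rdata))
        for rtype, rdata in answers
    ]


def gaps_between_filters(answers=SAMPLE_ANSWERS):
    """Answers the naive filter lets through but the hardened one suppresses."""
    return [row for row in compare_filters(answers) if not row[2] and row[3]]


if __name__ == "__main__":
    for rtype, rdata, naive, hardened in compare_filters():
        print(f"{rtype:5} {rdata:26} naive_blocks={naive!s:5} hardened_blocks={hardened}")
```

Running the block lists three answers that slip past the naive check and are caught by the hardened one: the IPv4-mapped AAAA record, 127.0.0.1 and 0.0.0.0. The `ipv4_mapped` property is the key step; comparing an IPv6Address object against an IPv4 network never matches, which is exactly the gap the insight describes.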

Vulnerability Impact:
The flaw allows DNS answers that point to IP addresses in the private local network
to be resolved, despite the DNS rebinding protection mechanism.

Affected Software/OS:
- AVM FRITZ!Box 6490 and 6590 running AVM FRITZ!OS before version 7.20

- Other AVM FRITZ!Box devices running AVM FRITZ!OS before version 7.21

Solution:
Update to AVM FRITZ!OS 7.20 / 7.21 or later.

CVSS Score:
4.6

CVSS Vector:
AV:L/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2020-26887
Copyright: Copyright (C) 2020 Greenbone Networks GmbH

© 1998-2020 E-Soft Inc. All rights reserved.