
AVM FRITZ!Box DNS Rebinding Protection Bypass CVE-2020-26887

Severity
CVSSv3 Score: 7.8
Vulnerability description

Multiple AVM FRITZ!Box devices are prone to a DNS rebinding protection bypass.

Risk description

FRITZ!Box router devices employ a protection mechanism against DNS rebinding attacks. If a DNS answer points to an IP address in the private network range of the router, the answer is suppressed. Suppose the FRITZ!Box router's DHCP server is in its default configuration and serves the private IP range of 192.168.178.1/24. If a connected device makes a DNS request that resolves to an IPv4 address in the configured private IP range (for example 192.168.178.20), an empty answer is returned. However, if the DNS answer instead contains an AAAA record with the same private IP address in its IPv6 representation (::ffff:192.168.178.20), it is returned successfully. Furthermore, DNS requests that resolve to the loopback address 127.0.0.1 or the special address 0.0.0.0 are answered, too. The flaw allows DNS answers that point to IP addresses in the private local network to be resolved despite the DNS rebinding protection mechanism.
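The gap described above can be reproduced and closed in a resolver-side filter by normalizing every answer address before the range check. This is an added example, not AVM's code or part of the original advisory; the function names and the sample answers are constructed for illustration, and the LAN range is taken from the default-DHCP scenario above.

```python
import ipaddress

# Assumption: the LAN range from the advisory's default-DHCP scenario.
LAN = ipaddress.ip_network("192.168.178.0/24")

# Constructed sample answers (record type, address); not captured traffic.
SAMPLE_ANSWERS = [
    ("A", "192.168.178.20"),
    ("AAAA", "::ffff:192.168.178.20"),
    ("A", "127.0.0.1"),
    ("A", "0.0.0.0"),
    ("A", "8.8.8.8"),
]

def naive_blocks(rtype, addr, lan=LAN):
    """Models the described gap: only A records inside the LAN are dropped."""
    return rtype == "A" and ipaddress.ip_address(addr) in lan

def normalize(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def hardened_blocks(rtype, addr, lan=LAN):
    """Decide on the normalized address, whatever the record type says."""
    ip = normalize(addr)
    # Loopback and unspecified addresses are checked alongside the LAN range.
    return ip.is_loopback or ip.is_unspecified or ip in lan

def surviving(answers, blocks):
    """Return the addresses a filter would pass on to the client."""
    return [addr for rtype, addr in answers if not blocks(rtype, addr)]

if __name__ == "__main__":
    print("naive:   ", surviving(SAMPLE_ANSWERS, naive_blocks))
    print("hardened:", surviving(SAMPLE_ANSWERS, hardened_blocks))
```

The same normalization step is useful when testing any rebinding filter after the firmware update: feed it the mapped, loopback and unspecified forms and confirm none are returned.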

Recommendation

Update to AVM FRITZ!OS 7.20 / 7.21 or later.

Codename: Not available
Detectable with: Network Scanner
Scan engine: OpenVAS
Exploitable with Sniper: No
CVE Published: Oct 23, 2020
Detection added at:
Software Type: Not available
Vendor: Not available
Product: Not available