CVE-2020-36517

7.5 HIGH

📋 TL;DR

This vulnerability allows DNS operators to discover internal network resources through hardcoded DNS resolver configurations in Home Assistant systems. It affects Nabu Casa Home Assistant Operating System and Home Assistant Supervised installations. The information leak exposes internal network topology to external DNS providers.

💻 Affected Systems

Products:
  • Nabu Casa Home Assistant Operating System
  • Home Assistant Supervised
Versions: 2022.03
Operating Systems: Home Assistant OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems using the default DNS resolver configuration that sends internal queries to external DNS servers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

DNS operators map internal network infrastructure, identify vulnerable internal services, and potentially facilitate lateral movement attacks.

🟠 Likely Case

DNS operators gain visibility into internal hostnames, IP addresses, and network structure, enabling reconnaissance for future attacks.

🟢 If Mitigated

Limited exposure with proper network segmentation and DNS configuration controls in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires DNS operator access to observe queries, which is inherent to DNS infrastructure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2022.04 and later

Vendor Advisory: https://github.com/home-assistant/plugin-dns/issues/50

Restart Required: Yes

Instructions:

1. Update Home Assistant OS to version 2022.04 or later.
2. Restart the system.
3. Verify DNS configuration respects local settings.

🔧 Temporary Workarounds

Configure Local DNS Resolver

Set up a local DNS resolver to prevent internal queries from being sent to external DNS servers.

Edit DNS configuration to use local resolver IP addresses

🧯 If You Can't Patch

  • Implement network-level DNS filtering to block internal queries from reaching external DNS servers.
  • Use split-horizon DNS configuration to separate internal and external DNS resolution.

🔍 How to Verify

Check if Vulnerable:

Check if running Home Assistant OS version 2022.03 and verify DNS queries for internal resources are being sent to external DNS servers.

Check Version:

ha os info

Verify Fix Applied:

Confirm system is updated to 2022.04+ and internal DNS queries are resolved locally.

📡 Detection & Monitoring

Log Indicators:

  • DNS query logs showing internal hostnames being resolved by external DNS servers

Network Indicators:

  • Outbound DNS traffic containing internal domain names to public DNS servers

SIEM Query:

source="dns" AND query="*.local" AND dest_ip IN (8.8.8.8, 1.1.1.1, 9.9.9.9)
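
The same check as a script over raw resolver logs. This is an added example, not part of the advisory or of Home Assistant's code. It goes beyond the `*.local` query above by also flagging reverse lookups of private IPv4 addresses and by treating any globally routable resolver as external; the log layout, the extra suffixes and the sample lines are assumptions.

```python
import ipaddress

# Assumption: suffixes that only have meaning inside the local network.
# The page names *.local; the others are common site conventions to adjust.
INTERNAL_SUFFIXES = (".local", ".lan", ".home.arpa")

# Constructed sample log; the key=value layout is an assumed format.
SAMPLE_LOG = [
    "2022-03-14T10:02:11Z client=172.30.32.3 query=nas.local type=A dest=1.1.1.1",
    "2022-03-14T10:02:12Z client=172.30.32.3 query=www.example.com type=A dest=1.1.1.1",
    "2022-03-14T10:02:13Z client=172.30.32.3 query=printer.local type=A dest=192.168.1.1",
    "2022-03-14T10:02:14Z client=172.30.32.3 query=10.1.168.192.in-addr.arpa type=PTR dest=8.8.8.8",
    "2022-03-14T10:02:15Z client=172.30.32.3 query=8.8.8.8.in-addr.arpa type=PTR dest=8.8.8.8",
    "truncated line with no fields",
]

def is_internal_name(qname):
    """True for internal suffixes and for reverse lookups of private IPv4 addresses."""
    name = qname.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        try:
            addr = ipaddress.ip_address(".".join(reversed(labels)))
        except ValueError:
            return False  # partial or malformed reverse name
        return addr.is_private
    return name.endswith(INTERNAL_SUFFIXES)

def find_leaks(lines):
    """Return (query, resolver) pairs where an internal name left the network."""
    leaks = []
    for line in lines:
        fields = dict(p.split("=", 1) for p in line.split()[1:] if "=" in p)
        try:
            dest = ipaddress.ip_address(fields["dest"])
        except (KeyError, ValueError):
            continue  # skip lines without a parsable resolver address
        query = fields.get("query", "")
        if dest.is_global and is_internal_name(query):
            leaks.append((query, str(dest)))
    return leaks

if __name__ == "__main__":
    for query, resolver in find_leaks(SAMPLE_LOG):
        print(f"internal name {query!r} sent to public resolver {resolver}")
```

An empty result on logs captured after the update is consistent with internal queries being resolved locally.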
