www.belgium.be Logo of the federal government

DNSpooq - Dnsmasq vulnerabilities open networking devices & Linux distros to DNS cache poisoning

Reference: 
Advisory #2021-0002
Version: 
1.0
Affected software: 
dnsmasq versions 2.78 to 2.82
Type: 
DNS Cache poisoning, Buffer Overflow. Exploitable remotely/low skill level to exploit needed
CVE/CVSS: 
  • CVE-2020-25681: Buffer Overflow
  • CVE-2020-25682: Buffer Overflow
  • CVE-2020-25683: Buffer Overflow
  • CVE-2020-25684: TXID-Port Decoupling
  • CVE-2020-25685: Weak frec Identification
  • CVE-2020-25686: Multiple outstanding requests for the same name
  • CVE-2020-25687: Buffer Overflow
Date: 
20/01/2021

Sources

Official researchers: https://www.jsof-tech.com/disclosures/dnspooq/

Technical whitepaper: https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq_Technical-Whitepaper.pdf

Risks

Successful exploitation of these seven vulnerabilities in the dnsmasq could result in cache poisoning, remote code execution, and a denial-of-service condition. All clients connecting to the Internet using infrastructure where a vulnerable version of dnsmasq is implemented, could be unknowingly browsing to malicious websites.

Description

Dnsmasq is one of the most popular caching DNS forwarders. Dnsmasq is common in Internet-of-Things (IoT) and other embedded devices. Researchers have found 7 vulnerabilities in dnsmasq, 3 vulnerabilities enable cache poisoning and 4 other vulnerabilities allow buffer overflows.
 
The DNS (Domain Name System) uses a cache, the DNS cache, to translate domain names to IP addresses and should only contain legitimate information. DNS uses this caching mechanism to offload the Authoritative Name Servers. Cache poisoning is a classic attack which allows an attacker to replace entries in the DNS cache with malicious ones.
 
If an instance of dnsmasq is reachable via the Internet, it is vulnerable to DNS cache poisoning, but the vulnerability can also be exploited from the Local Area Network (LAN). Unfortunately, the researchers found 1 Million vulnerable instances on the Internet (research from September 2020). The only requirements to exploit the Cache poisoning vulnerabilities is to have a server on the Internet with a DNS domain name linked to it, and has the ability to sent spoofed source IP packets. The researchers have demonstrated that these requirements are easily reachable.
 
Buffer overflow vulnerabilities allow for Remote Code Execution, effectively, rendering DNSSEC objectives useless.

Recommended Actions

- CERT.be recommends users update to the latest version (2.83 or above).
- CERT.be recommends to implement Layer 2 security features such as DHCP snooping and IP source guard.
- CERT.be recommends to use DNS-over-HTTPS or DNS-over-TLS to connect to upstream server
- CERT.be recommends temporarily disable DNSSEC validation option until you patch

Download the latest updates via: http://www.thekelleys.org.uk/dnsmasq/?C=M;O=D