Yesterday, seven Dnsmasq vulnerabilities, collectively known as DNSPooq, were disclosed that attackers can use to launch DNS cache poisoning, denial-of-service, and possibly remote code execution attacks on affected devices.
Dnsmasq is a widely used open-source Domain Name System (DNS) forwarding application commonly installed on routers, operating systems, access points, and other networking equipment.
Vendors have started to release information on how customers can protect themselves from DNSPooq. To make it easier to find this information, BleepingComputer will be listing security advisories as they are released.
The related CVEs from JSOF's DNSpooq advisory are listed below, along with their descriptions.
Name | CVSS | Description |
---|---|---|
CVE-2020-25681 | 8.1 | Dnsmasq versions before 2.83 are susceptible to a heap-based buffer overflow in sort_rrset() when DNSSEC is used. This can allow a remote attacker to write arbitrary data into the target device’s memory that can lead to memory corruption and other unexpected behaviors on the target device. |
CVE-2020-25682 | 8.1 | Dnsmasq versions before 2.83 are susceptible to buffer overflow in extract_name() function due to missing length check, when DNSSEC is enabled. This can allow a remote attacker to cause memory corruption on the target device. |
CVE-2020-25683 | 5.9 | Dnsmasq versions before 2.83 are susceptible to a heap-based buffer overflow when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a Denial of Service. |
CVE-2020-25687 | 5.9 | Dnsmasq versions before 2.83 are vulnerable to a heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of Service. |
CVE-2020-25684 | 4 | A lack of proper address/port check implemented in dnsmasq versions |
CVE-2020-25685 | 4 | A lack of query resource name (RRNAME) checks implemented in dnsmasq’s versions before 2.83 reply_query function allows remote attackers to spoof DNS traffic that can lead to DNS cache poisoning. |
CVE-2020-25686 | 4 | Multiple DNS query requests for the same resource name (RRNAME) by dnsmasq versions before 2.83 allows for remote attackers to spoof DNS traffic, using a birthday attack (RFC 5452), that can lead to DNS cache poisoning. |
BleepingComputer suggests checking this page throughout the coming days to see if new information is available for devices you may be using.
For more detailed information about the DNSpooq vulnerabilities, you can read the articles below:
- DNSpooq bugs let attackers hijack DNS on millions of devices
- Official DNSPooq advisory from JSOF
- DNSPooq technical whitepaper from JSOF
- Dnsmasq is vulnerable to memory corruption and cache poisoning
Official Advisories, Notices, Patches, or Updates:
Below is a list of DNSPooq/dnsmasq advisories released by different vendors. The CERT Coordination Center is also maintaining a list of advisories shared with them.
If you are a vendor with an advisory or notice, please contact us to have your information added.
Last Updated: 01/20/21
Arista
Arista's advisory states that the DNSPooq vulnerabilities affect "all EOS products including the 7xxx and 7xx Series switches and routers, and all CloudEOS packaging options."
Arista has released updates that resolve the vulnerabilities and a hotfix if upgrading is not feasible at this time.
Cisco
Cisco released an advisory stating that 55 products and services are affected by the dnsmasq vulnerabilities. While updated software is already available for some products, many affected devices will not have fixes until February and March.
Users can find a full list of affected products and when patches will be available in the advisory.
DNSMasq
Simon Kelley, the maintainer of DNSpooq, has posted an advisory to the Dnsmasq-discuss mailing list. It advises all dnsmasq users to upgrade to version 2.83 to resolve the vulnerabilities.
Their complete advisory is below.
"There are broadly two sets of problems. The first is subtle errors in dnsmasq's protections against the chronic weakness of the DNS protocol to cache-poisoning attacks; the Birthday attack, Kaminsky, etc. The code is now as secure as it can be, given that the real solution to this is DNSSEC, both endpoint validation and domains actually signing. This is covered by CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686.
Unfortunately, given the above, the second set of errors is a good old fashioned buffer overflow in dnsmasq's DNSSEC code. If DNSSEC validation is enabled, an installation is at risk. This is covered by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687.
Many, many people have worked over a considerable period to find these problems, fix them, and co-ordinate the security response. They are named in JSOF's disclosure, but special mention should go to Shlomi Oberman, Vijay Sarvepilli, Petr Menšík, and Dan Schaper."
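As an added example (not part of the Dnsmasq advisory or any vendor's tooling), the shell function below sorts a dnsmasq build into the two groups of problems described above, using the text of `dnsmasq --version` and, optionally, the configuration file contents. The function name, the result labels and the sample banner are constructed for illustration; distributions that backport fixes keep the old upstream version number, so a packaged build can be patched while still reporting a version below 2.83.

```sh
#!/bin/sh
# Added example (not from any vendor advisory): map a dnsmasq build to the
# two DNSPooq CVE groups using the text printed by `dnsmasq --version`.
# Caveat: distributions that backport fixes keep the old upstream version
# number, so for packaged builds the vendor advisory is authoritative.

# dnspooq_classify BANNER [CONFIG_TEXT]
# Prints: patched | cache-poisoning | cache-poisoning+dnssec-compiled |
#         cache-poisoning+dnssec-overflow | unknown
dnspooq_classify() {
    banner=$1
    conf=${2:-}
    # First banner line: "Dnsmasq version 2.80  Copyright (c) ..."
    ver=$(printf '%s\n' "$banner" |
        sed -n 's/^Dnsmasq version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' | head -n 1)
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    major=${ver% *}
    minor=${ver#* }
    # 2.83 is the fixed upstream release named in the advisories.
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 83 ]; }; then
        echo patched; return 0
    fi
    # Every build before 2.83 has CVE-2020-25684/25685/25686 (cache poisoning).
    # The overflows (25681/25682/25683/25687) need DNSSEC support, which the
    # banner lists as "DNSSEC" (built in) or "no-DNSSEC" (left out).
    opts=$(printf '%s\n' "$banner" | sed -n 's/^Compile time options: //p')
    case " $opts " in
        *" DNSSEC "*) ;;
        *) echo cache-poisoning; return 0 ;;
    esac
    # Validation is switched on by a bare "dnssec" line in the configuration.
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*dnssec[[:space:]]*(#.*)?$'; then
        echo cache-poisoning+dnssec-overflow
    else
        echo cache-poisoning+dnssec-compiled
    fi
}

# Constructed sample banner, modelled on real `dnsmasq --version` output.
SAMPLE_BANNER='Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus DHCP DNSSEC loop-detect inotify'

dnspooq_classify "$SAMPLE_BANNER" 'dnssec'
# On a real host: dnspooq_classify "$(dnsmasq --version)" "$(cat /etc/dnsmasq.conf)"
```

The configuration path in the last comment is an assumption; some firmware generates the dnsmasq configuration elsewhere or passes options on the command line.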
OpenWRT
OpenWRT has released an advisory explaining how you can upgrade your dnsmasq package to resolve the vulnerability using the following command:
opkg update; opkg upgrade $(opkg list-installed dnsmasq* | cut -d' ' -f1)
More details on how to verify if the upgrade completed successfully can be found in the advisory.
The advisory also provides configuration-based mitigation if you are unable to upgrade your router at this time.
Netgear
Netgear has released an advisory stating that the following products are vulnerable to the DNSPooq dnsmasq vulnerabilities:
- RAX40 running firmware versions prior to v1.0.3.88
- RAX35 running firmware versions prior to v1.0.3.88
Netgear owners can download updated firmware for these products from the NETGEAR Support section.
Red Hat
Red Hat released an advisory today offering mitigation advice for various versions of Red Hat Enterprise Linux.
It is possible to mitigate the vulnerabilities in Red Hat 8.3 using dnsmasq configuration options. However, earlier versions require you to update the dnsmasq package.
Siemens
Siemens has released a security advisory that states the RuggedCom RM1224 and various Scalance versions are affected by the DNSPooq vulnerabilities.
Updates are not available yet, but Siemens has provided mitigations that can be applied to the devices to reduce the risk.
Sophos
Sophos' advisory states that their Sophos RED product is affected by the DNSPooq vulnerability. Sophos states that updated Sophos RED firmware for XG Firewall and SG UTM will be available soon.
Synology
Synology has released a security advisory stating that their DiskStation Manager (DSM) and Synology Router Manager (SRM) operating systems are only vulnerable to the DNSPooq DNS cache poisoning vulnerabilities (CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686).
"None of Synology's products are affected by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687 as these vulnerabilities only affect when DNSSEC is compiled," Synology's advisory explains about the other vulnerabilities.
The vulnerabilities in SRM 1.2 are resolved in version 1.2.4-8081-2 or above. A fix is not available yet for DSM 6.2.
Ubuntu
Ubuntu has issued an advisory listing available packages for Ubuntu 16.04, 18.04, 20.04, and 20.10 that resolve the vulnerability.
It should be noted that "after a standard system update you need to reboot your computer to make all the necessary changes."
Comments
olavrb - 3 years ago
Synology: https://www.synology.com/en-ca/security/advisory/Synology_SA_21_01
Lawrence Abrams - 3 years ago
Thanks. Added
fromFirefoxToVivaldi - 3 years ago
Is it enough to select a DNS provider on system level assuming the system itself is patched?
Shplad - 3 years ago
For anyone interested, FreshTomato is including dnsmasq 2.83 in its current build (next release) and so should be much safer. I got this from one of the main developers.