Vendors and major Linux distributors who use an open-source DNS forwarding software named Dnsmasq in their products may be at risk of endangering the DNS integrity of parts of the web. JSOF research lab recently reported a set of seven vulnerabilities in Dnsmasq, collectively known as DNSpooq.

Diving deeper into DNSpooq

The set of seven DNSpooq vulnerabilities can be further subdivided into DNS cache poisoning vulnerabilities and buffer overflow vulnerabilities.
  • The DNS cache poisoning vulnerabilities, tracked as CVE-2020-25686, CVE-2020-25684, and CVE-2020-25685, could let threat actors replace legitimate DNS records on a device with ones of their choosing.
  • The buffer overflow vulnerabilities, tracked as CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, and CVE-2020-25681, could let attackers remotely execute arbitrary code on vulnerable networking equipment when Dnsmasq is configured to use DNSSEC.
  • In addition, there are some hypothetical attack scenarios such as massive JavaScript-fueled DDoS, reverse DDoS, and wormable attacks in the case of mobile devices that switch networks regularly.
  • The long and varied list of impacted vendors includes forty well-known brand names, including Asus, AT&T, Google, Comcast, Cisco, Redhat, HPE, Juniper, and Ubiquiti.

Recent DNS-based threats

  • In December, cross-layer attacks using the Linux kernel’s pseudo-random number generator bug (CVE-2020-16166) was risking the users against DNS cache poisoning attacks.
  • In November, Side-channel AttackeD DNS attack led to a revival of DNS cache poisoning attacks due to a bug (CVE-2020-25705) rendering public DNS resolvers.

The bottom line

Approximately one million Dnsmasq servers are openly available on the internet, according to data from Shodan. The exploitation of the DNSpooq vulnerabilities does not require any unusual techniques or tools. According to experts, the best mitigation is to update Dnsmasq to version 2.83 or above.

Cyware Publisher