
DNSpooq lets attackers poison DNS cache records


mood


Network administrators urged to apply the latest Dnsmasq updates to prevent the new DNSpooq attacks.

 

[Image: DNSpooq logo. Image: JSOF]

 

Security experts have disclosed today details about seven vulnerabilities impacting a popular DNS software package that is commonly deployed in networking equipment, such as routers and access points.

 

The vulnerabilities, tracked as DNSpooq, impact Dnsmasq, a DNS forwarding client for *NIX-based operating systems.

 

Dnsmasq is usually included inside the firmware of various networking devices to provide DNS forwarding capabilities by taking DNS requests made by local users, forwarding the request to an upstream DNS server, and then caching the results once they arrive, making the same results readily available for other clients without needing to make a new DNS query upstream.

 

While their role seems banal and insignificant, they play a crucial role in accelerating internet speeds by avoiding recursive traffic.

 

Today, the DNSpooq software has made its way into millions of devices sold worldwide, such as Cisco devices, Android smartphones, and all sorts of networking gear like routers, access points, firewalls, and VPNs from companies like ZTE, Aruba, Redhat, Belden, Ubiquiti, D-Link, Huawei, Linksys, Zyxel, Juniper, Netgear, HPE, IBM, Siemens, Xiaomi, and others.

HOW DNSPOOQ WORKS

The DNSpooq vulnerabilities, disclosed today by security experts from JSOF, are dangerous because they can be combined to poison DNS cache entries recorded by Dnsmasq servers.

 

Poisoning DNS cache records is a big problem for network administrators because it allows attackers to redirect users to clones of legitimate websites.

 

For example, if a threat actor can abuse a DNSpooq attack to poison DNS cache entries for gmail.com on a company's Cisco router, they can redirect all that company's employees to a Gmail phishing page while the browser shows the legitimate gmail.com address in their browsers.

 

In total, seven DNSpooq vulnerabilities have been disclosed today. Four are buffer overflows in the Dnsmasq code that can lead to remote code execution scenarios, while the other three bugs allow DNS cache poisoning.

 

[Image: dnspooq-cves.png]

 

DNSPOOQ ARE EASY TO PULL OFF, BUT NOISY ATTACKS

On their own, the danger from each is limited, but researchers argue they can be combined to attack any device with older versions of the Dnsmasq software.

 

Attacks can be carried out quite easily against Dnsmasq installations directly exposed on the internet, but the JSOF team warns that devices on internal networks are also at risk if attackers relay the attack code via browsers or other (compromised) devices on the same network.

 

[Image: dnspooq-attacks.png]

 

The attacks might sound hard to execute, but in an interview with ZDNet on Monday, Shlomi Oberman, chief executive officer at JSOF, said it was the contrary.

"DNSpooq cache poisoning vulnerabilities are not hard to pull off and are the type of vulnerabilities that, in our opinion, could be easily automated and used by botnets, malvertisers, phishers, and that merry bunch," Oberman said.

"The main challenge for someone exploiting these vulnerabilities on a large scale is that they are quite noisy so they will probably be noticed by ISPs and other companies with wide visibility to internet traffic," the JSOF CEO told ZDNet.

 

Oberman added that the attacks also require sending many DNS packets to a targeted device, which also takes a lot of time, and, in addition, also requires that attackers have access to adequate attack infrastructure.

 

Nonetheless, these are not prohibitive requirements, and the JSOF exec believes the DNSpooq attack is well in the reach of both cybercrime gangs and nation-state (APT) groups alike.

PATCHES ROLLING OUT EVERYWHERE

The easiest way to prevent any of these attacks would be to apply the security updates that will be released later today by the Dnsmasq project.

 

However, many of these Dnsmasq DNS forwarding clients are included inside the firmware of other products, where end consumers can't reach in and update just one single library.

 

Oberman, whose company previously also discovered, disclosed, and helped patch the wide-reaching Ripple20 vulnerabilities, has taken a similar approach this time as well.

 

The JSOF exec told ZDNet that his company has worked with both the Dnsmasq project author and multiple industry partners to make sure patches were made available to device vendors by today's public disclosure.

"The disclosure process included forming a task group composed of security and engineering representatives from Cisco, Google, Red-Hat, Pi Hole, CERT/CC, Simon Kelley (Dnsmasq maintainer), and JSOF," Oberman told us.

"The task force engaged on how to record the vulnerabilities, how to communicate them, and also suggested several different patches. There are now patches available under embargo, both as a new version and as backported patches," he added.

 

CERT/CC and ICS-CERT also helped coordinate disclosing the DNSpooq attacks to other vendors not included in the original task force. While some vendors might be late with integrating the patches, most vendors have been notified by now about the seven vulnerabilities and their need to eventually deploy patches to all affected products. A list of affected vendors, products, and patches (if available) is published on the official DNSpooq website.

END-USERS HAVE THEIR OWN COUNTERMEASURES

But for end consumers, determining which vendor deployed DNSpooq patches will most likely be an impossible feat, even for those with advanced technical skills.

 

Chasing down CVE identifiers for the seven DNSpooq vulnerabilities in device firmware changelogs is a complex feat even for security professionals and software engineers, let alone the average Joe.

 

Oberman says that these users can protect themselves against DNSpooq-vulnerable devices on their network through two methods.

"A good workaround would be to use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT)," Oberman said.

"Another option would be to statically configure a trusted DNS server, like Cloudflare or Google DNS servers, so that DNS requests are not handled by the home router and go directly to the [remote] DNS server.

 

"Both these options require some technical understanding, but are simple enough for many users to carry out," Oberman told us.

 

 

Source: DNSpooq lets attackers poison DNS cache records


List of DNSpooq vulnerability advisories, patches, and updates

 

[Image: dnspooq.jpg]

 

Yesterday, seven Dnsmasq vulnerabilities were disclosed, collectively known as DNSPooq, that attackers can use to launch DNS Cache Poisoning, denial of service, and possibly remote code execution attacks, on affected devices.

 

Dnsmasq is a widely used open-source Domain Name System (DNS) forwarding application commonly installed on routers, operating systems, access points, and other networking equipment. 

 

Vendors have started to release information on how customers can protect themselves from DNSPooq. To make it easier to find this information, BleepingComputer will be listing security advisories as they are released. 

 

The related CVEs from JSOF's DNSpooq advisory are listed below, along with their descriptions.

 

Name (CVSS): Description

  • CVE-2020-25681 (CVSS 8.1): Dnsmasq versions before 2.83 are susceptible to a heap-based buffer overflow in sort_rrset() when DNSSEC is used. This can allow a remote attacker to write arbitrary data into target device’s memory that can lead to memory corruption and other unexpected behaviors on the target device.
  • CVE-2020-25682 (CVSS 8.1): Dnsmasq versions before 2.83 are susceptible to buffer overflow in extract_name() function due to missing length check, when DNSSEC is enabled. This can allow a remote attacker to cause memory corruption on the target device.
  • CVE-2020-25683 (CVSS 5.9): Dnsmasq versions before 2.83 are susceptible to a heap-based buffer overflow when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a Denial of Service.
  • CVE-2020-25687 (CVSS 5.9): Dnsmasq versions before 2.83 are vulnerable to a heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of Service.
  • CVE-2020-25684 (CVSS 4): A lack of proper address/port check implemented in dnsmasq versions
  • CVE-2020-25685 (CVSS 4): A lack of query resource name (RRNAME) checks implemented in dnsmasq’s versions before 2.83 reply_query function allows remote attackers to spoof DNS traffic that can lead to DNS cache poisoning.
  • CVE-2020-25686 (CVSS 4): Multiple DNS query requests for the same resource name (RRNAME) by dnsmasq versions before 2.83 allows for remote attackers to spoof DNS traffic, using a birthday attack (RFC 5452), that can lead to DNS cache poisoning.

 

BleepingComputer suggests checking this page throughout the coming days to see if new information is available for devices you may be using.

 

For more detailed information about the DNSpooq vulnerabilities, you can read the articles below:

Official Advisories, Notices, Patches, or Updates:

Below is a list of DNSPooq/dnsmasq advisories released by different vendors. The CERT Coordination Center is also maintaining a list of advisories shared with them.

 

If you are a vendor with an advisory or notice, please contact us to have your information added. 

 

Last Updated: 01/20/21

Arista

Arista's advisory states that the DNSPooq vulnerabilities affect "all EOS products including the 7xxx and 7xx Series switches and routers, and all CloudEOS packaging options."

 

Arista has released updates that resolve the vulnerabilities and a hotfix if upgrading is not feasible at this time.

Cisco

Cisco released an advisory stating that 55 products and services are affected by the dnsmasq vulnerabilities.  While updated software is already available for some products, many affected devices will not have fixes until February and March.

 

Users can find a full list of affected products and when patches will be available in the advisory.

DNSMasq

Simon Kelley, the maintainer of DNSpooq, has posted an advisory to the Dnsmasq-discuss mailing list. This advisory advises all dnsmasq users to upgrade to version 2.83 to resolve the vulnerabilities.

 

Their complete advisory is below.

"There are broadly two sets of problems. The first is subtle errors in dnsmasq's protections against the chronic weakness of the DNS protocol to cache-poisoning attacks; the Birthday attack, Kaminsky, etc. The code is now as secure as it can be, given that the real solution to this is DNSSEC, both endpoint validation and domains actually signing. This is covered by CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686.

 

Unfortunately, given the above, the second set of errors is a good old fashioned buffer overflow in dnsmasq's DNSSEC code. If DNSSEC validation is enabled, an installation is at risk. This is covered by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687.

 

Many, many people have worked over a considerable period to find these problems, fix them, and co-ordinate the security response. They are named in JSOF's disclosure, but special mention should go to Shlomi Oberman, Vijay Sarvepilli, Petr Menšík, and Dan Schaper."

OpenWRT

OpenWRT has released an advisory explaining how you can upgrade your dnsmasq package to resolve the vulnerability using the following command:

opkg update; opkg upgrade $(opkg list-installed dnsmasq* | cut -d' ' -f1)

More details on how to verify if the upgrade completed successfully can be found in the advisory.

 

The advisory also provides configuration-based mitigation if you are unable to upgrade your router at this time.

Netgear

Netgear has released an advisory stating that the following products are vulnerable to the DNSpooq dnsmasq vulnerabilities:

  • RAX40 running firmware versions prior to v1.0.3.88
  • RAX35 running firmware versions prior to v1.0.3.88

Netgear owners can download updated firmware for these products from the NETGEAR Support section.

Red Hat

Red Hat released an advisory today offering mitigation advice for various versions of Red Hat Enterprise Linux. 

 

It is possible to mitigate the vulnerabilities in Red Hat 8.3 using dnsmasq configuration options. However, earlier versions require you to update the dnsmasq package.

Siemens

Siemens has released a security advisory that states the RuggedCom RM1224 and various Scalance versions are affected by the DNSPooq vulnerabilities.

 

Updates are not available yet, but Siemens has provided mitigations that can be applied to the devices to reduce the risk.

Sophos

Sophos' advisory states that their Sophos RED product is affected by the DNSPooq vulnerability. Sophos states that updated Sophos RED firmware for XG Firewall and SG UTM will be available soon.

Ubuntu

Ubuntu has issued an advisory listing available packages for Ubuntu 16.04, 18.04, 20.04, and 20.10 that resolve the vulnerability.

 

It should be noted that "after a standard system update you need to reboot your computer to make all the necessary changes."

 

 

Source: List of DNSpooq vulnerability advisories, patches, and updates
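The three cache-poisoning CVEs in the table above each describe one reply check that a forwarder skipped: the source address/port check (CVE-2020-25684), the question-name check (CVE-2020-25685), and collapsing duplicate in-flight queries so a guesser cannot play the birthday attack (CVE-2020-25686). Added here as an illustration for this thread, not code from Dnsmasq or from the articles, the toy forwarder below implements all three checks with flags so each one can be switched off and its effect observed; the class names, addresses and names are constructed.

```python
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PendingQuery:
    """One in-flight upstream query the forwarder is waiting on (constructed model)."""
    txid: int        # 16-bit DNS transaction ID
    upstream: tuple  # (ip, port) the query was sent to
    qname: str       # normalised question name
    qtype: int       # 1 = A record


def norm(name: str) -> str:
    """DNS names compare case-insensitively and with or without the trailing dot."""
    return name.lower().rstrip(".")


@dataclass
class Forwarder:
    """Toy forwarder cache; each flag models one check a vulnerable build skipped."""
    check_src: bool = True   # CVE-2020-25684: reply must come from the queried address/port
    check_name: bool = True  # CVE-2020-25685: reply question must match the query question
    dedupe: bool = True      # CVE-2020-25686: one in-flight query per (name, type)
    pending: set = field(default_factory=set)
    cache: dict = field(default_factory=dict)

    def send_query(self, upstream, qname, qtype=1):
        key = (norm(qname), qtype)
        if self.dedupe:
            for q in self.pending:
                if (q.qname, q.qtype) == key:
                    return q  # reuse the in-flight query instead of adding a second
        q = PendingQuery(secrets.randbelow(1 << 16), upstream, key[0], qtype)
        self.pending.add(q)
        return q

    def accept_reply(self, src, txid, qname, qtype, rdata):
        """Return True iff the reply matched an outstanding query and was cached."""
        for q in self.pending:
            if q.txid != txid:
                continue
            if self.check_src and q.upstream != src:
                continue
            if self.check_name and (q.qname, q.qtype) != (norm(qname), qtype):
                continue
            self.pending.discard(q)
            # With check_name off, whatever name the reply carries is cached: the
            # poisoning path. With it on, this key equals the query's own key.
            self.cache[(norm(qname), qtype)] = rdata
            return True
        return False

    def outstanding_for(self, qname, qtype=1):
        return sum(1 for q in self.pending if (q.qname, q.qtype) == (norm(qname), qtype))
```

With all three flags on, a reply is only cached when it comes from the queried upstream, carries the matching transaction ID, and answers the same question; turning dedupe off lets several identical queries sit in flight at once, which is the condition RFC 5452's birthday analysis warns about.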



DNSpooq bugs expose millions of devices to DNS cache poisoning

Security flaws in a widely used DNS software package could allow attackers to send users to malicious websites or to remotely hijack their devices

 

Millions of devices could be vulnerable to Domain Name System (DNS) cache poisoning and remote code execution attacks due to seven security flaws in dnsmasq, DNS forwarding and caching software commonly found in smartphones, desktops, servers, routers and other Internet of Things devices, according to Israel-based security company JSOF, which discovered the security holes.

 

Collectively dubbed DNSpooq, the vulnerabilities in the open-source utility affect a variety of devices and firmware, including those made by some of the world’s leading tech companies.

“Some of the DNSpooq vulnerabilities allow for DNS cache poisoning and one of the DNSpooq vulnerabilities could permit a potential Remote Code execution that could allow a takeover of many brands of home routers and other networking equipment, with millions of devices affected, and over a million instances directly exposed to the Internet,” warned JSOF. According to Shodan, there are almost 1.2 million dnsmasq servers exposed to the internet, with yet more vulnerable devices confined to internal networks but also at risk.

 

Researchers identified no fewer than 40 vendors that use dnsmasq in a wide range of products and in various pieces of firmware and software. The list includes big names such as Cisco, Asus, AT&T, Comcast, Siemens, Dell, Linksys, Qualcomm, Motorola, and IBM, just to mention but a few. Whether and to what extent devices are affected depends on how they use dnsmasq.

 

DNSpooq consists of seven vulnerabilities divided into two groups – three that could allow DNS cache poisoning attacks and four buffer overflow vulnerabilities, one of which could lead to remote code execution and device takeover.

 

[Image: dnsmasq.png]

 

“The impact of DNS cache poisoning of the routing equipment DNS forwarding server can potentially lead to different kinds of fraud if users believe they are browsing to one website but are actually routed to another,” the researchers said. They went on to add that each device susceptible to DNS cache poisoning might also be taken over by an attacker.

 

While on their own the security bugs present a limited risk, once chained and combined they could also be used to conduct Distributed Denial-of-Service (DDoS) attacks as well as wormable attacks that could spread malware between devices and networks.

 

Researchers disclosed the vulnerabilities in August 2020 and went public with their discovery after the embargo ended this month. While highlighting a number of workarounds in its technical whitepaper to DNSpooq, JSOF advised everybody to apply the best “antidote” – update to dnsmasq version 2.83. In the meantime, multiple vendors have released their respective advisories, mitigations, workarounds and patches, which are now neatly listed on the website of the CERT Coordination Center at Carnegie Mellon University. The Cybersecurity and Infrastructure Security Agency (CISA) also had some advice to share for organizations that use vulnerable products.

 

In June 2020, JSOF discovered and disclosed 19 security vulnerabilities that were collectively dubbed Ripple20 and were found to affect a popular TCP/IP software library used by millions of connected devices.

 

 

Source: DNSpooq bugs expose millions of devices to DNS cache poisoning
