Multiple Vulnerabilities in Dnsmasq

Published on 21 Jan 2021

Updated on 21 Jan 2021

Security researchers have discovered seven vulnerabilities in the dnsmasq software, collectively code-named "DNSpooq". Most of them are remotely exploitable on affected dnsmasq versions prior to 2.83. The vulnerabilities fall into two categories:


DNS Cache Poisoning Vulnerabilities

  • CVE-2020-25686 - dnsmasq versions prior to 2.83 issue multiple DNS queries for the same resource name (RRNAME), which allows remote attackers to spoof DNS traffic using a birthday attack (RFC 5452) that can lead to DNS cache poisoning
  • CVE-2020-25684 - The lack of proper address/port checks in the reply_query function of dnsmasq versions prior to 2.83 makes it easier for an off-path attacker to forge replies
  • CVE-2020-25685 - The lack of query resource name (RRNAME) checks in the reply_query function of dnsmasq versions prior to 2.83 allows remote attackers to spoof DNS traffic, which can lead to DNS cache poisoning

The first category of vulnerabilities reduces the entropy of the two identifiers that protect a query, the TXID (transaction ID) and the source port, making it easier for an attacker to guess a valid DNS reply with the correct combination of port and TXID. This allows attackers to place malicious entries in the DNS server's cache and redirect traffic to their own server instead of the legitimate one.
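As an added illustration, not code from dnsmasq, the checks a forwarding resolver should apply before accepting an upstream reply: the reply must come from the address and port the query was sent to, carry the same TXID, and ask the same question (RRNAME and type), which are the address/port and RRNAME checks listed above. PendingQuery, the message builder and the addresses are constructed sample data.

```python
import struct
from dataclasses import dataclass
@dataclass(frozen=True)
class PendingQuery:  # an outstanding upstream query: where it went, its TXID, what it asked
    txid: int
    server: tuple    # (ip, port) the query went to; the reply must come back from there
    qname: str
    qtype: int

def encode_name(name):  # wire-encode a domain name as length-prefixed labels
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_message(txid, qname, qtype, response=False):
    """Constructed minimal DNS message: header, one question, no records (sample data only)."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (txid, qname, qtype, qclass) from the header and first question of msg."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n == 0:
            off += 1
            break
        if n > 63:  # also rejects compression pointers; the question we sent had none
            raise ValueError("bad label length")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])  # struct.error if truncated
    return txid, ".".join(labels), qtype, qclass

def reply_matches(pending, reply, src):
    """Accept a reply only if its source, TXID and question all match the pending query."""
    if src != pending.server:  # address/port check (the check CVE-2020-25684 concerns)
        return False
    try:
        txid, qname, qtype, qclass = parse_question(reply)
    except (ValueError, struct.error):
        return False
    if txid != pending.txid:  # the identifier an off-path attacker has to guess
        return False
    # RRNAME/type check (the check CVE-2020-25685 concerns): same question we asked
    return qname == pending.qname.lower().rstrip(".") and qtype == pending.qtype and qclass == 1
```

A reply that fails any of these checks is dropped rather than cached, so an off-path sender has to match source port, TXID and question together.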


Buffer Overflow Vulnerabilities

  • CVE-2020-25687 - A missing length check in the extract_name function of dnsmasq versions prior to 2.83 allows remote attackers to trigger a large memcpy with a negative size in the sort_rrset function, which can lead to denial of service
  • CVE-2020-25683 - A missing length check in the extract_name function of dnsmasq versions prior to 2.83 allows remote attackers to trigger a large memcpy with a negative size in the get_rdata function, which can lead to denial of service
  • CVE-2020-25682 - A missing length check in the extract_name function of dnsmasq versions prior to 2.83 allows remote attackers to write arbitrary data into heap-allocated memory, resulting in code execution
  • CVE-2020-25681 - A missing length check in the sort_rrset function of dnsmasq versions prior to 2.83 allows remote attackers to write arbitrary data into heap-allocated memory, resulting in code execution

The second category of vulnerabilities requires DNSSEC to be enabled and can be triggered before the received DNS entries are validated, allowing an attacker to send crafted DNS replies that result in heap-based buffer overflows.

Administrators and users are advised to update dnsmasq to the latest version (2.83 or later).


More information is available at:

https://www.jsof-tech.com/disclosures/dnspooq/

https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq_Technical-Whitepaper.pdf

https://us-cert.cisa.gov/ics/advisories/icsa-21-019-01

http://www.thekelleys.org.uk/dnsmasq/doc.html