Recently, information about the identified 7 vulnerabilities in the Dnsmasq package, which combines a cached DNS resolver and a DHCP server, which were assigned the codename DNSpooq. The problems allow rogue DNS cache attacks or buffer overflows that could lead to remote execution of an attacker's code.
Even though recently Dnsmasq is no longer used by default as a solver in regular Linux distributions, it is still used in Android and specialized distributions such as OpenWrt and DD-WRT, as well as firmware for wireless routers from many manufacturers. In normal distributions, the implicit use of dnsmasq is possible, for example when using libvirt, it can be started to provide DNS service on virtual machines or it can be activated by changing the settings in the NetworkManager configurator.
Since the wireless router upgrade culture leaves a lot to be desired, Researchers fear identified problems may remain unsolved for a long time and will be involved in automated attacks on routers to gain control over them or to redirect users to rogue malicious sites.
There are approximately 40 companies based on Dnsmasq, including Cisco, Comcast, Netgear, Ubiquiti, Siemens, Arista, Technicolor, Aruba, Wind River, Asus, AT&T, D-Link, Huawei, Juniper, Motorola, Synology, Xiaomi, ZTE, and Zyxel. Users of such devices can be warned not to use the regular DNS query redirection service provided on them.
The first part of the vulnerabilities discovered in Dnsmasq refers to protection against DNS cache poisoning attacks, based on a method proposed in 2008 by Dan Kaminsky.
Identified issues make existing protection ineffective and allow spoofing the IP address of an arbitrary domain in the cache. Kaminsky's method manipulates the negligible size of the DNS query ID field, which is only 16 bits.
To find the correct identifier needed to spoof the hostname, just send about 7.000 requests and simulate about 140.000 bogus responses. The attack boils down to sending a large number of fake IP-bound packets to the DNS resolver with different DNS transaction identifiers.
Identified vulnerabilities reduce 32-bit entropy level expected to need to guess 19 bits, which makes a cache poisoning attack quite realistic. Additionally, dnsmasq's handling of CNAME records allows it to spoof the chain of CNAME records to efficiently spoof up to 9 DNS records at a time.
- CVE-2020-25684: lack of validation of the request ID in combination with IP address and port number when processing DNS responses from external servers. This behavior is incompatible with RFC-5452, which requires additional request attributes to be used when matching a response.
- CVE-2020-25686: Lack of validation of pending requests with the same name, allowing the use of the birthday method to significantly reduce the number of attempts required to falsify a response. In combination with the CVE-2020-25684 vulnerability, this feature can significantly reduce the complexity of the attack.
- CVE-2020-25685: use of unreliable CRC32 hashing algorithm when verifying responses, in case of compilation without DNSSEC (SHA-1 is used with DNSSEC). The vulnerability could be used to significantly reduce the number of attempts by allowing you to exploit domains that have the same CRC32 hash as the target domain.
- The second set of problems (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, and CVE-2020-25687) is caused by errors that cause buffer overflows when processing certain external data.
- For vulnerabilities CVE-2020-25681 and CVE-2020-25682, it is possible to create exploits that could lead to code execution on the system.
Finally it is mentioned that vulnerabilities are addressed in Dnsmasq 2.83 update and as a workaround, it is recommended to disable DNSSEC and query caching using command line options.