DNSpooq Flaws Allow DNS Hijacking of Millions of Devices


Seven flaws in open-source software Dnsmasq could allow DNS cache poisoning attacks and remote code execution.

Researchers have uncovered a set of flaws in dnsmasq, popular open-source software used for caching Domain Name System (DNS) responses for home and commercial routers and servers.

The set of seven flaws are comprised of buffer overflow issues and flaws allowing for DNS cache-poisoning attacks (also known as DNS spoofing). If exploited, these flaws could be chained together to allow remote code execution, denial of service and other attacks.

Researchers have labeled the set of vulnerabilities “DNSpooq,” a combination of DNS spoofing, the concept of “a spook spying on internet traffic,” and the “q” at the end of dnsmasq.

Supply-Chain Security: A 10-Point Audit

Click to Register – New Browser Tab Opens

“DNSpooq is a series of vulnerabilities found in the ubiquitous open-source software dnsmasq, demonstrating that DNS is still insecure, 13 years after the last major attack was described,” said researchers with the JSOF research lab, in a recent analysis.

Dnsmasq is installed on many home and commercial routers and servers in many organizations. The software’s storing of responses to previously asked DNS queries locally speeds up the DNS resolution process; however it has many other uses as well, including providing DNS services to support Wi-Fi hot-spots, enterprise guest networks, virtualization and ad blocking.

Researchers have identified at least 40 vendors who utilize dnsmasq in their products, including Cisco routers, Android phones, Aruba devices, Technicolor and Red Hat, as well as Siemens, Ubiquiti networks, Comcast and many others. In all, “millions” of devices are affected, they said.

DNS Cache Poisoning

Three of the flaws (CVE-2020-25686, CVE-2020-25684 and CVE-2020-25685) could enable DNS cache poisoning.

DNS cache poisoning is a type of attack that enables DNS queries to be subverted.  In a real-world situation, an attacker here could use unsolicited DNS responses to poison the DNS cache, convince unknowing internet browsers to a specially-crafted attacker-owned website, and then redirect them to malicious servers.

This could potentially lead to fraud and various other malicious attacks, if victims believe they are browsing to one website but are actually routed to another, said researchers. Other attacks could include phishing attacks or malware distribution.

“Traffic that might be subverted includes regular Internet browsing as well as other types of traffic, such as emails, SSH, remote desktop, RDP video and voice calls, software updates and so on,” said researchers.

Buffer Overflow

Researchers also shed light on four buffer-overflow vulnerabilities (CVE-2020-25687, CVE-2020-25683, CVE-2020-25682 and CVE-2020-25681) in dnsmasq. The memory-corruption flaws can be triggered by a remote attacker using crafted DNS responses. The attack can lead to denial of service, information exposure and potentially remote code execution.

While the majority of these flaws are heap-based buffer-overflow issues that could lead to denial of service, one of the flaws is a high-severity issue that could potentially enable remote code execution when dnsmasq is configured to use domain name system security extensions (DNSSEC), a set of protocols that add a layer of security to the domain name system.

“For the buffer overflows and remote-code execution, devices that don’t use the DNSSEC feature will be immune,” said researchers. “DNSSEC is a security feature meant to prevent cache poisoning attacks and so we would not recommend turning it off, but rather updating to the newest version of dnsmasq.”

Researchers said that the approximately 1 million dnsmasq servers openly visible on the internet (according to Shodan) make attacks launched via the internet “very simple,” and that there are several real-world scenarios that set up an attacker to exploit these flaws.

“This may be possible in some cases, (we believe rare), even if the forwarder is not open to the internet,” they said.

Also, if a dnsmasq server is only configured to listen to connections received from within an internal network – and an attacker gains a foothold on any device in that network – they would be able to perform the attack. Or, if a dnsmasq server is only configured to listen to connections received from within an internal network but the network is open (including an airport network or a corporate guest network) an attacker could perform the attack.

The Impact

The flaws have varying severity, with CVE-2020-25681 and CVE-2020-25682 being high severity. However, researchers said if these vulnerabilities were chained together they could lead to an array of multi-stage attacks.

“This is because exploiting some of the vulnerabilities makes it easier to exploit others,” said researchers. “For example, we found that combining CVE-2020-25682, CVE-2020-25684, and CVE-2020-25685 would result in CVE-2020-25682 having a lower attack complexity (with the same impact) and result in a combined CVSS of 9.8 according to our analysis.”

Researchers disclosed the flaws in August and publicly revealed them this month. These vulnerabilities are addressed in dnsmasq 2.83; users of internet-of-things (IoT) and embedded devices that use dnsmasq should contact their vendors for further information regarding updates.

“With the help of CERT/CC and volunteers from several companies, a working group was formed, combining the expertise and extended reach of members from JSOF, CERT/CC, Cisco, Google, Red Hat, Pi-hole and Simon Kelley, the maintainer of dnsmasq, to ensure that the DNSpooq vulnerabilities would be effectively fixed and well documented and communicated,” said researchers.

Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m.

Suggested articles