DNSpooq Flaws Expose Millions of Devices to DNS Cache Poisoning, Other Attacks
Researchers at Israel-based boutique cybersecurity consultancy JSOF this week disclosed the details of seven potentially serious DNS-related vulnerabilities that could expose millions of devices to various types of attacks.
The vulnerabilities, collectively tracked as DNSpooq, impact Dnsmasq, a widely used piece of open source software designed to provide DNS, DHCP, router advertisement and network boot capabilities for small networks. Its DNS subsystem “provides a local DNS server for the network, with forwarding of all query types to upstream recursive DNS servers and caching of common record types.”
The software is mainly written and maintained by Simon Kelley, who has informed users about the availability of patches. The vulnerability disclosure process began in August 2020 and several impacted vendors told customers that they are working on address the issues.
There are two types of DNSpooq vulnerabilities: buffer overflow bugs that can lead to remote code execution and DoS attacks (tracked as CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687); and DNS response validation issues that can be exploited for DNS cache poisoning (tracked as CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686).
The buffer overflow bugs, JSOF said, pose a limited risk on their own, but they can be highly useful if combined with the flaws that allow cache poisoning.
Launching a DNS cache poisoning attack against a device can allow an attacker to redirect users to arbitrary websites, and intercept traffic associated with email, SSH, remote desktop, communications and other types of systems. An attacker could also take complete control of a targeted device using the DNSpooq vulnerabilities.
“Combining the vulnerabilities found by JSOF with other recently-disclosed network attacks could potentially lead to much easier and more widespread attack possibilities, an area of research which can be explored further,” JSOF said. “This includes vulnerabilities such as NAT-slipstreaming, found by Samy Kamkar, SAD DNS, found by researchers at University of California Riverside, and the lack of destination-side source address validation as found by researchers at Brigham Young University, as well as other academic research on DNS.”
According to JSOF, malicious actors could easily exploit the DNSpooq vulnerabilities directly from the internet as there are roughly one million Dnsmasq servers exposed to the web. The flaws can also be exploited by an attacker who is on the same network as the targeted system, or through web browsers. However, JSOF noted that browser-based attacks are not easy to conduct and they only work against some browsers — exploitation has been confirmed to work against Safari on an iPhone, but it does not appear to work against Chrome.
Red Hat explained that DNS cache poisoning attacks can be conducted against clients that use Dnsmasq as a DNS server, and involves providing them incorrect name resolutions for poisoned entries. Exploitation of the memory corruption bugs involves “the collaboration of a dnsmasq client or other ways to make a client start a series of DNS queries to dnsmasq for an attacker-controlled domain.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory to warn organizations about the risks posed by the DNSpooq vulnerabilities.
An advisory issued on Tuesday by the CERT Coordination Center at Carnegie Mellon University lists hundreds of vendors that may be impacted, and over a dozen companies have confirmed that — at least to some extent — their products are affected.
Sophos has published an advisory informing customers that the vulnerabilities only appear to impact its Sophos Remote Ethernet Device (RED) appliance.
Cisco has released a long list of products impacted by the security flaws and says it’s working on developing patches. The networking giant noted that none of its products are affected by the memory corruption bugs that can lead to remote code execution and DoS attacks.
Siemens, on the other hand, says its SCALANCE and RUGGEDCOM industrial devices are impacted only by the three security holes that can be exploited for DNS cache poisoning. The German industrial giant is working on patches and, in the meantime, it has shared some workarounds and mitigations.
The OpenWrt Project, the developer of the popular Linux operating system for embedded devices, also issued an advisory, telling users that OpenWrt versions 19.07.0 through 19.07.5 are affected. Fixes will be included in the upcoming 19.07.6 release.
Red Hat says the vulnerabilities impact Red Hat Enterprise Linux 8 (non-default configuration), as well as Enterprise Linux 6, 7 and 8. Red Hat OpenStack Platform 10 and 13, and Red Hat Virtualization 4.3 and 4.4 may also be affected.