DNSpooq Vulnerabilities

Researchers have disclosed multiple vulnerabilities, collectively dubbed DNSpooq, that could allow attackers to conduct DNS cache poisoning and remote code execution (RCE) attacks (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687).

Overview

DNSpooq Vulnerabilities: Multiple vulnerabilities that could result in DNS cache poisoning and Remote Code Execution (RCE) have been discovered by researchers. The vulnerabilities reside in dnsmasq, a popular DNS forwarder shipped in millions of devices.

The vulnerabilities were disclosed by researchers from the Israeli security company JSOF, who named them collectively DNSpooq and published the technical details on the company's official website.

Background

As one of the fundamental protocols of the Internet, the Domain Name System (DNS) translates human-memorable host names (such as the ones in website URLs) into numeric Internet Protocol (IP) addresses.

Dnsmasq (short for DNS masquerade) is a popular, lightweight caching DNS forwarder that also bundles DHCP (Dynamic Host Configuration Protocol), TFTP (Trivial File Transfer Protocol) and router advertisement functionality. Because of its low resource requirements it is especially common in the firmware of home routers and IoT (Internet of Things) devices, where it typically sits between the LAN clients and an upstream resolver.

Description

A total of 7 vulnerabilities in dnsmasq have been disclosed. Three of them (CVE-2020-25684, CVE-2020-25685, CVE-2020-25686) weaken the checks dnsmasq uses to match an upstream reply to the query it forwarded, and could allow an attacker to conduct DNS cache poisoning attacks (forging DNS replies). The other four (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687) are buffer overflows in dnsmasq's DNSSEC validation code, so they are reachable only on builds that have DNSSEC compiled in and enabled; the two rated highest (CVE-2020-25681, CVE-2020-25682) could lead to RCE, while CVE-2020-25683 and CVE-2020-25687 are rated for denial of service.

More than 40 vendors are thought to be affected by these vulnerabilities. AT&T, Cisco, Comcast, D-Link, Dell, Huawei, IBM, Juniper, Linksys, Motorola, Netgear, Qualcomm, Raspberry Pi, Siemens, Xiaomi, ZTE and Zyxel are among the better-known names on the list.

Impact

Successful exploitation of CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686 could allow an attacker to forge DNS responses that dnsmasq accepts and caches; every client that queries the poisoned resolver is then directed to IP addresses of the attacker's choosing. Each of the three issues removes part of the entropy a forwarder relies on to tie an incoming reply to the query it sent (the source address/port check, the strength of the name comparison, and the handling of several identical outstanding queries), so an attacker needs far fewer spoofed packets than against a correctly implemented forwarder.

Impact Summary CVE-2020-25684

Category: Spoofing (DNS Poisoning)
CVSS 3.1 Base Score: 3.7 Low
CVSS 3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N


Impact Summary CVE-2020-25685

Category: Spoofing (DNS Poisoning)
CVSS 3.1 Base Score: 3.7 Low
CVSS 3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N


Impact Summary CVE-2020-25686

Category: Spoofing (DNS Poisoning)
CVSS 3.1 Base Score: 3.7 Low
CVSS 3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
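The following is an added example, not code from dnsmasq or from JSOF, that models the reply-matching decision behind the three cache-poisoning issues above. The "weak" matcher is a deliberate simplification of the flaws described (transaction ID plus a 32-bit CRC of the name, with the reply's source address/port and destination port ignored, and several identical queries outstanding at once); the "strict" matcher shows what a hardened forwarder checks. All addresses, ports, transaction IDs and packets are constructed for the demonstration.

```python
import struct
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Pending:
    """A query the forwarder has sent upstream and is still waiting on."""
    txid: int
    src_port: int      # ephemeral UDP port the forwarder sent from
    upstream: tuple    # (ip, port) the query was sent to
    qname: str
    qtype: int


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_reply(txid, qname, answer_ip, qtype=1, ttl=300):
    """Minimal DNS response with one question and one A record (constructed)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(o) for o in answer_ip.split("."))
    # 0xC00C is a compression pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_question(packet):
    """Return (txid, qname, qtype) from the header and the first question."""
    txid = struct.unpack("!H", packet[:2])[0]
    labels, pos = [], 12
    while packet[pos] != 0:
        ln = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    qtype = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
    return txid, ".".join(labels), qtype


def weak_match(pending, reply, src, dst_port):
    """Simplified model of the weaknesses described above: the reply is tied
    to a pending query by transaction ID plus a 32-bit CRC of the name; the
    reply's source address/port and destination port are not consulted."""
    txid, qname, _ = parse_question(reply)
    want = zlib.crc32(qname.lower().encode())
    for p in pending:
        if p.txid == txid and zlib.crc32(p.qname.lower().encode()) == want:
            return p
    return None


def strict_match(pending, reply, src, dst_port):
    """Hardened check: txid, upstream address:port, the forwarder's own source
    port and the full question (name and type) must all agree."""
    txid, qname, qtype = parse_question(reply)
    for p in pending:
        if (p.txid == txid and p.upstream == src and p.src_port == dst_port
                and p.qname.lower() == qname.lower() and p.qtype == qtype):
            return p
    return None


def spoof_success_probability(n_identical_pending, strict):
    """Per-packet chance that a blind attacker's guess is accepted.
    Weak: only the 16-bit txid has to hit one of n outstanding identical
    queries (more concurrent duplicates, easier attack). Strict: the 16-bit
    txid and the 16-bit source port must both be right."""
    if strict:
        return 1 / 2 ** 32
    return min(1.0, n_identical_pending / 2 ** 16)


def demo():
    """Three clients asked for the same name at once and all three queries
    were forwarded. The attacker spoofs the upstream's address, guesses one
    txid correctly, but cannot know which ephemeral port to hit."""
    upstream = ("192.0.2.53", 53)                      # constructed addresses
    pending = [Pending(0x1A2B, 40001, upstream, "bank.example", 1),
               Pending(0x3C4D, 40002, upstream, "bank.example", 1),
               Pending(0x5E6F, 40003, upstream, "bank.example", 1)]
    spoofed = build_reply(0x3C4D, "bank.example", "203.0.113.66")
    weak = weak_match(pending, spoofed, src=upstream, dst_port=40001)
    strict = strict_match(pending, spoofed, src=upstream, dst_port=40001)
    return weak is not None, strict is not None          # (True, False)


if __name__ == "__main__":
    print("weak accepted, strict accepted:", demo())
```

The spoofed reply lands on port 40001 with a transaction ID that belongs to the query sent from port 40002; the weak matcher still accepts it because only the ID and name hash are compared, whereas the strict matcher rejects it. `spoof_success_probability` puts numbers on the difference: with three identical queries outstanding the weak check accepts a random guess with probability 3/65536 per packet, the strict check with 1/2^32.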

CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687 are buffer overflows in dnsmasq's DNSSEC validation code, so they only affect builds with DNSSEC compiled in and enabled. Successful exploitation of the two rated High (CVE-2020-25681, CVE-2020-25682) could allow Remote Code Execution (RCE) on the device running dnsmasq; the two rated Medium (CVE-2020-25683, CVE-2020-25687) carry an availability impact only in their CVSS vectors, i.e. a crash of the DNS service.

Impact Summary CVE-2020-25681

Category: Remote Code Execution (RCE)
CVSS 3.1 Base Score: 8.1 High
CVSS 3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H


Impact Summary CVE-2020-25682

Category: Remote Code Execution (RCE)
CVSS 3.1 Base Score: 8.1 High
CVSS 3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H


Impact Summary CVE-2020-25683

Category: Buffer Overflow (Denial of Service)
CVSS 3.1 Base Score: 5.9 Medium
CVSS 3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H


Impact Summary CVE-2020-25687

Category: Buffer Overflow (Denial of Service)
CVSS 3.1 Base Score: 5.9 Medium
CVSS 3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Solution (Update)

To remediate the DNSpooq vulnerabilities, dnsmasq needs to be upgraded to version 2.83 or later. Note that, since dnsmasq comes bundled with the firmware of many IoT and router devices, a full firmware update from the vendor will be required on most of them. Where an upgrade is not immediately available, the exposure can be reduced: do not let dnsmasq listen on WAN-facing interfaces (interface= or listen-address= in dnsmasq.conf), lower the number of queries it will forward concurrently (dns-forward-max=), and, because the four overflow bugs are in the DNSSEC validation path, temporarily disable DNSSEC validation until the patched build is installed.
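The following added check (not part of dnsmasq or of the JSOF advisory) parses the two header lines that `dnsmasq --version` prints, compares the version against the fixed release 2.83, and reads a dnsmasq.conf excerpt to decide which of the two bug classes the build is actually exposed to. The sample version output and configuration are constructed; treating pre-release 2.83 builds (rc/test suffixes) as unfixed is a conservative assumption of this script, and `assess_installed` is a convenience wrapper that runs the local binary if one is present.

```python
import re
import shutil
import subprocess

FIXED_VERSION = (2, 83)

# Constructed sample of `dnsmasq --version` output from a pre-fix build
# (real builds print these two lines; the option list varies per build).
SAMPLE_VERSION_OUTPUT = """\
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile
"""

# Constructed dnsmasq.conf excerpt: DNSSEC validation switched on and no
# interface restriction, i.e. the settings this check flags.
SAMPLE_CONF = """\
# /etc/dnsmasq.conf (constructed sample)
dnssec
server=192.0.2.53
cache-size=10000
"""


def parse_version(output):
    """Return (major, minor, suffix); suffix is e.g. 'rc1' or 'test4' for a
    pre-release build and '' for a release."""
    m = re.search(r"Dnsmasq version (\d+)\.(\d+)([A-Za-z]\S*)?", output)
    if not m:
        raise ValueError("no dnsmasq version line found")
    return int(m.group(1)), int(m.group(2)), m.group(3) or ""


def compiled_with_dnssec(output):
    """True when the option list contains DNSSEC (a build without it prints no-DNSSEC)."""
    m = re.search(r"^Compile time options:(.*)$", output, re.MULTILINE)
    opts = m.group(1).split() if m else []
    return "DNSSEC" in opts


def conf_options(conf_text):
    """Names of the uncommented options in a dnsmasq.conf body."""
    names = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split("=", 1)[0])
    return names


def assess(version_output, conf_text):
    """Summarise the DNSpooq exposure of one build/config pair."""
    major, minor, suffix = parse_version(version_output)
    # pre-release 2.83 builds are treated as unfixed (conservative assumption)
    affected = (major, minor) < FIXED_VERSION or (
        (major, minor) == FIXED_VERSION and bool(suffix))
    opts = conf_options(conf_text)
    dnssec_on = compiled_with_dnssec(version_output) and "dnssec" in opts
    return {
        "version": f"{major}.{minor}{suffix}",
        "affected": affected,
        "cache_poisoning": affected,
        # the four overflows live in DNSSEC validation, so they need DNSSEC
        # both compiled in and switched on in the configuration
        "buffer_overflow": affected and dnssec_on,
        # nothing restricting where dnsmasq answers: interface=,
        # listen-address= or local-service are all absent
        "unrestricted_listening": not (
            opts & {"interface", "listen-address", "local-service"}),
    }


def assess_installed(conf_path="/etc/dnsmasq.conf"):
    """Assess the local binary and config, if present (not used by the tests)."""
    path = shutil.which("dnsmasq")
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True, text=True).stdout
    try:
        with open(conf_path) as fh:
            conf = fh.read()
    except OSError:
        conf = ""
    return assess(out, conf)


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_CONF))
```

For the constructed sample the result is version 2.80, affected by both the cache-poisoning and the overflow bugs, and listening without restriction; the same build with `dnssec` commented out would still be exposed to cache poisoning but not to the overflows, which is why the script reports the two classes separately.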

Quote by Window Snyder

One single vulnerability is all an attacker needs.

Window Snyder


References to Advisories, Solutions and Tools

To learn more about DNS-based attacks, see also our article Is DNS Cache Poisoning Back with SAD DNS Attack?