Researchers have found multiple vulnerabilities that allow DNS hijacking, which they collectively named DNSpooq. These vulnerabilities affect the popular DNS forwarder dnsmasq, thus leaving millions of websites vulnerable to cyber attack.
DNSpooq Vulnerabilities Discovered
Security researchers from the Israeli security firm JSOF have disclosed multiple vulnerabilities affecting the popular software dnsmasq. Dubbed “DNSpooq”, these vulnerabilities potentially affect numerous devices that use dnsmasq.
Dnsmasq is a lightweight piece of software offering DNS caching, a DHCP server, network boot, and other features needed for small networks. This versatility has made it a popular tool, commonly used in home routers and IoT devices, and it runs by default in many Linux distros.
As explained in the disclosure, the researchers found seven different bugs affecting this free, open-source software.
Exploiting three of these vulnerabilities (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685) could allow DNS cache poisoning attacks, in which an attacker abuses dnsmasq to redirect the DNS requests coming from an organization or device to a malicious destination.
The other four vulnerabilities (CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, CVE-2020-25681), identified as buffer overflow bugs, could lead to denial-of-service (DoS) and remote code execution attacks.
These vulnerabilities affect as many as 40 different vendors, including well-known names such as AT&T, Cisco, Comcast, Netgear, Google (Android), Qualcomm, Ubiquiti Networks, and Zyxel.
Remediation And Possible Mitigations
For complete protection against attacks through the DNSpooq vulnerabilities, the researchers advise upgrading to dnsmasq version 2.83 or above.
Otherwise, to help prevent attacks via the LAN, the following partial workarounds may help.
- Configure dnsmasq not to listen on WAN interfaces if that is unnecessary in your environment.
- Reduce the maximum number of queries allowed to be forwarded with the option --dns-forward-max=<queries>. The default is 150, but it can be lowered.
- Temporarily disable the DNSSEC validation option until you get a patch.
- Use protocols that provide transport security for DNS (such as DoT or DoH). This will mitigate DNSpooq but may have other security and privacy implications. Consider your own setup, security goals, and risks before doing this.
- Reducing the maximum size of EDNS messages will likely mitigate some of the vulnerabilities. This, however, has not been tested and goes against the recommendation of the relevant RFC, RFC 5625.
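As an added example (not part of the JSOF disclosure or the dnsmasq project), the following POSIX shell helper checks a dnsmasq version string and a dnsmasq.conf against the workarounds listed above. The sample configurations, file names and thresholds are constructed assumptions.

```shell
#!/bin/sh
# Added audit helper, not from the JSOF disclosure or the dnsmasq project.
# Checks a dnsmasq version string and a dnsmasq.conf against the workarounds
# above. Sample configs, file names and the thresholds are assumptions.

# Returns 0 (true) when the version is below 2.83, i.e. still unpatched.
version_below_283() {
    echo "$1" | awk -F. '{ exit !(($1 + 0) < 2 || (($1 + 0) == 2 && ($2 + 0) < 83)) }'
}

# Prints one finding per line for the given dnsmasq.conf; prints nothing when
# every listed workaround is in place. Comments and blank lines are ignored.
audit_dnsmasq_conf() {
    directives=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")

    # Listening scope: with none of these directives dnsmasq listens on every
    # interface, WAN included.
    echo "$directives" | grep -Eq '^(interface|except-interface|listen-address)=' \
        || echo "LISTEN: no interface/except-interface/listen-address restriction"

    # Forwarded-query limit: unset means the default of 150.
    fwd=$(echo "$directives" | sed -n 's/^dns-forward-max=//p' | tail -n 1)
    if [ -z "$fwd" ]; then
        echo "FORWARD-MAX: dns-forward-max not set (default 150)"
    elif [ "$fwd" -ge 150 ]; then
        echo "FORWARD-MAX: $fwd is not below the default of 150"
    fi

    # DNSSEC validation is enabled by a bare 'dnssec' line.
    echo "$directives" | grep -Eq '^dnssec[[:space:]]*$' \
        && echo "DNSSEC: validation enabled; disable until patched"

    # EDNS size: anything under the RFC 5625 size of 4096 is the untested workaround.
    edns=$(echo "$directives" | sed -n 's/^edns-packet-max=//p' | tail -n 1)
    [ -n "$edns" ] && [ "$edns" -lt 4096 ] \
        && echo "EDNS: edns-packet-max=$edns below 4096 (untested workaround)"
    return 0
}

# Constructed sample configurations, not taken from any real device.
WEAK_CONF=$(mktemp)
printf 'dnssec\ncache-size=1000\n' > "$WEAK_CONF"
HARDENED_CONF=$(mktemp)
printf 'interface=br-lan\nbind-interfaces\ndns-forward-max=50\ncache-size=1000\n' > "$HARDENED_CONF"

echo "weak config:";     audit_dnsmasq_conf "$WEAK_CONF"
echo "hardened config:"; audit_dnsmasq_conf "$HARDENED_CONF"
```

Point `audit_dnsmasq_conf` at the real /etc/dnsmasq.conf and feed `version_below_283` the output of `dnsmasq --version` to check a live host.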
Technical information about these vulnerabilities is available in a detailed white paper.