Vulnerabilities in Dnsmasq Allow DNS Cache Poisoning Attack

Specialists at the Israeli information security company JSOF have discovered a number of vulnerabilities in the popular Dnsmasq software that allow DNS cache poisoning attacks and remote execution of arbitrary code.

Dnsmasq (short for DNS masquerade) is a lightweight open source DNS response caching program. With its DNS forwarding feature, it caches DNS records locally, thereby reducing the load on upstream DNS servers and improving performance. According to JSOF, as of September 2020 there were about 1 million vulnerable Dnsmasq installations on Android devices, routers and other network devices from Cisco, Aruba, Technicolor, Red Hat, Siemens, Ubiquiti, and Comcast.

In total, the researchers identified seven vulnerabilities in the Dnsmasq software, collectively known as DNSpooq.

“We found that Dnsmasq is vulnerable to DNS cache poisoning attacks that can be carried out by an out-of-path attacker (that is, an attacker who cannot see the connection between the forwarding DNS server and the (upstream) DNS server). Our attack allows multiple domain names to be poisoned at once and is the result of several vulnerabilities we discovered. The attack can be successfully completed in a few seconds or minutes and does not require special conditions. We also found that many Dnsmasq installations were misconfigured and listening on the WAN interface, allowing attacks to be launched directly from the Internet,” the researchers said.

The DNS cache poisoning attacks described by JSOF are very similar to the SAD DNS attack and rely on the vulnerabilities CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686, which affect Dnsmasq versions 2.78 through 2.82.

The other four issues identified by the researchers are buffer overflow vulnerabilities that allow arbitrary code to be remotely executed on a vulnerable device.

"The vulnerabilities themselves pose a limited risk, but they can become much more dangerous when combined with cache poisoning vulnerabilities to launch a powerful attack that allows remote code execution," the researchers explained.

To make matters worse, the vulnerabilities can be chained with other network attacks such as SAD DNS and NAT Slipstreaming to stage multi-stage attacks on Dnsmasq resolvers listening on port 53. Even installations configured to listen only for connections from the internal network are at risk if malicious code reaches them through web browsers or other infected devices on the same network.

All vulnerabilities have been fixed in Dnsmasq 2.83, and users are strongly encouraged to update to it to avoid possible cyber attacks.
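A defender's first two questions after reading the above are whether a given Dnsmasq build is older than the 2.83 fix (and inside the 2.78 to 2.82 range hit by the cache-poisoning CVEs) and whether its configuration restricts which interfaces it listens on, the misconfiguration JSOF called out. The following audit helper is an added example, not code from JSOF or the Dnsmasq project; it assumes the `Dnsmasq version X.Y` banner printed by `dnsmasq --version` and the real `interface=`, `listen-address=`, `except-interface=` and `local-service` options of dnsmasq.conf, and both inputs below are constructed samples.

```python
import re

# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION_OUTPUT = "Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley\n"
SAMPLE_CONF = """# dnsmasq.conf (constructed example)
domain-needed
bogus-priv
# no interface= / listen-address= line: dnsmasq answers on every interface
cache-size=1000
"""

FIXED_VERSION = (2, 83)                # DNSpooq fixes shipped in Dnsmasq 2.83
POISONING_RANGE = ((2, 78), (2, 82))   # CVE-2020-25684/25685/25686, per the article
SCOPING_OPTIONS = {"interface", "listen-address", "except-interface", "local-service"}


def parse_version(version_output):
    """Extract (major, minor) from the `dnsmasq --version` banner, or None."""
    m = re.search(r"Dnsmasq version (\d+)\.(\d+)", version_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def version_findings(version):
    """Return a list of findings for a (major, minor) tuple; empty means patched."""
    if version is None:
        return ["version banner not recognised"]
    findings = []
    if version < FIXED_VERSION:
        findings.append("older than 2.83: DNSpooq fixes missing, upgrade")
    if POISONING_RANGE[0] <= version <= POISONING_RANGE[1]:
        findings.append("in 2.78-2.82: affected by the cache-poisoning CVEs")
    return findings


def config_findings(conf_text):
    """Flag a config that never limits the interfaces dnsmasq serves on."""
    keys = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if line:
            keys.add(line.split("=", 1)[0])      # option name only
    if keys & SCOPING_OPTIONS:
        return []
    return ["no interface/listen-address restriction: may answer on the WAN side"]


def audit(version_output, conf_text):
    """Combine both checks into one report: a dict with a list per area."""
    return {"version": version_findings(parse_version(version_output)),
            "config": config_findings(conf_text)}
```

Run `audit(open_version_output, open_conf_text)` against the real `dnsmasq --version` output and `/etc/dnsmasq.conf` to get both lists; an empty dict value means that area passed.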
