Vulnerability Watch

Forum Discussion

scaveza
Product Team
4 years ago


DNSpooq: Seven Vulnerabilities disclosed in dnsmasq

Researchers from the JSOF research lab disclosed seven vulnerabilities in dnsmasq, the lightweight DNS forwarder and DHCP server that is embedded in a large number of routers, IoT devices and Linux distributions. The JSOF team gave the seven flaws the moniker "DNSpooq", a play on words since the vulnerabilities can be used to spoof DNS answers and spy on network traffic. JSOF has released a whitepaper with in-depth details of the research that provides valuable insight into each of the seven CVEs.

The seven vulnerabilities fall into two classes: DNS cache poisoning and buffer overflow. On its own, each flaw is relatively low impact, but they become a force multiplier when chained together. CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686 are DNS cache poisoning vulnerabilities: an attacker can inject a forged DNS record into the resolver's cache, so that every client using that resolver is directed to an attacker-controlled server for the poisoned name. This kind of attack can be abused to re-route traffic for HTTP, SSH, Remote Desktop Protocol and other services.

The remaining four CVEs, CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687, are buffer overflow vulnerabilities in dnsmasq's DNSSEC validation code, so they are only reachable on instances that have DNSSEC enabled. While a buffer overflow can in some cases lead to remote code execution (RCE), the more likely outcome with these flaws is a denial of service (DoS) that crashes the dnsmasq process.

In their research the JSOF team outlines several possible attack scenarios, including hypothetical situations in which these flaws could be abused by attackers. While some of the scenarios can be mitigated by specific configurations, the recommended course of action is to upgrade dnsmasq to version 2.83 or later. JSOF also noted that they worked with CERT/CC and other entities to contact over 40 vendors that may ship dnsmasq in their software or hardware. A list of these vendors, and which of them have responded, can be found in the advisory from the CERT Coordination Center.
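As an added example (not code from the original post, JSOF or the dnsmasq project), the following script turns the "upgrade to 2.83 or later" recommendation into a check you can run across a fleet: it parses the banner printed by `dnsmasq --version` and classifies the build as patched or not. The sample banners are constructed for this example; the function and constant names are this example's own, and the decision to treat pre-release builds of 2.83 (for example `2.83rc2`) as unpatched is a conservative assumption made here, not a statement from JSOF.

```python
import re
import subprocess
from typing import Optional, Tuple

# First dnsmasq release that fixes all seven DNSpooq CVEs (CVE-2020-25681..25687).
FIXED_VERSION = (2, 83)

# Matches the first line printed by `dnsmasq --version`, e.g.
#   "Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley"
# Group 3 captures an optional pre-release suffix such as "rc1" or "test3".
_BANNER_RE = re.compile(r"Dnsmasq version (\d+)\.(\d+)([A-Za-z]\w*)?", re.IGNORECASE)


def parse_dnsmasq_version(banner: str) -> Optional[Tuple[int, int, str]]:
    """Return (major, minor, suffix) from a dnsmasq --version banner.

    suffix is '' for a release build, or e.g. 'rc2'/'test1' for a pre-release.
    Returns None if no version line is present.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), (m.group(3) or "")


def is_dnspooq_patched(banner: str) -> Optional[bool]:
    """True if the banner reports a release build of 2.83 or later, False if older.

    Assumption of this example: pre-release builds of the fixed version
    (e.g. 2.83rc2) are classified as unpatched, because the fixes landed
    across several test builds and the banner alone cannot tell which.
    Returns None if the banner cannot be parsed.
    """
    v = parse_dnsmasq_version(banner)
    if v is None:
        return None
    major, minor, suffix = v
    if (major, minor) > FIXED_VERSION:
        return True
    if (major, minor) == FIXED_VERSION:
        return suffix == ""
    return False


def check_local_dnsmasq() -> Optional[bool]:
    """Run the installed dnsmasq binary (assumed to be on PATH) and classify it."""
    try:
        proc = subprocess.run(["dnsmasq", "--version"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return is_dnspooq_patched(proc.stdout)


# Constructed sample banners: the line format is dnsmasq's, the versions are chosen
# for this example to cover old, fixed, newer, pre-release and unparseable output.
SAMPLE_BANNERS = {
    "old":        "Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley\n"
                  "Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6\n",
    "fixed":      "Dnsmasq version 2.83  Copyright (c) 2000-2021 Simon Kelley\n",
    "newer":      "Dnsmasq version 2.85  Copyright (c) 2000-2021 Simon Kelley\n",
    "prerelease": "Dnsmasq version 2.83rc2  Copyright (c) 2000-2021 Simon Kelley\n",
    "garbage":    "dnsmasq: command not found\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:10s} -> {is_dnspooq_patched(banner)}")
    print(f"{'local':10s} -> {check_local_dnsmasq()}")
```

Treat the result as a heuristic rather than a verdict: distribution packages that backport the fixes (Debian, Ubuntu, RHEL and others) keep the old upstream version string, so a banner of 2.80 may still be patched. For those systems confirm against the distribution's own advisory or package changelog rather than the version number alone.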

For more information about these seven vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.
