Security Advisory 2021-01-19-1 - dnsmasq multiple vulnerabilities
Petr Štetiar
ynezz at true.cz
Tue Jan 19 16:14:31 EST 2021
DESCRIPTION
Dnsmasq has two sets of vulnerabilities, one set of memory corruption issues
handling DNSSEC and a second set of issues validating DNS responses. These
vulnerabilities could allow an attacker to corrupt memory on the target device
and perform cache poisoning attacks against the target environment.
These vulnerabilities are also tracked as ICS-VU-668462 and referred to as
DNSpooq[1]. You can find the latest version of this advisory on our wiki[2].
JSOF reported multiple buffer overflow vulnerabilities in dnsmasq due to
boundary checking errors in DNSSEC handling code.
* CVE-2020-25681 A heap-based buffer overflow in dnsmasq in the way it sorts
RRSets before validating them with DNSSEC data.
* CVE-2020-25682 A buffer overflow vulnerability in the way dnsmasq extracts
names from DNS packets before validating them with DNSSEC data.
* CVE-2020-25683 A heap-based buffer overflow in get_rdata subroutine of
dnsmasq, when DNSSEC is enabled and before it validates the received DNS
entries.
* CVE-2020-25687 A heap-based buffer overflow in sort_rrset subroutine of
dnsmasq, when DNSSEC is enabled and before it validates the received DNS
entries.
JSOF also reported vulnerabilities in DNS response validation.
* CVE-2020-25684 Dnsmasq does not validate the combination of address/port
and the query-id fields of DNS request when accepting DNS responses.
* CVE-2020-25685 Dnsmasq uses a weak hashing algorithm (CRC32) when compiled
without DNSSEC to validate DNS responses.
* CVE-2020-25686 Dnsmasq does not check for an existing pending request for
the same name and forwards a new request thus allowing an attacker to do a
"Birthday Attack" scenario to forge replies and potentially poison the DNS
cache.
OpenWrt ships the following package variants of dnsmasq:
* dnsmasq
* dnsmasq-dhcpv6
* dnsmasq-full
CVE-2020-25684 and CVE-2020-25686 affect all dnsmasq package variants.
CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25685 and
CVE-2020-25687 are related to DNSSEC problems in dnsmasq and only affect the
dnsmasq-full package, not the dnsmasq and dnsmasq-dhcpv6 variants.
REQUIREMENTS
The buffer overflow vulnerabilities can be triggered by a remote attacker
using crafted DNS responses that can lead to denial of service, information
exposure and potentially remote code execution. The DNS response validation
vulnerabilities allow an attacker to use unsolicited DNS responses to poison
the DNS cache resulting in redirection of users to malicious sites.
MITIGATIONS
1. Configuration based mitigation
The mitigation for DNS cache poisoning is to disable caching:
uci set dhcp.@dnsmasq[0].cachesize='0'
The mitigation for the DNSSEC vulnerabilities is to disable the DNSSEC feature:
uci set dhcp.@dnsmasq[0].dnssec='0'
Reduce the maximum number of queries allowed to be forwarded from 150 to 50:
uci set dhcp.@dnsmasq[0].dnsforwardmax='50'
Then you should commit changes and restart dnsmasq:
uci commit dhcp
/etc/init.d/dnsmasq restart
2. Package upgrade
You need to update the affected dnsmasq package variant you're using with the
command below.
opkg update; opkg upgrade $(opkg list-installed dnsmasq* | cut -d' ' -f1)
Then verify that you're running the fixed version:
opkg list-installed dnsmasq*
The above command should output the following:
dnsmasq - 2.80-16.2 - for stable 19.07 release
dnsmasq - 2.83-1 - for master/snapshot
The fix is contained in the following and later versions:
* OpenWrt master: 2021-01-19 reboot-15541-ge87c0d934c54
* OpenWrt 19.07: 2021-01-19 v19.07.6-0-gb12284a14ce9
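As an added example (not part of the advisory and not OpenWrt's own tooling), the following POSIX-sh audit helper checks both mitigation paths above offline: it parses `uci show dhcp` output for the three configuration mitigations and compares `opkg list-installed dnsmasq*` lines against the fixed versions listed for 19.07 and master. It assumes the `name - version` line format shown above and the `dhcp.@dnsmasq[0].<option>='<value>'` format that `uci show` prints; the sample inputs at the bottom are constructed, not real device output.

```shell
#!/bin/sh
# Added example: offline audit of the dnsmasq mitigations and package versions
# from this advisory. Inputs are passed as text so the functions run without
# uci/opkg; on a device you would feed "$(uci show dhcp)" and
# "$(opkg list-installed 'dnsmasq*')" instead of the constructed samples.

FIXED_19_07="2.80-16.2"   # fixed dnsmasq version for OpenWrt 19.07 (from the advisory)
FIXED_MASTER="2.83-1"     # fixed dnsmasq version for master/snapshot (from the advisory)

# version_ge A B: succeed (exit 0) if version A >= version B. Fields are split
# on '.' and '-' and compared numerically (2.80-16.2 -> 2 80 16 2); a missing
# trailing field counts as 0, so 2.80-16 < 2.80-16.2.
version_ge() {
    printf '%s %s\n' "$1" "$2" | awk '{
        na = split($1, a, /[.-]/); nb = split($2, b, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? a[i] + 0 : 0
            y = (i <= nb) ? b[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# check_dnsmasq_pkg LINE RELEASE: parse one "name - version" line from
# `opkg list-installed dnsmasq*` and print
# "<pkg> <version> fixed|vulnerable dnssec-cves=yes|no".
# Only dnsmasq-full contains the DNSSEC code paths (CVE-2020-25681, -25682,
# -25683, -25685, -25687); dnsmasq and dnsmasq-dhcpv6 are affected only by
# CVE-2020-25684 and CVE-2020-25686. Returns 2 for unrelated package lines.
check_dnsmasq_pkg() {
    line=$1
    release=$2
    pkg=${line%% - *}          # text before the first " - "
    ver=${line#* - }           # text after the first " - "
    case "$release" in
        19.07*) fixed=$FIXED_19_07 ;;
        *)      fixed=$FIXED_MASTER ;;
    esac
    case "$pkg" in
        dnsmasq-full)           dnssec=yes ;;
        dnsmasq|dnsmasq-dhcpv6) dnssec=no ;;
        *)                      return 2 ;;
    esac
    if version_ge "$ver" "$fixed"; then state=fixed; else state=vulnerable; fi
    printf '%s %s %s dnssec-cves=%s\n' "$pkg" "$ver" "$state" "$dnssec"
}

# uci_opt UCI_TEXT NAME: extract the value of dhcp.@dnsmasq[0].NAME from
# `uci show dhcp` output (empty if the option is not set).
uci_opt() {
    printf '%s\n' "$1" | sed -n "s/^dhcp\.@dnsmasq\[0\]\.$2='\([^']*\)'\$/\1/p"
}

# check_mitigations UCI_TEXT: report ok/missing for each of the three
# configuration mitigations. An absent option is reported as missing so the
# operator sets it explicitly, as the advisory instructs (dnsforwardmax in
# particular defaults to 150 when unset).
check_mitigations() {
    uci_text=$1
    cachesize=$(uci_opt "$uci_text" cachesize)
    dnssec=$(uci_opt "$uci_text" dnssec)
    fwdmax=$(uci_opt "$uci_text" dnsforwardmax)
    [ "$cachesize" = "0" ] && c=ok || c=missing
    [ "$dnssec" = "0" ] && d=ok || d=missing
    [ -n "$fwdmax" ] && [ "$fwdmax" -le 50 ] 2>/dev/null && f=ok || f=missing
    printf 'cachesize=0:%s dnssec=0:%s dnsforwardmax<=50:%s\n' "$c" "$d" "$f"
}

# Constructed samples (not captured from a real device) to exercise the checks.
SAMPLE_PKGS="dnsmasq - 2.80-16.1
dnsmasq-full - 2.80-16.2"
SAMPLE_UCI="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].cachesize='0'
dhcp.@dnsmasq[0].dnssec='1'
dhcp.@dnsmasq[0].dnsforwardmax='150'"

# audit: run both checks over the samples as if they came from a 19.07 device.
audit() {
    printf '%s\n' "$SAMPLE_PKGS" | while IFS= read -r l; do
        check_dnsmasq_pkg "$l" 19.07
    done
    check_mitigations "$SAMPLE_UCI"
}

audit
```

Running the script prints one verdict line per installed variant and one line for the configuration mitigations; a `vulnerable` verdict on any variant, or a `missing` mitigation while the package is still vulnerable, is the condition to act on.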
AFFECTED VERSIONS
To our knowledge, OpenWrt versions 19.07.0 to 19.07.5 are affected. The fixed
packages will be integrated in the upcoming OpenWrt 19.07.6 release. Older
versions of OpenWrt (e.g. OpenWrt 18.06, OpenWrt 15.05 and LEDE 17.01) are end
of life and no longer supported.
CREDITS
Moshe Kol and Shlomi Oberman of JSOF researched and reported these
vulnerabilities. Simon Kelley (author of dnsmasq) worked closely with
collaborative vendors (Cisco, Comcast, Google, Pi-Hole, Redhat) to develop
patches to address these security vulnerabilities. GitHub also supported these
collaboration efforts providing support to use their GitHub Security Advisory
platform for collaboration.
Parts of this document were written by Vijay Sarvepalli (CERT/CC).
REFERENCES
1. https://www.jsof-tech.com/disclosures/dnspooq/
2. https://openwrt.org/advisory/2021-01-19-1