Security Advisory 2021-01-19-1 - dnsmasq multiple vulnerabilities
Petr Štetiar
ynezz at true.cz
Tue Jan 19 16:18:22 EST 2021
DESCRIPTION
Dnsmasq has two sets of vulnerabilities, one set of memory corruption issues
handling DNSSEC and a second set of issues validating DNS responses. These
vulnerabilities could allow an attacker to corrupt memory on the target device
and perform cache poisoning attacks against the target environment.
These vulnerabilities are also tracked as ICS-VU-668462 and referred to as
DNSpooq[1]. You can find the latest version of this advisory on our wiki[2].
JSOF reported multiple buffer overflow vulnerabilities in dnsmasq due to
boundary checking errors in DNSSEC handling code.
* CVE-2020-25681 A heap-based buffer overflow in dnsmasq in the way it sorts
RRSets before validating them with DNSSEC data.
* CVE-2020-25682 A buffer overflow vulnerability in the way dnsmasq extract
names from DNS packets before validating them with DNSSEC data.
* CVE-2020-25683 A heap-based buffer overflow in get_rdata subroutine of
dnsmasq, when DNSSEC is enabled and before it validates the received DNS
entries.
* CVE-2020-25687 A heap-based buffer overflow in sort_rrset subroutine of
dnsmasq, when DNSSEC is enabled and before it validates the received DNS
entries.
JSOF also reported vulnerabilities in DNS response validation.
* CVE-2020-25684 Dnsmasq does not validate the combination of address/port
and the query-id fields of DNS request when accepting DNS responses.
* CVE-2020-25685 Dnsmasq uses a weak hashing algorithm (CRC32) when compiled
without DNSSEC to validate DNS responses.
* CVE-2020-25686 Dnsmasq does not check for an existing pending request for
the same name and forwards a new request thus allowing an attacker to do a
"Birthday Attack" scenario to forge replies and potentially poison the DNS
cache.
OpenWrt ships the following package variants of dnsmasq:
* dnsmasq
* dnsmasq-dhcpv6
* dnsmasq-full
CVE-2020-25684 and CVE-2020-25686 are affecting all dnsmasq package variants.
CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25685 and
CVE-2020-25687 are related to DNSSEC problems in dnsmasq and are only
affceting the dnsmasq-full package and not dnsmasq and dnsmasq-dhcpv6
variants.
REQUIREMENTS
The buffer overflow vulnerabilities can be triggered by a remote attacker
using crafted DNS responses that can lead to denial of service, information
exposure and potentially remote code execution. The DNS response validation
vulnerabilities allow an attacker to use unsolicited DNS responses to poison
the DNS cache resulting in redirection of users to malicious sites.
MITIGATIONS
1. Configuration based mitigation
Mitigation for DNS cache poisoning is disabling of caching:
uci set dhcp. at dnsmasq[0].cachesize='0'
Mitigation for DNSSEC vulnerability is disabling of DNSSEC feature:
uci set dhcp. at dnsmasq[0].dnssec='0'
Reduce the maximum of queries allowed to be forwarded from 150 to 50:
uci set dhcp. at dnsmasq[0].dnsforwardmax='50'
Then you should commit changes and restart dnsmasq:
uci commit dhcp
/etc/init.d/dnsmasq restart
2. Package upgrade
You need to update the affected dnsmasq package variant you're using with the
command below.
opkg update; opkg upgrade $(opkg list-installed dnsmasq* | cut -d' ' -f1)
Then verify, that you're running fixed version.
opkg list-installed dnsmasq*
The above command should output following:
dnsmasq - 2.80-16.2 - for stable 19.07 release
dnsmasq - 2.83-1 - for master/snapshot
The fix is contained in the following and later versions:
* OpenWrt master: 2021-01-19 reboot-15541-ge87c0d934c54
* OpenWrt 19.07: 2021-01-19 v19.07.6-0-gb12284a14ce9
AFFECTED VERSIONS
To our knowledge, OpenWrt version 19.07.0 to 19.07.5 are affected. The fixed
packages will be integrated in the upcoming OpenWrt 19.07.6 release. Older
versions of OpenWrt (e.g. OpenWrt 18.06, OpenWrt 15.05 and LEDE 17.01) are end
of life and not supported any more.
CREDITS
Moshe Kol and Shlomi Oberman of JSOF researched and reported these
vulnerabilities. Simon Kelley (author of dnsmasq) worked closely with
collaborative vendors (Cisco, Comcast, Google, Pi-Hole, Redhat) to develop
patches to address these security vulnerabilities. GitHub also supported these
collaboration efforts providing support to use their GitHub Security Advisory
platform for collaboration.
Parts of this document were written by Vijay Sarvepalli (CERT/CC).
REFERENCES
1. https://www.jsof-tech.com/disclosures/dnspooq/
2. https://openwrt.org/advisory/2021-01-19-1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.openwrt.org/pipermail/openwrt-announce/attachments/20210119/383a26a9/attachment.sig>
More information about the openwrt-announce
mailing list