Vulnerabilities in Dnsmasq allow the "DNS cache poisoning" attack

Specialists at the Israeli information security company JSOF have discovered a number of vulnerabilities in the popular Dnsmasq software that allow DNS cache poisoning attacks and remote execution of arbitrary code.

Dnsmasq (short for DNS masquerade) is a lightweight, open-source program for caching DNS responses. Using the DNS forwarding feature, it caches DNS records locally, thereby reducing the load on the upstream DNS servers and improving performance. According to JSOF, as of September 2020, there were about 1 million vulnerable Dnsmasq installations on Android devices, routers, and other network devices from Cisco, Aruba, Technicolor, Red Hat, Siemens, Ubiquiti, and Comcast.

In total, the researchers identified seven vulnerabilities in the Dnsmasq software, combined under the name DNSpooq.

"We found that Dnsmasq is vulnerable to DNS cache poisoning attacks, which can be carried out by an attacker who is out of the way (that is, an attacker who cannot see the connection between the redirecting DNS server and the (higher-ed.) DNS server). Our attack allows you to poison many domain names at once at the same time and is the result of several vulnerabilities we discovered. The attack can be successfully executed in a few seconds or minutes and does not require any special conditions. We also found that many Dnsmasq installations are incorrectly configured and listen to the WAN interface, which allows the attack to be carried out directly from the Internet," the researchers reported.

The DNS cache poisoning attacks described by JSOF experts are very similar to the SAD DNS attack. They use vulnerabilities CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686, which affect Dnsmasq versions 2.78 through 2.82.

The other four problems discovered by the researchers are buffer overflow vulnerabilities that allow remote execution of arbitrary code on a vulnerable device.

"The vulnerabilities themselves pose a limited risk, but can become much more dangerous if they are combined with cache poisoning vulnerabilities to carry out a powerful attack that allows remote code execution," the researchers explained.

To make matters worse, the vulnerabilities can be chained with other network attacks, such as SAD DNS and NAT Slipstreaming, to mount multi-stage attacks on Dnsmasq resolvers listening on port 53. Even installations configured to listen only for connections from the internal network are at risk if malicious code is delivered through web browsers or other infected devices on the same network.

All vulnerabilities have been fixed in Dnsmasq version 2.83, and users are strongly advised to install it to avoid possible cyber attacks.
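A first-pass audit for the two conditions the article names, a release older than 2.83 and a resolver that serves the WAN interface. This is an added example, not code from JSOF or the Dnsmasq project; the function names, the sample banner and config text, and the WAN interface name `eth0` are assumptions made for illustration.

```python
import re

FIXED = (2, 83)  # release the article names as containing all DNSpooq fixes

def parse_version(banner):
    """Return (major, minor) from `dnsmasq --version` output, or None."""
    m = re.search(r"version\s+\S*?(\d+)\.(\d+)", banner, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_conf(conf_text):
    """Collect interface=, except-interface= and listen-address= values."""
    opts = {"interface": set(), "except-interface": set(), "listen-address": set()}
    for raw in conf_text.splitlines():
        key, _, val = raw.split("#", 1)[0].partition("=")
        if key.strip() in opts:
            opts[key.strip()].update(v.strip() for v in val.split(",") if v.strip())
    return opts

def audit(banner, conf_text, wan_if):
    """List findings; empty means neither check fired (firewall rules not considered)."""
    findings = []
    ver = parse_version(banner)
    if ver is None:
        findings.append("version: could not parse banner")
    elif ver < FIXED:
        # Distribution packages may backport fixes without changing this number.
        findings.append("version: %d.%d is older than 2.83" % ver)
    opts = parse_conf(conf_text)
    if wan_if in opts["except-interface"]:
        return findings  # except-interface overrides interface=
    if wan_if in opts["interface"]:
        findings.append("exposure: interface=%s serves DNS on the WAN side" % wan_if)
    elif not opts["interface"] and not opts["listen-address"]:
        # With no binding options at all, dnsmasq answers on every interface.
        findings.append("exposure: no interface=/listen-address= limit, all interfaces served")
    return findings

# Constructed sample inputs (not taken from any real device).
BANNER_OLD = "Dnsmasq version 2.80  Copyright (c) ..."
CONF_OPEN = "# constructed\ndomain-needed\ncache-size=1000\n"
CONF_LAN = "interface=br-lan\nexcept-interface=eth0  # WAN\n"

if __name__ == "__main__":
    for finding in audit(BANNER_OLD, CONF_OPEN, wan_if="eth0"):
        print(finding)
```

A `listen-address=` entry is not matched against the WAN address here, so a config that binds by address still needs a manual look.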