DNSpooq Security Vulnerabilities Alert

Recently, JSOF published a security advisory on dnsmasq, a widely used open-source DNS forwarder.

DNSpooq is the collective name JSOF gave to the dnsmasq vulnerabilities disclosed in this report: 2 high-risk, 2 medium-risk, and 3 low-risk vulnerabilities, seven in total.
They fall into two groups. The heap-based buffer overflows sit in the DNSSEC validation code and can crash the forwarder, disrupting DNS service. The three logic flaws weaken how dnsmasq matches replies to the queries it has forwarded, which lowers the work needed to poison its cache. The individual vulnerabilities are listed below.

Vulnerability Detail

  • CVE-2020-25681: Heap-based buffer overflow with arbitrary overwrite
  • CVE-2020-25682: Heap-based buffer overflow with null bytes
  • CVE-2020-25683 and CVE-2020-25687: Heap-based buffer overflow with large memcpy
  • CVE-2020-25684: Transaction ID (TXID) and source port decoupling
  • CVE-2020-25685: Weak identification of forwarded-request records (frec)
  • CVE-2020-25686: Multiple outstanding requests allowed for the same name

Affected versions

  • dnsmasq: < 2.83

Solution

Upgrade dnsmasq to version 2.83 or later, which contains the fix, using your distribution's package manager, then restart the dnsmasq service so the new binary is actually in use. Confirm the running version with dnsmasq --version.
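As an added example (not part of the JSOF advisory or the dnsmasq project), the following POSIX shell script parses the output of dnsmasq --version and reports whether the installed build predates the fix. The function names are our own; the script deliberately treats 2.83 pre-releases and unparseable version strings as affected, which is a conservative assumption rather than something the advisory states.

```shell
#!/bin/sh
# Added example, not from the JSOF advisory or the dnsmasq project:
# decide whether an installed dnsmasq predates the DNSpooq fix in 2.83.

# Extract "X.Y..." from the first line of `dnsmasq --version`, e.g.
# "Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley" -> "2.80".
parse_dnsmasq_version() {
    printf '%s\n' "$1" | sed -n 's/^Dnsmasq version \([^ ]*\).*$/\1/p' | head -n 1
}

# Exit status 0 if the version is affected (< 2.83, or a 2.83 pre-release),
# 1 if it carries the fix. Distro suffixes such as "2.80-1ubuntu1" are ignored.
dnspooq_vulnerable() {
    ver=${1%%-*}                      # drop packaging suffix after '-'
    major=${ver%%.*}                  # text before the first '.'
    rest=${ver#*.}                    # text after the first '.'
    minor=$(printf '%s' "$rest" | sed 's/^\([0-9]*\).*$/\1/')
    suffix=$(printf '%s' "$rest" | sed 's/^[0-9]*//')   # e.g. "rc1", ".1"
    # Unparseable input: assume affected (conservative choice).
    case "$major" in ''|*[!0-9]*) return 0 ;; esac
    case "$minor" in ''|*[!0-9]*) return 0 ;; esac
    [ "$major" -lt 2 ] && return 0
    [ "$major" -gt 2 ] && return 1
    [ "$minor" -lt 83 ] && return 0
    [ "$minor" -gt 83 ] && return 1
    # Exactly 2.83: pre-release suffixes (2.83rc1, 2.83test3) are treated as
    # affected; a bare "2.83" or a point release like "2.83.1" is fixed.
    case "$suffix" in ''|.*) return 1 ;; *) return 0 ;; esac
}

# Usage: run on the host and print a verdict for the installed binary.
if command -v dnsmasq >/dev/null 2>&1; then
    installed=$(parse_dnsmasq_version "$(dnsmasq --version 2>/dev/null)")
    if dnspooq_vulnerable "$installed"; then
        echo "dnsmasq ${installed:-unknown}: affected by DNSpooq, upgrade to 2.83 or later"
    else
        echo "dnsmasq $installed: includes the DNSpooq fix"
    fi
fi
```

Note that a patched distribution package may keep an older upstream version number while backporting the fix; check your vendor's advisory before trusting the version string alone.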

Temporary repair suggestions

• Configure dnsmasq not to listen on WAN interfaces if that is unnecessary in your environment (for example with interface= or except-interface= together with bind-interfaces), so that only hosts on your LAN can send it queries.

• Reduce the maximum number of queries dnsmasq will forward concurrently with the option --dns-forward-max=. The default is 150; lowering it leaves an attacker fewer outstanding transactions to guess against.

• Temporarily disable DNSSEC validation (the dnssec option) until the patch is installed. The heap overflows are reachable only when validation is enabled, but note that turning it off also removes the protection DNSSEC gives against forged answers.

• Use protocols that provide transport security for DNS (such as DoT or DoH) on the path between dnsmasq and its upstream resolver. This mitigates the DNSpooq cache-poisoning attacks, but may have other security and privacy implications. Consider your own setup, security goals, and risks before doing this.

• Reducing the maximum EDNS message size (--edns-packet-max=) will likely mitigate some of the vulnerabilities. This, however, has not been tested and goes against the recommendation of RFC 5625 (DNS Proxy Implementation Guidelines).
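The temporary mitigations above as an added example (not the advisory's or the dnsmasq project's own material): a POSIX shell script that writes the settings into a drop-in file, has dnsmasq syntax-check it, and warns if the main configuration still enables DNSSEC validation. The interface name (br-lan), the lowered limits, and the /etc/dnsmasq.conf path are assumptions to adapt to your own environment.

```shell
#!/bin/sh
# Added example, not from the JSOF advisory or the dnsmasq project.
# Emits a dnsmasq drop-in applying the temporary DNSpooq mitigations and
# checks whether DNSSEC validation is still enabled in the main config.

# Print a drop-in for the given LAN interface. The limits are assumptions:
# dns-forward-max defaults to 150 and edns-packet-max to 4096.
dnspooq_mitigation_conf() {
    lan_if="$1"
    max_fwd="${2:-50}"
    edns_max="${3:-1232}"
    cat <<EOF
# DNSpooq temporary mitigations; remove after upgrading to dnsmasq >= 2.83.
# Listen only on the LAN interface, never on the WAN side.
interface=$lan_if
bind-interfaces
# Fewer concurrent forwarded queries means fewer outstanding transactions
# for an attacker to guess against (default 150).
dns-forward-max=$max_fwd
# Smaller EDNS buffers: an untested mitigation per the advisory, and below
# the 4096 bytes that RFC 5625 recommends.
edns-packet-max=$edns_max
EOF
}

# Exit 0 if a config file turns on DNSSEC validation with a bare "dnssec" line.
# A drop-in cannot switch that option off again, so it has to be removed
# from the file where it is set.
dnssec_enabled_in() {
    grep -Eq '^[[:space:]]*dnssec[[:space:]]*(#.*)?$' "$1"
}

# Usage: write the drop-in to a temp file and let dnsmasq parse it (if
# installed). LAN_IF and /etc/dnsmasq.conf are assumed deployment details.
drop_in=$(mktemp)
dnspooq_mitigation_conf "${LAN_IF:-br-lan}" > "$drop_in"
if command -v dnsmasq >/dev/null 2>&1; then
    dnsmasq --test --conf-file="$drop_in" && \
        echo "drop-in syntax OK; install it under /etc/dnsmasq.d/ and restart dnsmasq"
fi
rm -f "$drop_in"
if [ -r /etc/dnsmasq.conf ] && dnssec_enabled_in /etc/dnsmasq.conf; then
    echo "warning: /etc/dnsmasq.conf still enables DNSSEC validation"
fi
```

Keep the drop-in only until the upgrade to 2.83 is in place; the lowered forwarding limit and EDNS size reduce capacity and are not a substitute for the fix.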