Security Advisory 2021-01-19-1 - dnsmasq multiple vulnerabilities (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687)

DESCRIPTION

Dnsmasq has two sets of vulnerabilities, one set of memory corruption issues handling DNSSEC and a second set of issues validating DNS responses. These vulnerabilities could allow an attacker to corrupt memory on the target device and perform cache poisoning attacks against the target environment.

These vulnerabilities are also tracked as ICS-VU-668462 and referred to as DNSpooq.

JSOF reported multiple buffer overflow vulnerabilities in dnsmasq due to boundary checking errors in DNSSEC handling code.

JSOF also reported vulnerabilities in DNS response validation.

OpenWrt ships the following package variants of dnsmasq:

CVE-2020-25684 and CVE-2020-25686 affect all dnsmasq package variants. CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25685 and CVE-2020-25687 are related to DNSSEC handling in dnsmasq and therefore only affect the dnsmasq-full package, not the dnsmasq and dnsmasq-dhcpv6 variants.

REQUIREMENTS

The buffer overflow vulnerabilities can be triggered by a remote attacker using crafted DNS responses that can lead to denial of service, information exposure and potentially remote code execution. The DNS response validation vulnerabilities allow an attacker to use unsolicited DNS responses to poison the DNS cache resulting in redirection of users to malicious sites.

MITIGATIONS

Package upgrade

You need to update the affected dnsmasq package variant you're using with the command below.

 opkg update; opkg upgrade $(opkg list-installed dnsmasq* | cut -d' ' -f1)

Then verify that you're running the fixed version.

 opkg list-installed dnsmasq*

The above command should output the following:

 dnsmasq - 2.80-16.2  - for stable 19.07 release
 dnsmasq - 2.83-1     - for master/snapshot
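An added example, not part of the advisory: a POSIX shell check that parses the output of `opkg list-installed dnsmasq*`, decides whether each installed variant already carries the fix, and lists which of the CVEs above still apply to an unfixed variant. The sample opkg output is constructed, and the variant-to-CVE mapping follows the description above (DNSSEC CVEs only for dnsmasq-full).

```shell
#!/bin/sh
# Added example (not from the OpenWrt advisory): check whether the installed
# dnsmasq variant already carries the DNSpooq fix and list the CVEs that apply.
FIXED_STABLE='2.80-16.2'; FIXED_MASTER='2.83-1'   # fixed versions named in the advisory
# Constructed sample of `opkg list-installed dnsmasq*` output (not a real device).
SAMPLE_INSTALLED='dnsmasq-full - 2.80-16.1
dnsmasq-dhcpv6 - 2.80-16.2
dnsmasq - 2.83-1'
# Compare two dot-separated numeric strings; prints -1, 0 or 1.
dotted_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$ai" = "$a" ] && a='' || a=${a#*.}
        [ "$bi" = "$b" ] && b='' || b=${b#*.}
        [ "${ai:-0}" -gt "${bi:-0}" ] && { echo 1; return; }
        [ "${ai:-0}" -lt "${bi:-0}" ] && { echo -1; return; }
    done
    echo 0
}
# Compare OpenWrt package versions "upstream-release" (e.g. 2.80-16.2); prints -1, 0 or 1.
vercmp() {
    ar=${1#*-}; [ "$ar" = "$1" ] && ar=0
    br=${2#*-}; [ "$br" = "$2" ] && br=0
    r=$(dotted_cmp "${1%%-*}" "${2%%-*}")
    [ "$r" = 0 ] && r=$(dotted_cmp "$ar" "$br")
    echo "$r"
}
# Fixed if a 2.80 build is >= 2.80-16.2 or anything else is >= 2.83-1 (2.81/2.82 count as unfixed).
is_fixed() {
    case $1 in
        2.80-*) [ "$(vercmp "$1" "$FIXED_STABLE")" -ge 0 ] ;;
        *)      [ "$(vercmp "$1" "$FIXED_MASTER")" -ge 0 ] ;;
    esac
}
# CVEs for a variant: the DNSSEC memory-corruption CVEs only affect dnsmasq-full.
applicable_cves() {
    cves='CVE-2020-25684 CVE-2020-25686'
    [ "$1" = dnsmasq-full ] && cves="$cves CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25685 CVE-2020-25687"
    echo "$cves"
}
# Read opkg lines from stdin, print a verdict per package; exit status = vulnerable count.
assess_installed() {
    vuln=0
    while read -r pkg sep ver; do
        if is_fixed "$ver"; then echo "$pkg $ver fixed"
        else vuln=$((vuln + 1)); echo "$pkg $ver VULNERABLE: $(applicable_cves "$pkg")"; fi
    done
    return "$vuln"
}
printf '%s\n' "$SAMPLE_INSTALLED" | assess_installed || echo "vulnerable dnsmasq packages: $?"
```

On a real device, pipe `opkg list-installed dnsmasq*` into `assess_installed` instead of the constructed sample.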

The fix is contained in the following and later versions:

Configuration based mitigation

If upgrading is not possible, it is possible to mitigate some of the issues through configuration changes. Note that these settings may have unintended side-effects.

The mitigation for DNS cache poisoning is to disable caching:

 uci set dhcp.@dnsmasq[0].cachesize='0'

The mitigation for the DNSSEC vulnerabilities is to disable the DNSSEC feature:

 uci set dhcp.@dnsmasq[0].dnssec='0'

Reduce the maximum number of queries allowed to be forwarded from 150 to 50:

 uci set dhcp.@dnsmasq[0].dnsforwardmax='50'

Then commit the changes and restart dnsmasq:

 uci commit dhcp
 /etc/init.d/dnsmasq restart

AFFECTED VERSIONS

To our knowledge, OpenWrt versions 19.07.0 to 19.07.5 are affected. The fixed packages will be integrated in the upcoming OpenWrt 19.07.6 release. Older versions of OpenWrt (e.g. OpenWrt 18.06, OpenWrt 15.05 and LEDE 17.01) are end of life and no longer supported.

CREDITS

Moshe Kol and Shlomi Oberman of JSOF researched and reported these vulnerabilities. Simon Kelley (author of dnsmasq) worked closely with collaborative vendors (Cisco, Comcast, Google, Pi-Hole, Redhat) to develop patches to address these security vulnerabilities. GitHub also supported these collaboration efforts providing support to use their GitHub Security Advisory platform for collaboration.

Parts of this document were written by Vijay Sarvepalli (CERT/CC).
