Security Advisory 2021-01-19-1 - dnsmasq multiple vulnerabilities (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687)

Dnsmasq has two sets of vulnerabilities, one set of memory corruption issues handling DNSSEC and a second set of issues validating DNS responses. These vulnerabilities could allow an attacker to corrupt memory on the target device and perform cache poisoning attacks against the target environment.

These vulnerabilities are also tracked as ICS-VU-668462 and referred to as DNSpooq.

JSOF reported multiple buffer overflow vulnerabilities in dnsmasq due to boundary checking errors in DNSSEC handling code.

  • CVE-2020-25681 A heap-based buffer overflow in dnsmasq in the way it sorts RRSets before validating them with DNSSEC data.
  • CVE-2020-25682 A buffer overflow vulnerability in the way dnsmasq extracts names from DNS packets before validating them with DNSSEC data.
  • CVE-2020-25683 A heap-based buffer overflow in get_rdata subroutine of dnsmasq, when DNSSEC is enabled and before it validates the received DNS entries.
  • CVE-2020-25687 A heap-based buffer overflow in sort_rrset subroutine of dnsmasq, when DNSSEC is enabled and before it validates the received DNS entries.

JSOF also reported vulnerabilities in DNS response validation.

  • CVE-2020-25684 Dnsmasq does not validate the combination of address/port and the query-id fields of a DNS request when accepting DNS responses.
  • CVE-2020-25685 Dnsmasq uses a weak hashing algorithm (CRC32) when compiled without DNSSEC to validate DNS responses.
  • CVE-2020-25686 Dnsmasq does not check for an existing pending request for the same name and forwards a new request, thus allowing an attacker to do a “Birthday Attack” scenario to forge replies and potentially poison the DNS cache.

OpenWrt ships the following package variants of dnsmasq:

  • dnsmasq
  • dnsmasq-dhcpv6
  • dnsmasq-full

CVE-2020-25684 and CVE-2020-25686 affect all dnsmasq package variants. CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25685 and CVE-2020-25687 are related to DNSSEC problems in dnsmasq and only affect the dnsmasq-full package, not the dnsmasq and dnsmasq-dhcpv6 variants.

The buffer overflow vulnerabilities can be triggered by a remote attacker using crafted DNS responses that can lead to denial of service, information exposure and potentially remote code execution. The DNS response validation vulnerabilities allow an attacker to use unsolicited DNS responses to poison the DNS cache resulting in redirection of users to malicious sites.

You need to update the affected dnsmasq package variant you're using with the command below.

 opkg update; opkg upgrade $(opkg list-installed dnsmasq* | cut -d' ' -f1)

Then verify that you're running a fixed version.

 opkg list-installed dnsmasq*

The above command should output the following:

 dnsmasq - 2.80-16.2  - for stable 19.07 release
 dnsmasq - 2.83-1     - for master/snapshot
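As an added example (not part of the advisory), a POSIX shell check that classifies `opkg list-installed 'dnsmasq*'` output against the fixed versions above and the per-variant CVE lists from this advisory. The sample opkg output is constructed, and the version comparison assumes purely numeric dotted fields as in the versions shown here.

```shell
# Constructed sample of `opkg list-installed 'dnsmasq*'` output, not from a real device.
SAMPLE_OPKG_OUTPUT='dnsmasq-full - 2.80-16.1
dnsmasq-dhcpv6 - 2.80-16.2'

# Compare dotted numeric strings (2.80, 16.2) field by field; prints lt, eq or gt.
dotted_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$x" = "$a" ] && a='' || a=${a#*.}
        [ "$y" = "$b" ] && b='' || b=${b#*.}
        x=${x:-0}; y=${y:-0}     # missing field counts as 0 (2.80 == 2.80.0)
        if [ "$x" -lt "$y" ]; then echo lt; return; fi
        if [ "$x" -gt "$y" ]; then echo gt; return; fi
    done
    echo eq
}

# OpenWrt package versions are UPSTREAM-RELEASE: upstream dnsmasq version decides first, package release second.
pkgver_cmp() {
    r=$(dotted_cmp "${1%%-*}" "${2%%-*}")
    [ "$r" = eq ] || { echo "$r"; return; }
    dotted_cmp "${1#*-}" "${2#*-}"
}

# Fixed versions named in the advisory: 2.80-16.2 on 19.07, 2.83-1 on master/snapshot.
# Anything else (e.g. a 2.82 snapshot build) is treated as affected.
dnsmasq_fixed() {
    case $(pkgver_cmp "$1" 2.83-1) in gt|eq) return 0 ;; esac
    if [ "${1%%-*}" = 2.80 ] && [ "$(pkgver_cmp "$1" 2.80-16.2)" != lt ]; then return 0; fi
    return 1
}

# CVEs from the advisory per package variant: the DNSSEC ones apply only to dnsmasq-full.
variant_cves() {
    case $1 in
        dnsmasq-full) echo "CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 CVE-2020-25687" ;;
        *) echo "CVE-2020-25684 CVE-2020-25686" ;;   # dnsmasq and dnsmasq-dhcpv6
    esac
}

# Classify one "name - version" line as printed by opkg list-installed.
classify_line() {
    name="${1%% - *}"; ver="${1#* - }"
    if dnsmasq_fixed "$ver"; then echo "$name $ver fixed"
    else echo "$name $ver AFFECTED: $(variant_cves "$name")"; fi
}
# On a device: opkg list-installed 'dnsmasq*' | while IFS= read -r l; do classify_line "$l"; done
printf '%s\n' "$SAMPLE_OPKG_OUTPUT" | while IFS= read -r line; do classify_line "$line"; done
```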

The fix is contained in the following and later versions:

If upgrading is not possible, it is possible to mitigate some of the issues through configuration changes. Note that these settings may have unintended side-effects.

The mitigation for DNS cache poisoning is to disable caching:

 uci set dhcp.@dnsmasq[0].cachesize='0'

The mitigation for the DNSSEC vulnerabilities is to disable the DNSSEC feature:

 uci set dhcp.@dnsmasq[0].dnssec='0'

Reduce the maximum number of queries allowed to be forwarded from 150 to 50:

 uci set dhcp.@dnsmasq[0].dnsforwardmax='50'

Then you should commit changes and restart dnsmasq:

 uci commit dhcp
 /etc/init.d/dnsmasq restart

To our knowledge, OpenWrt versions 19.07.0 to 19.07.5 are affected. The fixed packages will be integrated in the upcoming OpenWrt 19.07.6 release. Older versions of OpenWrt (e.g. OpenWrt 18.06, OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.

Moshe Kol and Shlomi Oberman of JSOF researched and reported these vulnerabilities. Simon Kelley (author of dnsmasq) worked closely with collaborating vendors (Cisco, Comcast, Google, Pi-Hole, Redhat) to develop patches to address these security vulnerabilities. GitHub also supported these collaboration efforts by providing their GitHub Security Advisory platform for the coordination.

Parts of this document were written by Vijay Sarvepalli (CERT/CC).

  • Last modified: 2021/02/02 10:53
  • by ynezz