
How DNSpooq Attacks Could Poison DNS Cache Records (zdnet.com) 9

Earlier this week security experts disclosed details on seven vulnerabilities impacting Dnsmasq, "a popular DNS software package that is commonly deployed in networking equipment, such as routers and access points," reports ZDNet. "The vulnerabilities, tracked as DNSpooq, impact Dnsmasq, a DNS forwarding client for *NIX-based operating systems."

Slashdot reader Joe2020 shared Help Net Security's quote from Shlomi Oberman, CEO and researcher at JSOF. "Some of the bigger users of Dnsmasq are Android/Google, Comcast, Cisco, Red Hat, Netgear, and Ubiquiti, but there are many more. All major Linux distributions offer Dnsmasq as a package, but some use it more than others, e.g., in OpenWRT it is used a lot, Red Hat use it as part of their virtualization platforms, Google uses it for Android hotspots (and maybe other things), while, for example Ubuntu just has it as an optional package."

More from ZDNet: Dnsmasq is usually included inside the firmware of various networking devices to provide DNS forwarding capabilities by taking DNS requests made by local users, forwarding the request to an upstream DNS server, and then caching the results once they arrive, making the same results readily available for other clients without needing to make a new DNS query upstream. While their role seems banal and insignificant, they play a crucial role in accelerating internet speeds by avoiding recursive traffic...

Today, the DNSpooq software has made its way in millions of devices sold worldwide [including] all sorts of networking gear like routers, access points, firewalls, and VPNs from companies like ZTE, Aruba, Redhat, Belden, Ubiquiti, D-Link, Huawei, Linksys, Zyxel, Juniper, Netgear, HPE, IBM, Siemens, Xiaomi, and others. The DNSpooq vulnerabilities, disclosed today by security experts from JSOF, are dangerous because they can be combined to poison DNS cache entries recorded by Dnsmasq servers. Poisoning DNS cache records is a big problem for network administrators because it allows attackers to redirect users to clones of legitimate websites...

In total, seven DNSpooq vulnerabilities have been disclosed today. Four are buffer overflows in the Dnsmasq code that can lead to remote code execution scenarios, while the other three bugs allow DNS cache poisoning. On their own, the danger from each is limited, but researchers argue they can be combined to attack any device with older versions of the Dnsmasq software...

The JSOF exec told ZDNet that his company has worked with both the Dnsmasq project author and multiple industry partners to make sure patches were made available to device vendors by Tuesday's public disclosure.

  • by stuff-n-things ( 89988 ) on Saturday January 23, 2021 @12:51PM (#60982450) Homepage

    The jsof-tech.com article mentions upgrading to DNSmasq 2.83 or above. My OpenWRT environment only updates to 2.80-16.2. Sigh.

  • I never understood how that's supposed to include Linux, and what else there was supposed to be that ends in "nix". Minix and (MS) Xenix? That can't be it.

    • by cas2000 ( 148703 )

      "*nix" was coined long before Linux even existed.

      It's still used today out of habit and because it's shorter and less ugly than most alternatives, and because people who use unix-like systems generally know what it means, or are easily able to infer its meaning.

      In short: it's still a useful term despite pedantry like "but linux ends in 'nux', not 'nix'!!!1!".

    • Ultrix, Dynix, there were a few others, but I take your point.
  • by TheNameOfNick ( 7286618 ) on Saturday January 23, 2021 @01:50PM (#60982598)

    https://xkcd.com/2347/ [xkcd.com]

    The block in the bottom right is something like dnsmasq. From the dnsmasq web page [dnsmasq.org]:
    Dnsmasq is mainly written and maintained by Simon Kelley. For most of its life, dnsmasq has been a spare-time project. These days I'm working on it as my main activity. I don't have an employer or anyone who pays me regularly to work on dnsmasq. If you'd like to make a contribution towards my expenses, please use the donation button below.
    And then there's a Paypal donation button.

    • by jmccue ( 834797 )

      Wish I had mods

      One would think Companies would support this project, no wonder many people are moving to that "pay me if commercial" license model.

    • by tokul ( 682258 )

      It is not the only caching DNS server on the planet.

  • Information plx (Score:2, Informative)

    by Anonymous Coward
    How difficult would it have been to put the CVEs in the summary? Apparently going beyond copy and pasting someone's submitted story is too much to ask.

    CVE-2020-25681
    CVE-2020-25682
    CVE-2020-25683
    CVE-2020-25684
    CVE-2020-25685
    CVE-2020-25686
    CVE-2020-25687
