JSOF, an Israeli company operating in the field of cyber security, today revealed the existence of seven vulnerabilities, known together with the name of DNSpooq , referring to Dnsamsq. The vulnerabilities are particularly serious as they allow for “DNS poisoning” attacks, remote code execution and denial-of-service attacks against a potential pool of millions of devices . Dnsmasq is an open source software involved in DNS forwarding and which allows you to add DNS caching functionality, DHCP server to Internet of Things devices.

Currently Dnsmasq is widely used in the sector and its diffusion does not allow to draw up an exhaustive list of all the companies that use it. JSOF limited itself to compiling a list of 40 reality among the best known, in which we see names like Android / Google, Asus, Cisco, Redhat, Netgear, Qualcomm, Linksys, IBM, D- Link, Dell, Huawei and Synology , just to name a few.

DNSpooq: seven serious vulnerabilities put millions of devices at risk

In DNSpooq vulnerabilities there are three, indicated by the codes CVE – 2020 – 25686, CVE – 2020 – 25684 and CVE – 2020 – 25685 , which allow you to perform “DNS cache poisoning” or “DNS spoofing” attacks. This type of attack allows the perpetrator to replace the DNS on a target device with arbitrary DNS of their choice .

Small step back: DNS is the acronym for Domain Name Service and, in summary, is the system that allows you to translate the domain names of websites into IP addresses. When configuring the devices connected to the internet, it is necessary to specify the IP address of a “DNS server” which has the task of carrying out this “translation” by consulting the appropriate tables.

It then becomes evident how a DNS Spoofing attack allows the attacker to redirect users to server under its control, while the user has the impression of visiting a legitimate website . This opens up the possibility of carrying out phishing attacks, credential theft or malware distribution from what the user perceives to be a trustworthy reality. The first DNS spoofing attack was illustrated in 297 by security researcher Dan Kaminsky, who demonstrated that DNS software can be exploited to steal data and forge any website address.

“Traffic that could be compromised includes normal Internet browsing, but also other types such as e-mails, SSH communications, remote desktop functions, voice calls, software updates, etc. Possible attack scenarios also include JavaScript-based DDoS, reverse DDoS, and wormable attacks in the case of mobile devices that change networks regularly, “JSOF points out in its report.

Other vulnerabilities, identified by codes CVE – 2020 – 25687, CVE – 2020 – 25683, CVE – 2020 – 25682 and CVE – 2020 – 25681 , are buffer overflow types and potentially allow you to execute code remotely on vulnerable network devices when Dnsmasq is configured to use DNSSEC.

Compounding the situation is the fact that perpetuating attacks exploiting the set of DNSpooq vulnerabilities are fairly simple to conduct and do not require the use of unusual tools or knowledge of techniques details: “The attack can be successfully completed in seconds or minutes and requires nothing special. We found that many instances of Dnsmasq are misconfigured to listen on the WAN interface, making the attack possible directly from the Internet “says JSOF.

DNSpooq: resolve by updating to the latest version or, if not possible, mitigate with some countermeasures

Over 1 million Dnsmasq servers are currently exposed on the Internet according to Shodan, while they would be 630 thousand according to BinaryEdge , but there would be millions of routers, VPNs, smartphones, tablets, infotainment systems, modems, access points, drones and any other kind of equipment vulnerable to attack while not directly accessible from the Internet: ” Some of the DNSpooq vulnerabilities allow DNS cache poisoning and one of the vulnerabilities could allow remote code execution capable of acquiring many brands of home routers and other network equipment, with millions of affected devices and over a million instances directly exposed to the Internet “said JSOF.

JSOF explains that it is possible to completely protect yourself from attacks that attempt to exploit DNSpooq vulnerabilities by updating the Dnsmasq software to latest version available which is currently 2. 83. If, on the other hand, it is not possible for any reason to proceed promptly with the update of Dnsmasw, JSOF has prepared a series of possible alternatives that allow to partially mitigate the problem . We report them below:

• Configure Dnsmasq to avoid listening on the WAN interface unless it is necessary in the operating environment you are in.
• Reduce the maximum number of queries that can be forwarded via the dns-forward-max = option. The default value is 150, but it may be useful to lower it.
• Temporarily disable the DNSSEC validation option until you can install a patch or update the DNSpooq version.
• Use protocols that provide DNS transport security (such as DoT or DoH). This is a measure that can mitigate Dnspooq, which however could have other security and privacy implications depending on the configuration and operating environment.
• Reducing the size of EDNS messages could mitigate some of the vulnerabilities. This is an untested measure and is inconsistent with the RFC recommendations 5625.