DNSpooQ: Vulnerabilities discovered in DNS / DHCP server Dnsmasq
Source: Heise.de, added 20th Jan 2021
Security researchers from JSOF have found seven vulnerabilities in the DNS/DHCP server Dnsmasq. Attackers could target devices that run it and manipulate DNS entries, for example to redirect victims to websites they control. The computer scientist Dan Kaminsky first presented such a DNS attack in 2008. The execution of malicious code and the complete takeover of devices by attackers is also conceivable.
Dnsmasq is a widely used open-source DNS/DHCP server that is mainly found in embedded systems and IoT devices. According to a report by the security researchers, more than 40 manufacturers are affected. These include, for example, Comcast, Google and Netgear. Dnsmasq version 2.83 is secured against the attacks. The first manufacturers have already published security updates (see the list at the end of this article).
Dangerous effects
Attacks are said to be possible directly over the Internet. The security researchers claim to have discovered around 1 million listening Dnsmasq servers via the Shodan IoT search engine. For example, attackers could launch attacks using crafted queries. According to the security researchers, attacks should be possible “in seconds or a few minutes without special requirements”.
Attacks via web browsers are also conceivable. It is said to be sufficient for attackers to smuggle an advertisement with malicious code into an advertising network. If a victim visits a page with this ad, the attackers could gain access. According to the security researchers, however, such attacks are comparatively complex.
Even though none of the seven vulnerabilities is classified as “critical”, attackers could combine several of them to ultimately carry out a critical attack. In a technical white paper, the security researchers describe possible attack scenarios and their effects. Specifically, attackers could, for example, trigger DDoS conditions, insert themselves into connections as a man-in-the-middle, redirect victims to their own websites (DNS cache poisoning) and execute malicious code.
Vulnerabilities:
CVE-2020-25681, CVSS 8.1
CVE-2020-25682, CVSS 8.1
CVE-2020-25683, CVSS 5.9
CVE-2020-25687, CVSS 5.9
CVE-2020-25684, CVSS 4
CVE-2020-25685, CVSS 4
CVE-2020-25686, CVSS 4
Security updates published so far:
Arista
Cisco
Dnsmasq
Netgear RAX35 and RAX40, firmware 1.0.3.88
OpenWRT
Siemens
Sophos
Ubuntu
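A way to check a host against the fixed release named above, as an added example that is not part of the original article: the function reads the first line of `dnsmasq --version` output and compares the upstream version number with 2.83. The result labels (fixed, below-2.83, unknown) are made up for this example, and a below-2.83 result on a distribution package still needs a look at the vendor advisory, because distributions can backport fixes without changing the upstream version number.

```shell
#!/bin/sh
# Added example: classify a dnsmasq version banner against 2.83, the release
# the article names as secured. Result labels are this example's own.

FIXED_MAJOR=2
FIXED_MINOR=83

# dnsmasq_status "<banner text>"  ->  prints fixed | below-2.83 | unknown
dnsmasq_status() {
    # Banner line looks like: "Dnsmasq version 2.80  Copyright (c) ..."
    tok=$(printf '%s\n' "$1" |
          sed -n 's/^[Dd]nsmasq version \([^ ]*\).*/\1/p' | head -n 1)

    # Need at least MAJOR.MINOR; anything else cannot be judged.
    case "$tok" in *.*) ;; *) echo unknown; return 0 ;; esac
    major=${tok%%.*}
    rest=${tok#*.}
    minor=$(printf '%s' "$rest" | sed 's/^\([0-9]*\).*/\1/')
    suffix=${rest#"$minor"}          # e.g. "rc1" or "test2" on pre-releases
    case "$major" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$minor" in '') echo unknown; return 0 ;; esac

    if [ "$major" -gt "$FIXED_MAJOR" ]; then
        echo fixed
    elif [ "$major" -lt "$FIXED_MAJOR" ] || [ "$minor" -lt "$FIXED_MINOR" ]; then
        # Upstream number is older; a vendor package may still carry the fix.
        echo below-2.83
    elif [ "$minor" -gt "$FIXED_MINOR" ]; then
        echo fixed
    elif [ -z "$suffix" ]; then
        echo fixed                   # exactly 2.83
    else
        # A 2.83 pre-release build: cannot tell whether it has the fixes.
        echo unknown
    fi
}

# Check the local binary when one is installed.
if command -v dnsmasq >/dev/null 2>&1; then
    dnsmasq_status "$(dnsmasq --version 2>/dev/null)"
fi
```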