
Tenable Blog


DNSpooq: Seven Vulnerabilities Identified in dnsmasq

Researchers identify seven vulnerabilities in popular Domain Name System software.

Background

On January 19, researchers from the JSOF Research lab disclosed seven vulnerabilities in dnsmasq, a widely used open-source application for network infrastructure. The JSOF team dubbed the set of flaws “DNSpooq,” a play on words, as the vulnerabilities allow for Domain Name System (DNS) spoofing. The JSOF team also released a detailed whitepaper covering the technical details of their research.


Image Source: JSOF

The vulnerabilities were discovered over the summer of 2020 and JSOF coordinated with the CERT Coordination Center (CERT/CC) and various other entities to alert vendors that implement dnsmasq within their own products and services.

While JSOF notes that over 40 vendors may be affected by these flaws, due to varying implementations, it is unclear which vendors may be impacted by these vulnerabilities or if they are impacted at all.

Analysis

The seven flaws that comprise DNSpooq fall into two categories of vulnerabilities: DNS cache poisoning and buffer overflow. While the buffer overflow vulnerabilities could potentially be used to gain remote code execution (RCE), the more likely outcome of successful exploitation is a denial of service (DoS) condition.

Poison the Well: DNS Cache Poisoning Attacks

The researchers identified the following three DNS Cache Poisoning vulnerabilities:

| CVE | Impact | CVSSv3 |
| --- | --- | --- |
| CVE-2020-25684 | DNS Cache Poisoning | 4 |
| CVE-2020-25685 | DNS Cache Poisoning | 4 |
| CVE-2020-25686 | DNS Cache Poisoning | 4 |

All three vulnerabilities enable DNS cache poisoning, a type of attack in which an attacker injects a malicious DNS entry into the resolver's cache, which can then be used to redirect network traffic to a malicious server. This type of attack can be abused to re-route traffic including HTTP, SSH, Remote Desktop Protocol and others.

Image Source: JSOF

The cache poisoning attacks are made possible by abusing a weak hash to reduce entropy. The transaction ID (TXID) and source port should be random and together provide 32 bits of entropy; however, JSOF found that the hashing algorithm used is not cryptographically secure and an attacker could abuse this to reduce the entropy significantly. When DNS Security Extensions (DNSSEC) is disabled, a custom CRC32 algorithm is used for hashing.

The research outlines at least three potential scenarios in which an attacker could exploit the flaws. The first scenario involves attacking a dnsmasq resolver that has port 53 open to the internet. This would allow an attacker to send crafted DNS packets using a spoofed IP address and a registered domain name. Based on a Shodan search, JSOF believes there are “approximately 1 million vulnerable dnsmasq instances.”

The second and more likely scenario is an attacker abusing the flaws from a machine they control within the local area network (LAN). While an attacker with access to a machine on the LAN can likely leverage other vulnerabilities more easily, this scenario could also be exploited by an insider threat. The attacker could affect all devices connected to the LAN and redirect traffic to steal confidential or sensitive information.

The third and most complex scenario involves using malicious JavaScript to inject malicious DNS queries within the LAN when a user on that LAN browses an attacker-controlled website or a website serving malicious advertisements. JSOF notes in their whitepaper that not all browsers allow this attack scenario, and there could be other mitigating factors on a network that would prevent this attack from succeeding.

Over the Top: Buffer Overflow Flaws

The four remaining flaws, listed in the table below, are buffer overflow vulnerabilities:

| CVE | Potential Impact | CVSSv3 |
| --- | --- | --- |
| CVE-2020-25681 | Remote Code Execution, Denial of Service | 8.1 |
| CVE-2020-25682 | Remote Code Execution, Denial of Service | 8.1 |
| CVE-2020-25683 | Remote Code Execution, Denial of Service | 5.9 |
| CVE-2020-25687 | Remote Code Execution, Denial of Service | 5.9 |

CVE-2020-25681 and CVE-2020-25682, the two highest rated flaws with a CVSSv3 score of 8.1, could be abused to achieve RCE. However, as is the case with the other CVEs listed in this advisory, the most likely outcome would be a DoS condition.

DNSSEC: When the Cure Becomes Worse Than The Disease

In a bit of irony, a device is affected by the four buffer overflow vulnerabilities only if the DNSSEC feature is enabled. Devices with DNSSEC disabled are NOT affected by the buffer overflow flaws. However, JSOF notes that it is important to enable DNSSEC, as it is used to prevent cache poisoning attacks.

Chaining attacks to increase effectiveness

While the highest CVSSv3 score is an 8.1 and the lowest is only a 4, JSOF notes that these vulnerabilities are low impact on their own. However, chaining two or more of the vulnerabilities together can give an attacker a more robust attack with a much higher impact. Chained attack scenarios have become more common lately, and this case highlights how important every component within a network can be. With DNS being a major backbone of the internet, these seven vulnerabilities show that common protocols and network software are a prime target for skilled threat actors.

Proof of concept

At the time this blog post was published, no proof-of-concept (PoC) code had been made available for any of these vulnerabilities. Given the complexity of exploitation in some environments, we don’t anticipate seeing a reliable PoC in the near future.

Solution

To address these vulnerabilities, version 2.83 of dnsmasq has been released. When this blog was published, it was not clear whether each of the vendors contacted through the coordination between CERT/CC and JSOF had responded. However, we expect patches for various software and network hardware from multiple vendors to be released over time.
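The two facts above that determine exposure, the 2.83 fix and the DNSSEC dependency of the buffer overflow flaws, can be combined into a simple host-side triage check. The following POSIX shell script is an added example, not Tenable's GitHub audit check or any dnsmasq project code; it assumes the standard `Dnsmasq version X.Y ...` banner from `dnsmasq --version` and that DNSSEC is enabled by an uncommented `dnssec` line in dnsmasq.conf, and the sample banner and configuration are constructed.

```shell
# Added example (not Tenable's GitHub audit check): classify a host's DNSpooq exposure
# from the first line of `dnsmasq --version` and the text of its dnsmasq.conf.
# Per the advisory, 2.83 is the fixed release and the buffer overflows need DNSSEC enabled.
FIXED_MAJOR=2
FIXED_MINOR=83

# Extract "2.80" from a banner such as "Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley".
dnsmasq_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Dnsmasq version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 when the version is older than 2.83 (unpatched), 1 otherwise.
# Pre-release suffixes (e.g. 2.83rc1) are not distinguished from the release.
dnsmasq_is_unpatched() {
    major=${1%%.*}
    minor=${1#*.}
    [ "$major" -lt "$FIXED_MAJOR" ] && return 0
    [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -lt "$FIXED_MINOR" ] && return 0
    return 1
}

# Return 0 when an uncommented "dnssec" option line is present in the config text.
# Commented-out lines and other options such as "dnssec-check-unsigned" do not count.
dnsmasq_dnssec_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*dnssec([[:space:]]*(#.*)?)?$'
}

# Print the DNSpooq categories the host is exposed to: "none", "cache-poisoning",
# or "cache-poisoning buffer-overflow".
dnspooq_exposure() {
    version=$(dnsmasq_version_from_banner "$1")
    if [ -z "$version" ] || ! dnsmasq_is_unpatched "$version"; then
        echo "none"
        return 0
    fi
    if dnsmasq_dnssec_enabled "$2"; then
        echo "cache-poisoning buffer-overflow"
    else
        echo "cache-poisoning"
    fi
}

# On a live host (commented out so the block runs offline):
# dnspooq_exposure "$(dnsmasq --version | head -n 1)" "$(cat /etc/dnsmasq.conf)"

# Constructed sample inputs, not captured from a real host.
SAMPLE_BANNER='Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley'
SAMPLE_CONF='domain-needed
# dnssec
dnssec'
dnspooq_exposure "$SAMPLE_BANNER" "$SAMPLE_CONF"
```

A hit from this check only says the binary is unpatched upstream; distribution packages that backported the fix keep an older version string and need the vendor's own advisory or a Tenable plugin to confirm.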

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. We have also released an audit and compliance check that can be obtained from our GitHub page.

For our standalone plugin for dnsmasq (plugin ID 145073), users must enable the “Show potential false alarms” setting, also known as paranoid mode, in their scan policy in order for this plugin to run in a scan.

We also recommend enabling only this specific plugin in a paranoid scan. Scan policies configured with all plugins enabled will see an increase in the number of triggers, as the scan will include every paranoid plugin.

Enabling Paranoid Mode

To enable this setting for Nessus and Tenable.io users:

  1. Click Assessment > General > Accuracy
  2. Enable the “Show potential false alarms” option

To enable this setting for Tenable.sc (formerly SecurityCenter) users:

  1. Click Assessment > Accuracy
  2. Click the drop-down box and select “Paranoid (more false alarms)”

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
