Vulnerabilities found in DNSMASQ that allow spoofing of DNS cache content

DNSMASQ is a small utility, released as free software, that provides a DNS forwarder, a DHCP server, router advertisement and network boot functions for small networks.

Seven serious vulnerabilities were recently disclosed in DNSMASQ (the set is known as DNSpooq). They fall into two groups: weaknesses in the way the DNS forwarder matches and caches responses, which allow an attacker to poison the cache with false records, and buffer overflows reachable when DNSSEC validation is enabled, which could allow remote code execution on the device for the attacker's benefit.

Mainstream Linux distributions such as Debian, Ubuntu and Mint no longer use DNSMASQ by default, but it is still used in Android, in router-oriented distributions such as OpenWrt and DD-WRT, and in the firmware of wireless routers from countless manufacturers.

It is also used by libvirt (the backend behind virt-manager) to provide DNS and DHCP to virtual machine networks, and it can be enabled as NetworkManager's local caching resolver by setting dns=dnsmasq in NetworkManager.conf.

The problem is compounded by the poor track record of firmware updates for wireless routers and other hardware that embed DNSMASQ: the owners of these devices rarely install the firmware updates that carry the security fixes.

Security researchers fear that these problems will remain unpatched on many devices for a long time, which opens the door to automated attacks on routers running vulnerable DNSMASQ builds: take control of the resolver, redirect unsuspecting users to malicious or phishing sites, and from there steal large sums from their bank accounts if they fall for the deception.

More than 35 vendors ship DNSMASQ in their networking hardware, including Cisco, Comcast, Netgear, Ubiquiti, Siemens, Arista, Technicolor, Aruba, Wind River, Asus, AT&T, D-Link, Huawei, Juniper, Motorola, Synology, Xiaomi, ZTE and Zyxel.

For now, users can only be advised not to rely on the DNS forwarding service provided by these devices until a fix for these DNSMASQ vulnerabilities reaches their firmware.

The first group of vulnerabilities concerns the protections against DNS cache poisoning: the identified problems make those protections ineffective and let an attacker plant an arbitrary IP address for a chosen domain in the cache. The classic Kaminsky attack exploits the small size of the DNS transaction ID field, which is only 16 bits.

To hit the identifier needed to spoof a hostname, it is enough to send about 7,000 requests and about 140,000 bogus responses. The attack boils down to flooding the resolver with forged packets, sent with a spoofed source IP address, that carry different DNS transaction identifiers.

The identified vulnerabilities reduce the entropy an attacker must guess from the expected 32 bits (16-bit transaction ID plus 16-bit UDP source port) to about 19 bits, which makes a cache poisoning attack quite realistic. In addition, dnsmasq's handling of CNAME records lets an attacker forge a chain of CNAME records and poison up to 9 DNS records at a time with a single response.
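To make these figures concrete, here is an added example (it is not code from the original article or from the dnsmasq project) that computes the probability of a successful blind spoof as a function of the entropy to guess and the number of queries the attacker has outstanding at once, and checks the formula with a small Monte Carlo run. It assumes the 32-bit figure is transaction ID plus source port, uses 150 outstanding queries (dnsmasq's default value of --dns-forward-max) as the attacker's simultaneous targets, and treats the effective 19-bit entropy as one uniformly random value per query; the real attack chain is more involved than this model, and the function names are the example's own.

```python
import random

# Bits the attacker must guess per outstanding query when the resolver checks
# both the 16-bit transaction ID and the 16-bit UDP source port (RFC 5452).
FULL_ENTROPY_BITS = 16 + 16
# Effective figure the article gives for unpatched dnsmasq (assumed to behave
# as a single uniformly random value per pending query in this model).
DNSPOOQ_ENTROPY_BITS = 19
# dnsmasq's default --dns-forward-max: how many forwarded queries can be
# outstanding at once, i.e. how many targets one forged reply can hit.
DEFAULT_DNS_FORWARD_MAX = 150


def success_probability(entropy_bits, outstanding, forged):
    """Probability that at least one of `forged` blindly spoofed responses
    matches one of `outstanding` pending queries.

    Model: each pending query carries an independent, uniformly random
    `entropy_bits`-bit identifier; a forged response guesses one value and
    wins if it equals any pending identifier. A single guess therefore hits
    with probability outstanding / 2**entropy_bits (the birthday effect that
    CVE-2020-25686 exposes), and successive misses are independent.
    """
    space = 2 ** entropy_bits
    p_hit = min(outstanding, space) / space
    return 1.0 - (1.0 - p_hit) ** forged


def expected_forged_responses(entropy_bits, outstanding):
    """Mean number of forged responses until the first hit (geometric)."""
    space = 2 ** entropy_bits
    return space / min(outstanding, space)


def simulate(entropy_bits, outstanding, forged, seed=0):
    """Monte Carlo check of the model: draw the pending identifiers, then fire
    `forged` random guesses and report whether any of them hit."""
    rng = random.Random(seed)
    space = 2 ** entropy_bits
    pending = {rng.randrange(space) for _ in range(outstanding)}
    return any(rng.randrange(space) in pending for _ in range(forged))


def compare(forged=140_000):
    """Classic Kaminsky setting (32 bits, one outstanding query) next to the
    DNSpooq setting (19 bits, a full dns-forward-max of outstanding queries),
    for the roughly 140,000 forged responses the article mentions."""
    return {
        "kaminsky_32bit": success_probability(FULL_ENTROPY_BITS, 1, forged),
        "dnspooq_19bit": success_probability(DNSPOOQ_ENTROPY_BITS, DEFAULT_DNS_FORWARD_MAX, forged),
        "kaminsky_expected": expected_forged_responses(FULL_ENTROPY_BITS, 1),
        "dnspooq_expected": expected_forged_responses(DNSPOOQ_ENTROPY_BITS, DEFAULT_DNS_FORWARD_MAX),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.6g}")
    print("simulated 19-bit run hit:",
          simulate(DNSPOOQ_ENTROPY_BITS, DEFAULT_DNS_FORWARD_MAX, 140_000))
```

With one outstanding query and full 32-bit entropy, 140,000 forged responses succeed only a few times in a hundred thousand attempts; with 19 effective bits and 150 outstanding queries the same flood succeeds essentially every time, which is the difference between a theoretical and a practical attack.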

• CVE-2020-25684: when processing DNS responses from upstream servers, the transaction ID is not checked in combination with the IP address and port number of the server the query was sent to. This is contrary to RFC 5452, which requires those additional attributes to be matched before a response is accepted.

• CVE-2020-25686: no check for pending requests with the same name, so many identical queries can be outstanding at once; this enables a birthday attack that greatly reduces the number of attempts needed to forge a response. Combined with CVE-2020-25684, it significantly lowers the complexity of the attack.

• CVE-2020-25685: use of the weak CRC32 hash to verify that a response matches the question of a pending request when DNSMASQ is compiled without DNSSEC (SHA-1 is used with DNSSEC). Because CRC32 is not collision resistant, an attacker can use a domain whose hash matches the target domain's, which again reduces the number of attempts required.

• The second group (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687) consists of buffer overflows triggered while processing certain externally supplied data in the DNSSEC validation code, so only builds with DNSSEC enabled are exposed.

• For CVE-2020-25681 and CVE-2020-25682, it is possible to build exploits that lead to code execution on the system.
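The three cache-poisoning weaknesses are easiest to see side by side as matching rules. The following is an added, simplified model written for this article, not dnsmasq's own code: a "loose" forwarder that accepts a reply on transaction ID and a CRC32 of the name alone, from any source, and keeps a separate upstream query for every identical client query, next to a "strict" forwarder that performs the RFC 5452 checks (exact question name, expected upstream address and port, expected local port) and coalesces identical outstanding names into one upstream query. The class names, addresses, ports and names are constructed (RFC 5737 documentation ranges); the weak CRC32 comparison stands in for CVE-2020-25685, but no colliding name is constructed here.

```python
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    """A query the forwarder has sent upstream and is waiting on."""
    txid: int          # 16-bit transaction ID chosen by the forwarder
    qname: str         # question name
    upstream: tuple    # (ip, port) the query was sent to
    local_port: int    # UDP source port the query left from


@dataclass(frozen=True)
class Response:
    """A response packet as the forwarder sees it."""
    txid: int
    qname: str         # name in the question section
    source: tuple      # (ip, port) from the IP/UDP headers (spoofable)
    local_port: int    # UDP port the packet arrived on
    answer: str        # what would be cached for qname


class LooseForwarder:
    """Model of the behaviour behind CVE-2020-25684/25685/25686: a reply is
    accepted if its transaction ID matches ANY pending query and the CRC32 of
    its question name matches; source address/port and arrival port are
    ignored, and every client query, even for a name already pending, becomes
    another pending upstream query (one more identifier for a forger to hit)."""

    def __init__(self):
        self.pending = []
        self.cache = {}

    def send(self, query):
        self.pending.append(query)       # no coalescing of identical names

    def receive(self, response):
        for query in self.pending:
            if (query.txid == response.txid and
                    zlib.crc32(query.qname.encode()) == zlib.crc32(response.qname.encode())):
                self.pending.remove(query)
                self.cache[response.qname] = response.answer
                return True
        return False


class StrictForwarder:
    """The RFC 5452 matching a fixed forwarder performs: exact question name,
    reply from the address and port the query went to, arriving on the port it
    left from, and one upstream query per name however many clients ask."""

    def __init__(self):
        self.pending = {}                # qname -> Query
        self.cache = {}

    def send(self, query):
        if query.qname in self.pending:
            return False                 # piggy-back on the outstanding query
        self.pending[query.qname] = query
        return True

    def receive(self, response):
        query = self.pending.get(response.qname)
        if (query is None or query.txid != response.txid
                or query.upstream != response.source
                or query.local_port != response.local_port):
            return False
        del self.pending[response.qname]
        self.cache[response.qname] = response.answer
        return True


def demo():
    """150 clients ask for the same name at once; the attacker, who cannot see
    the forwarder's traffic, spoofs one reply guessing a transaction ID and a
    port. All values are constructed (RFC 5737 documentation addresses)."""
    upstream = ("192.0.2.53", 53)
    name = "bank.example"
    loose, strict = LooseForwarder(), StrictForwarder()
    for i in range(150):
        query = Query(txid=1000 + i, qname=name, upstream=upstream, local_port=40000 + i)
        loose.send(query)
        strict.send(query)
    loose_outstanding, strict_outstanding = len(loose.pending), len(strict.pending)

    forged = Response(txid=1042, qname=name, source=("198.51.100.7", 53),
                      local_port=40777, answer="203.0.113.66")
    genuine = Response(txid=1000, qname=name, source=upstream,
                       local_port=40000, answer="192.0.2.10")
    return {
        "loose_outstanding": loose_outstanding,       # 150 identifiers to hit
        "strict_outstanding": strict_outstanding,     # a single one
        "loose_accepts_forged": loose.receive(forged),
        "strict_accepts_forged": strict.receive(forged),
        "strict_accepts_genuine": strict.receive(genuine),
        "loose_cache": dict(loose.cache),
    }
```

The forged reply only needs to hit one of the 150 transaction IDs to be cached by the loose forwarder; the strict forwarder has a single outstanding query for the name, and the wrong source port and arrival port would reject the packet even if the transaction ID had been guessed.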

These vulnerabilities are fixed in the DNSMASQ 2.83 release. As a temporary workaround it is recommended to disable DNSSEC (do not pass the dnssec option) and query caching (cache-size=0), either on the command line or in dnsmasq.conf.
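A quick way to check an existing deployment against that advice: the following added script (not from the article or the dnsmasq project) parses the first line printed by `dnsmasq --version` together with a dnsmasq.conf and reports the settings that matter here. It uses only standard dnsmasq options (dnssec, cache-size, dns-forward-max, interface, listen-address, local-service); the sample configurations and version strings are constructed, the parser ignores dnsmasq's quoting rules, and the dns-forward-max threshold and the listen-interface check are assumptions made here, not vendor guidance.

```python
import re

FIXED_VERSION = (2, 83)   # first dnsmasq release carrying the fixes


def parse_version(version_output):
    """Read (major, minor) from the first line printed by `dnsmasq --version`,
    e.g. 'Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley'."""
    match = re.search(r"version\s+(\d+)\.(\d+)", version_output, re.IGNORECASE)
    if not match:
        raise ValueError("no dnsmasq version string found")
    return int(match.group(1)), int(match.group(2))


def parse_conf(conf_text):
    """Parse dnsmasq.conf syntax (one `option` or `option=value` per line,
    '#' comments) into {option: [values...]}; flag options get value None.
    Simplification: a '#' anywhere starts a comment."""
    options = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        options.setdefault(key.strip(), []).append(value.strip() if sep else None)
    return options


def audit(conf_text, version_output, max_forward=150):
    """Return a list of findings for one dnsmasq instance.

    Rules: an unpatched build should be upgraded; on an unpatched build DNSSEC
    and caching should be off (the article's workaround); regardless of
    version, leaving dns-forward-max at or above the default and listening on
    every interface widen the attack surface. `max_forward` is an assumed
    threshold, not a vendor recommendation.
    """
    findings = []
    major, minor = parse_version(version_output)
    options = parse_conf(conf_text)
    if (major, minor) < FIXED_VERSION:
        findings.append(f"dnsmasq {major}.{minor} predates 2.83: upgrade")
        if "dnssec" in options:
            findings.append("dnssec enabled on unpatched build: exposes the DNSSEC buffer "
                            "overflows (CVE-2020-25681/25682/25683/25687); remove it")
        if options.get("cache-size", [None])[-1] != "0":
            findings.append("cache enabled on unpatched build: exposes cache poisoning "
                            "(CVE-2020-25684/25685/25686); set cache-size=0")
    forward = options.get("dns-forward-max", [None])[-1]
    if forward is None or int(forward) > max_forward:
        findings.append("dns-forward-max left at default or above threshold: more "
                        "outstanding queries give a forged reply more identifiers to hit")
    if not any(k in options for k in ("interface", "listen-address", "local-service")):
        findings.append("listens on all interfaces by default: restrict with interface=, "
                        "listen-address= or local-service")
    return findings


# Constructed samples, not taken from any real device.
VERSION_280 = "Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley"
VERSION_283 = "Dnsmasq version 2.83  Copyright (c) 2000-2021 Simon Kelley"

VULNERABLE_CONF = """
# router-style configuration (constructed sample)
dnssec
cache-size=1000
server=192.0.2.53
"""

HARDENED_CONF = """
# workaround configuration for an unpatched build (constructed sample)
cache-size=0
dns-forward-max=100
interface=br-lan
bind-interfaces
server=192.0.2.53
"""

if __name__ == "__main__":
    for finding in audit(VULNERABLE_CONF, VERSION_280):
        print("-", finding)
```

Run it against the output of `dnsmasq --version` and the device's dnsmasq.conf; once the build is 2.83 or later, only the two exposure-reducing findings remain.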

All users whose routers include DNSMASQ are advised not to use this function until an update is available that corrects this set of critical vulnerabilities, which can be exploited in an automated way and affect potentially billions of devices on the internet. Bear in mind that both your privacy and access to the funds in your bank accounts may be at stake, since a poisoned resolver makes very convincing phishing possible.

Important note: the security of our information, of the way we connect and of the devices we use is our own responsibility. We must therefore stay alert to current information-security news and take the corresponding preventive measures before becoming victims of an attack that could put our finances or our privacy in a critical situation.
