Skip to main content

DNSpooq bugs haunt dnsmasq

The research team at JSOF found seven vulnerabilities in dnsmasq and have dubbed them DNSpooq, collectively. Now, some of you may shrug and move on, probably because you haven't heard of dnsmasq before. Well, before you go, you should know that dnsmasq is used in a wide variety of phones, routers, and other network devices, besides some Linux distributions like Red-Hat. And that's just a selection of what may be affected.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerabilities disclosed by the JSOF team have been listed as CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686 and CVE-2020-25681.

What is DNSpooq?

DNSpooq is the name the researchers gave to a collection of seven vulnerabilities they found in dnsmasq, an open-source DNS forwarding software in common use. Dnsmasq is very popular, and so far JSOF has identified approximately 40 vendors that use it in their products, as well as some major Linux distributions. DNSpooq includes some DNS cache poisoning vulnerabilities, and buffer overflow vulnerabilities that could potentially be used to achieve remote code execution (RCE).

Domain Name System (DNS) is an internet protocol that translates user-friendly, readable URLs, such as malwarebytes.com, to their numeric IP addresses, allowing the computer to identify a server without the user having to remember and input its actual IP address. Basically, you could say DNS is the phonebook of the internet. DNS name resolution is a complex process that can be interfered with at many levels.

Dnsmasq (short for DNS masquerade) is free software that can be used for DNS forwarding and caching, and DHCP services. It is intended for smaller networks and can run under Linux, macOS, and Android. In essence, dnsmasq accepts DNS queries and either answers them from a local cache or forwards them to an actual DNS server.

What is DNS cache poisoning?

If you have ever moved your website to a different server, you will have noticed how long it can take before everyone actually lands on the new IP address. This happens because DNS records are normally cached in a number of different places, for performance. Records can be cached in your browser, by your operating system, on your network, by your ISP, and so on. When a cache entry expires it will update from the next upstream cache. Because of this, it can take a while for new records to get updated in all the places they're stored. This phenomenon is referred to as DNS propagation.

If false information is added to a compromised DNS cache, that information can spread downstream to other caches. This method of providing a false IP address is called DNS cache poisoning. Cache poisoning can be done at all levels, local, router and even at the DNS server level.

What is a buffer overflow?

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches an address boundary and writes into an adjacent memory region. Buffer overflows can be used to overwrite useful data, cause network crashes, or replace memory with arbitrary code that the instruction pointer later executes. In that last case it may offer an opportunity for RCE.

Who should worry?

JSOF has identified over 40 companies and respective products they believe are using dnsmasq. You can find a complete list on their website about DNSpooq, under Vendors. Some names worth mentioning: Asus, AT&T, Cisco, Dell, Google, Huawei, Linksys, Motorola, Netgear, Siemens, Ubiquiti, and Zyxel. Check out the list if you want to verify whether you are using one of the affected devices.

What can be done about DNSpooq?

For users of dnsmasq the quickest fix is to update it to version 2.83 or above.

In the long run it would be better for all of us if we started using a less vulnerable method than DNS, like DNSSEC, which protects against cache poisoning. Unfortunately is still not very widely deployed. Neither is HSTS, which is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks.

Stay safe, everyone!

Header image and research courtesy of JSOF

The post DNSpooq bugs haunt dnsmasq appeared first on Malwarebytes Labs.



from Malwarebytes Labs full article here

Popular posts from this blog

Malwarebytes CrackMe 2: contest summary

About three weeks ago, we published our second CrackMe . It triggered a lot of interest, and we got many high-quality write-ups. Choosing the winner was really difficult! In this post, I am going to summarize the contest and comment on the received submissions. CrackMe 2 challenge The topic of the challenge was Python, and its goal was to teach how the Python scripts can be packaged and integrated with native executables. The involved Python script was not obfuscated, and the user was supposed to adapt it for the purpose of finding the solution. The CrackMe was made of three components, cooperating with each other: a Python script (converted to EXE with the help of PyInstaller) a native DLL, loaded with the help of the above script a Python script unpacked by the DLL and injected into Actxproxy.dll In the first level, the user was supposed to find a valid PIN to decode a URL, from which the next level was downloaded. The next level was a native DLL that was inject...

Windows Driver Backup and Restore Guide and Software for All Versions

Computer is a collection of hardware and To work properly these hardware we need to install some drivers. Drivers may vary for different versions of operating systems. By default an operating system doesn't have all your computer drivers so we need to take driver backup from current OS for future use. Virus and Worms becomes more popular now to corrupt our computer or their software and that is another reason to always keep your computer driver backup to re-use them without any issue. Taking your driver backup can solve a lot of issue related to your computer. Windows Driver Backup and Restore Guide The method is very manageable and smooth, You will need to use a utility software that will create backup of all drivers in your Windows operating system and later you can restore them whenever you change your operating system, or some of your drivers get corrupted. So proceed with some simple steps below. Steps to Backup and Restore Drivers on Windows Using Double Driver Fi...

Malwarebytes CrackMe 2: try another challenge

Last November, we released the first edition of the  Malwarebytes CrackMe . Encouraged by the positive response we received from the security community, we decided to repeat the game, hopefully making it even more interesting and entertaining. As before, the CrackMe is dedicated to malware analysts and to those who want to practice becoming them. That's why it is not just a set of some abstract riddles, but an exercise that walks through selected tricks that were used in real malware. (Expect some original schemes designed just for this game, too.) Of course, all is demonstrated on harmless examples, but we still recommend you use VM for reversing it so that it will not interfere with any antivirus protection. Rules of the contest There are two CrackMe contests: Capture the flag.  The first three submitted flags win. The flag should be submitted along with (minimalistic) notes about the steps taken to find it. (No detailed write-up is required.) Best write-up . Th...