Skip to main content

DNSpooq bugs haunt dnsmasq

The research team at JSOF found seven vulnerabilities in dnsmasq and have dubbed them DNSpooq, collectively. Now, some of you may shrug and move on, probably because you haven't heard of dnsmasq before. Well, before you go, you should know that dnsmasq is used in a wide variety of phones, routers, and other network devices, besides some Linux distributions like Red-Hat. And that's just a selection of what may be affected.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerabilities disclosed by the JSOF team have been listed as CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686 and CVE-2020-25681.

What is DNSpooq?

DNSpooq is the name the researchers gave to a collection of seven vulnerabilities they found in dnsmasq, an open-source DNS forwarding software in common use. Dnsmasq is very popular, and so far JSOF has identified approximately 40 vendors that use it in their products, as well as some major Linux distributions. DNSpooq includes some DNS cache poisoning vulnerabilities, and buffer overflow vulnerabilities that could potentially be used to achieve remote code execution (RCE).

Domain Name System (DNS) is an internet protocol that translates user-friendly, readable URLs, such as malwarebytes.com, to their numeric IP addresses, allowing the computer to identify a server without the user having to remember and input its actual IP address. Basically, you could say DNS is the phonebook of the internet. DNS name resolution is a complex process that can be interfered with at many levels.

Dnsmasq (short for DNS masquerade) is free software that can be used for DNS forwarding and caching, and DHCP services. It is intended for smaller networks and can run under Linux, macOS, and Android. In essence, dnsmasq accepts DNS queries and either answers them from a local cache or forwards them to an actual DNS server.

What is DNS cache poisoning?

If you have ever moved your website to a different server, you will have noticed how long it can take before everyone actually lands on the new IP address. This happens because DNS records are normally cached in a number of different places, for performance. Records can be cached in your browser, by your operating system, on your network, by your ISP, and so on. When a cache entry expires it will update from the next upstream cache. Because of this, it can take a while for new records to get updated in all the places they're stored. This phenomenon is referred to as DNS propagation.

If false information is added to a compromised DNS cache, that information can spread downstream to other caches. This method of providing a false IP address is called DNS cache poisoning. Cache poisoning can be done at all levels, local, router and even at the DNS server level.

What is a buffer overflow?

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches an address boundary and writes into an adjacent memory region. Buffer overflows can be used to overwrite useful data, cause network crashes, or replace memory with arbitrary code that the instruction pointer later executes. In that last case it may offer an opportunity for RCE.

Who should worry?

JSOF has identified over 40 companies and respective products they believe are using dnsmasq. You can find a complete list on their website about DNSpooq, under Vendors. Some names worth mentioning: Asus, AT&T, Cisco, Dell, Google, Huawei, Linksys, Motorola, Netgear, Siemens, Ubiquiti, and Zyxel. Check out the list if you want to verify whether you are using one of the affected devices.

What can be done about DNSpooq?

For users of dnsmasq the quickest fix is to update it to version 2.83 or above.

In the long run it would be better for all of us if we started using a less vulnerable method than DNS, like DNSSEC, which protects against cache poisoning. Unfortunately is still not very widely deployed. Neither is HSTS, which is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks.

Stay safe, everyone!

Header image and research courtesy of JSOF

The post DNSpooq bugs haunt dnsmasq appeared first on Malwarebytes Labs.



from Malwarebytes Labs full article here

Popular posts from this blog

Chaos in a cup: When ransomware creeps into your smart coffee maker

When the fledgling concept of the Internet of Things (IoT) was beginning to excite the world almost a decade ago, perhaps no coffee lover at that time would've imagined including the coffee machine in the roster of internet-connected devices—even in jest. True, the simple, utilitarian coffee machine may not be as popular now as it used to back in the day, but its continued availability within office premises and private home kitchens, plus inherent risks—much like any IoT device—may be in equal footing with your smart speaker , smart doorbell , or smart light bulb . Cybersecurity issues surrounding internet-connected coffee machines are further punctuated by the latest news about how Martin Hron, a reverse engineer from Avast, tinkered his Smarter coffee maker to not only beep and spew out hot water but also deprive you of a nice, morning brew and display a short ransom note. Courtesy of Dan Goodin, Ars Technica Yes, Hron turned his coffee maker into a ransomware mach...
Read more

A week in security (December 10 – 16)

Last week on Labs, we took a look at some new Mac malware , a collection of various scraped data dumps , the protection of power grids , and how bad actors are using SMB vulnerabilities .   Other cybersecurity news Millions affected by Facebook photo API bug: An issue granted third-party apps more access to photos than should normally be granted, including images uploaded but not published. (source: Facebook) Bomb threats may be a hoax: An email in circulation urging ransom payments in Bitcoin lest bombs across the US be detonated may well be a fake , according to US law enforcement. (source: The Register) Man jailed for fraud offenses: A man in the UK has been jailed for taking part in fraudulent activities. The main point of interest is surely the spectacular device he built. (source: Met Police) Another Google Plus bug: For six days, developer were able to access profile data not made public by the users. (source: Google) Windows 10 data collection: Reddit use...
Read more

Skimmer acts as payment service provider via rogue iframe

Criminals continue to target online stores to steal payment details from unaware customers at a rapid pace. There are many different ways to go about it, from hacking the shopping site itself, to compromising its supply-chain. A number of online merchants externalize the payment process to a payment service provider (PSP) for various reasons, including peace of mind that transactions will be handled securely. Since some stores will not process payments on their own site, one might think that even if they were compromised, attackers wouldn't be able to steal customers' credit card data. But this isn't always true. RiskIQ previously detailed how Magecart's Group 4 was using an overlay technique that would search for the active payment form on the page and replace it with one prepped for skimming. The one we are looking at today adds a bogus iframe that asks unsuspecting customers to enter their credit card information. The irony here is that the s...
Read more