Researchers at JSOF have disclosed seven vulnerabilities concerning the widely used DNS forwarding client Dnsmasq. The vulnerabilities are split into two classes, DNS cache poisoning and buffer overflows for remote code execution. The DNS poisonings take advantage of reducing the randomness of the TXID (Transaction ID) and source port. These attacks will also require that the attacker spoof their IP or attempt to exploit from the browser by taking advantage of outstanding DNS requests in Firefox-like browsers. The second class of vulnerabilities for Dnsmasq involves heap-based buffer overflows that could potentially allow for remote code execution if Dnsmasq is configured to use DNSSEC. The versions of Dnsmasq affected by these vulnerabilities are Dnsmasq versions 2.78 to 2.82.
Analyst Notes
With this disclosure being released today and the fact that there are not yet any proof-of-concept (PoC) exploits available, the risk is lower than if a PoC was released. However, if organizations are concerned about these vulnerabilities, patches will be released later today by Dnsmasq and should be applied as soon as possible. Alternatively, companies that are concerned about Dnsmasq vulnerabilities should inquire about updates from their vendors if DNS is managed or built into a different appliance. While there are other mitigations by utilizing DNS-over-HTTPS or DNS-over-TLS, these are not recommended at scale unless DNS logs are being ingested and monitored for poisoning attacks.
References:
https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq_Technical-Whitepaper.pdf
https://www.zdnet.com/article/dnspooq-lets-attackers-poison-dns-cache-records/
https://www.jsof-tech.com/disclosures/dnspooq/
