Security Vulnerability: "DNSpooq" multiple vulnerabilities against dnsmasq
This document (000019824) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
Situation
Dnsmasq is one of the most popular caching DNS forwarders and is intended to provide coupled DNS and DHCP services to a small network. However, it is possible to configure Dnsmasq to listen on the open internet. Dnsmasq is included in most Linux distributions and can be configured to support DNSSEC. In their paper, the JSOF researchers disclosed two different groups of vulnerabilities, which resulted in 7 CVE assignments.
The first group (CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686) relates to potential cache poisoning attacks. All three vulnerabilities reduce the entropy of the TXID (Transaction ID) and source port identifiers, making it easier for an attacker to guess a valid combination of port and TXID and so craft a DNS reply that dnsmasq accepts, allowing them to place malicious entries in the DNS server cache. This means, for example, that an attacker can redirect traffic to their own web server instead of the legitimate one.
The second group of vulnerabilities (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687) is only exploitable when DNSSEC is enabled. All of these vulnerabilities are triggered by crafted DNS replies and all result in heap-based overflows. The vulnerable function is sort_rrset and the overflows are triggered during DNSSEC validation. The most severe of these vulnerabilities is believed to allow Remote Code Execution, while the rest lead to Denial of Service.
All users of SUSE Linux Enterprise Server are affected.
Dnsmasq in SUSE Linux Enterprise Server 11 does not support DNSSEC and is therefore only affected by CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686.
Resolution
SUSE has already released fixes and updates for all the supported products.
All users are advised to update dnsmasq.
Cause
Status
Additional Information
- Configure dnsmasq not to listen on WAN interfaces unless your environment requires it.
- Reduce the maximum number of concurrent queries dnsmasq will forward. The default is 150, but it can be lowered with the option --dns-forward-max=<queries>.
- Temporarily disable the DNSSEC validation option until you have applied the patch. This leaves dnsmasq unaffected by the heap-based overflow vulnerabilities.
- Use DNS-over-HTTPS or DNS-over-TLS to connect to your upstream server.
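As an added example (not SUSE's or dnsmasq's own code), the following POSIX shell script audits a dnsmasq.conf for the workarounds listed above and reports each one that is missing. It assumes the standard dnsmasq.conf syntax (one option per line, "#" starts a comment, flag options such as dnssec carry no "=" value) and uses the real dnsmasq options dnssec, dns-forward-max, interface and listen-address; the sample configuration it audits is constructed here, not taken from any host.

```shell
#!/bin/sh
# Added example (not SUSE's or dnsmasq's own code): audit a dnsmasq.conf for the
# DNSpooq workarounds listed in this document. Assumes standard dnsmasq.conf
# syntax: one option per line, "#" starts a comment, flags have no "=" value.

# Print the effective value of OPTION in FILE ("set" for a bare flag), or
# nothing if it is absent or commented out. The last occurrence wins.
conf_value() {  # conf_value FILE OPTION
    sed -n -e 's/#.*//' -e 's/[[:space:]]*$//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" \
        -e "/^[[:space:]]*$2$/s/.*/set/p" "$1" | tail -n 1
}

# Print one WARN line per missing workaround; exit status is the number found.
audit_dnsmasq_conf() {  # audit_dnsmasq_conf FILE
    findings=0
    if [ "$(conf_value "$1" dnssec)" = set ]; then
        echo "WARN: dnssec enabled: heap-overflow CVEs (CVE-2020-25681/25682/25683/25687) reachable until patched"
        findings=$((findings + 1))
    fi
    max=$(conf_value "$1" dns-forward-max)
    if [ -z "$max" ] || [ "$max" -ge 150 ]; then
        echo "WARN: dns-forward-max=${max:-unset (default 150)}: lower it to shrink the TXID/port guessing window"
        findings=$((findings + 1))
    fi
    if [ -z "$(conf_value "$1" interface)" ] && [ -z "$(conf_value "$1" listen-address)" ]; then
        echo "WARN: no interface= or listen-address= restriction: dnsmasq may answer on WAN interfaces"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample config (not a real host's file): DNSSEC on, listener
# restriction commented out, forward limit left at the default.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
dnssec
#interface=eth0
dns-forward-max=150
EOF
audit_dnsmasq_conf "$SAMPLE_CONF" || echo "findings: $?"
rm -f "$SAMPLE_CONF"
```

Run it against /etc/dnsmasq.conf on a host to see which workarounds still apply there; an exit status of 0 means all three are in place.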
References:
https://www.jsof-tech.com/disclosures/dnspooq/
https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq_Technical-Whitepaper.pdf
https://bugzilla.suse.com/show_bug.cgi?id=1177077
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000019824
- Creation Date: 13-Jan-2021
- Modified Date: 19-Jan-2021
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com