DNSPOOQ!!!! Upgrade your DNSMASQ to Version 2.83

madironman

 

Summary

There is a new vulnerability in dnsmasq, long after the great Kaminsky attack of 2008. It was published by the JSOF foundation, which released it on 19 January 2021.
This is a set of vulnerabilities that can poison the DNS cache, execute code remotely, or perform a buffer overflow attack. It was named DNSpooq by the JSOF foundation. The DNSpooq vulnerabilities include DNS cache poisoning vulnerabilities as well as a potential remote code execution and others. The list of devices using dnsmasq is long and varied. According to our internet-based research, prominent users of dnsmasq seem to include Cisco routers, Android phones, Aruba devices, Technicolor, and Red Hat, as well as Siemens, Ubiquiti Networks, Comcast, and others listed below. Depending on how they use dnsmasq, devices may be more or less affected, or not affected at all.

The origin of the name DNSpooq is a merge of three elements: DNS spoofing, the idea of a spook spying on Internet traffic, and the ‘q’ at the end of dnsmasq, replacing the ‘k’ of spook with a ‘q’. The spy or spook graphic illustrates the effect of effective DNS spoofing on the ability to spy on internet traffic. The JSOF-pink glasses show how looking through tainted glasses, or a compromised middleman, may alter your perception of reality.

DNSpooq demonstrates that DNS implementations are still insecure, even today, 13 years after the last major attack was described. The vulnerability basically lets the attacker gain control over your DNS cache, allowing the attacker to redirect the victim's websites to the attacker's own infected site or to carry out other types of attacks such as DDoS.

Quotes

The DNS protocol has a history of vulnerabilities dating back to the famous 2008 Kaminsky attack. Nevertheless, a large part of the Internet still relies on DNS as a source of integrity, in the same way it has for over a decade, and is therefore exposed to attacks that can endanger the integrity of parts of the web. DNSpooq demonstrates that DNS implementations are still insecure, even today, 13 years after the last major attack was described.


My thoughts

Personally, I think this finding is huge; when the Kaminsky attack was published, the entire internet panicked. This vulnerability is similar to that attack, but luckily it is already patched in dnsmasq. dnsmasq is used as the DNS service by the majority of routers, modems, etc. It's crucial to educate manufacturers/users to update their products to prevent any attacks using this vulnerability.


Source

https://www.jsof-tech.com/disclosures/dnspooq/


51 minutes ago, madironman said:

Its crucial to educate people manufacturers to update thieir dnsmasq their products to prevent any attacks using this vulnerability.

FIFY. Sadly, the "release it then forget it" scenario is still a very popular one when it comes to routers. They will support it for maybe a year, then you are SOL. Either keep using a time bomb or buy a new one, which will suffer the same fate...


To be fair, this isn't something your average user really needs to worry about. Sure, some routers will be susceptible, but they'll mostly get patched automatically anyway.


I'd hate to be working in an internet exchange or data centre right now though.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


1 minute ago, jagdtigger said:

FIFY, sadly the "release it then forget it" scenario is still a very popular one when it comes to routers. They will support it maybe for a year then you are SOL. Either keep using a time bomb or buy the new one which will suffer the same fate.....

Correct me if I'm wrong but I thought those cheap throwaway routers mostly run on BIND and not DNSMASQ?



Just now, Master Disaster said:

Correct me if I'm wrong but I thought those cheap throwaway routers mostly run on BIND and not DNSMASQ?

I think most of them would use dnsmasq because it can also act as DHCP and TFTP... Regardless, I've seen many not-so-cheap, non-throwaway routers getting dropped after one year.


24 minutes ago, jagdtigger said:

FIFY, sadly the "release it then forget it" scenario is still a very popular one when it comes to routers. They will support it maybe for a year then you are SOL. Either keep using a time bomb or buy the new one which will suffer the same fate.....

Thanks for the correction @jagdtigger. This is my first post 😅, I am sorry.


21 minutes ago, Master Disaster said:

Correct me if I'm wrong but I thought those cheap throwaway routers mostly run on BIND and not DNSMASQ?

Most of the decent routers use dnsmasq as it also does DHCP, like @jagdtigger said. You can find the list of products/vendors affected here: https://www.jsof-tech.com/disclosures/dnspooq/#DNSPOOQ-scenarios:~:text=Vendors,-Some . It's true the average user need not worry about this as it will be patched, but some routers/devices might not have a fancy auto-upgrade option; in that case the users must upgrade to the latest firmware ASAP to stay protected. I think this vulnerability is a must-fix even for discontinued products.


Once again pfSense isn't exploited in yet another consumer-grade router hack. All because they disable unneeded crap right out of the box.


2 minutes ago, Shorty88jr said:

Once again pfSense isn't exploited in yet another consumer grade router hack. All because they disable un needed crap right out of the box.

I am afraid the DNS forwarder/resolver used by pfSense is also dnsmasq; correct me if I am wrong.


If anyone is using OpenWrt, I suggest reading up on how to mitigate this problem.

EVGA SR-2 / 2x Intel Xeon X5675 4.4Ghz OC / 24GB EEC 1800Mhz OC/ AMD RX570 / Enermax Evoliution 1050W / Main RAID 0: 2x256GB 840EVO SSD / BackUp(1) Raid 5: 3x2TB WD HDD / BackUp(2) 8x2TB / Dell U2412M / Dell U2312HM


19 minutes ago, Shorty88jr said:

All because they disable un needed crap right out of the box.

😕

DNS is not unneeded crap; it's vital to making routers work at all.



27 minutes ago, madironman said:

I am afraid the DNS forwarder/resolver used by pfSense is also dnsmasq , correct me if I am wrong.

The DNS Resolver in pfSense® utilizes unbound, which is a validating, recursive, caching DNS resolver that supports DNSSEC and a wide variety of options.

https://docs.netgate.com/pfsense/en/latest/services/dns/resolver.html


1 minute ago, gabrielcarvfer said:

For routers? Routers do not require DNS at all. It is essential to make the web accessible to common people.

If your router didn't support DNS forwarding, then how would it talk to the wider internet?

Also, while it's not really essential to a network operating, DNS is needed to allow hostname resolution between clients.



15 minutes ago, gabrielcarvfer said:

For routers? Routers do not require DNS at all. It is essential to make the web accessible to common people.

It is also needed for common people to access the router through some friendly address like tplinklogin.net, which cannot be done without a local DNS server.


40 minutes ago, gabrielcarvfer said:

You don't need to intercept and forward DNS requests at all. Just use DHCP to distribute the ISP provided DNS or use a different one (e.g. 1.1.1.1) and that is it.

The router will gladly forward the DNS request without knowing it is a DNS request.

Hostname resolution between clients = mDNS/Bonjour. There is a Windows alternative, but I don't really use it.

This is true, but most users don't configure any of the DNS settings, and most routers, at least the ones I have seen, assign the DNS server as their own gateway (GW) address and forward the DNS requests to the ISP's DNS servers (i.e. act as a DNS forwarder). Manufacturers usually have this feature enabled by default as a safety feature, as your router acts as a DNS proxy.


6 hours ago, madironman said:

I am afraid the DNS forwarder/resolver used by pfSense is also dnsmasq; correct me if I am wrong.

5 hours ago, jagdtigger said:


5 hours ago, Master Disaster said:

😕

DNS is not unneeded crap; it's vital to making routers work at all.

https://forum.netgate.com/topic/160024/dnsmasq-important-security-update

This attack vector is not being utilized in pfSense by default because it's not needed except for backwards compatibility.


3 hours ago, Shorty88jr said:

https://forum.netgate.com/topic/160024/dnsmasq-important-security-update

This attack vector is not being utilized in pfSense by default because it's not needed except for backwards compatibility.

That's great to know it's not affected by default. Still, if pfSense uses DNSSEC then this CVE-2020-25681 (CVSS 8.1) would still be relevant, I guess.

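As an added example, not part of the original thread and not code from the dnsmasq project, the POSIX shell script below pulls together the checks the thread keeps circling: it parses the banner that `dnsmasq --version` prints (assumed to be the usual "Dnsmasq version X.YY ..." form), compares it against the 2.83 fix release from the title, and reads the config to see whether DNSSEC validation is switched on (the case where CVE-2020-25681 is relevant) or whether DNS is switched off entirely with dnsmasq's documented `port=0`, which is the DHCP-only setup from the exchange above where clients get an upstream resolver straight from DHCP option 6 instead of the router's own address. The banners and config files at the bottom are constructed samples, not captures from any device, and the file path in the trailing comment is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post or from the dnsmasq project.
# Triages a dnsmasq install against two data points from the thread: the fixed
# release is 2.83, and the DNSSEC-related CVE-2020-25681 only matters when the
# config turns DNSSEC validation on. Everything works on text, so the
# constructed samples at the bottom run offline; on a real box pass the output
# of `dnsmasq --version` and the config file dnsmasq actually reads instead.

FIXED_VERSION=2.83

# "Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley" -> "2.80"
# (assumed banner layout; prints nothing if the first line does not match)
banner_version() {
    awk 'NR == 1 && $1 == "Dnsmasq" && $2 == "version" { print $3; exit }'
}

# version_at_least HAVE WANT: succeeds when HAVE >= WANT, comparing
# major.minor numerically so 2.9 sorts below 2.83 (a string compare would not).
# A pre-release suffix (2.83rc1) is dropped, i.e. treated as its base version.
version_at_least() {
    have_major=${1%%.*}; want_major=${2%%.*}
    case $1 in *.*) have_minor=${1#*.} ;; *) have_minor=0 ;; esac
    case $2 in *.*) want_minor=${2#*.} ;; *) want_minor=0 ;; esac
    have_minor=$(printf '%s' "${have_minor%%.*}" | sed 's/[^0-9].*//')
    want_minor=$(printf '%s' "${want_minor%%.*}" | sed 's/[^0-9].*//')
    [ "${have_major:-0}" -gt "${want_major:-0}" ] && return 0
    [ "${have_major:-0}" -lt "${want_major:-0}" ] && return 1
    [ "${have_minor:-0}" -ge "${want_minor:-0}" ]
}

# conf_has OPTION (config on stdin): true when an uncommented line sets it,
# either bare ("dnssec") or with a value ("cache-size=1000").
conf_has() {
    grep -Eq '^[[:space:]]*'"$1"'[[:space:]]*(=|$)'
}

# dns_disabled (config on stdin): dnsmasq's documented "port=0" switches the
# DNS server off entirely, leaving only DHCP/TFTP (the DHCP-only deployment
# discussed in the thread).
dns_disabled() {
    grep -Eq '^[[:space:]]*port[[:space:]]*=[[:space:]]*0[[:space:]]*$'
}

# assess BANNER CONFIG: prints one "VERDICT: detail" line.
assess() {
    ver=$(printf '%s\n' "$1" | banner_version)
    if [ -z "$ver" ]; then
        echo "UNKNOWN: could not parse a dnsmasq version banner"
    elif version_at_least "$ver" "$FIXED_VERSION"; then
        echo "FIXED: dnsmasq $ver is at or above $FIXED_VERSION"
    elif printf '%s\n' "$2" | dns_disabled; then
        echo "DNS-OFF: dnsmasq $ver has port=0 (DNS function disabled); still upgrade to $FIXED_VERSION when a build is available"
    elif printf '%s\n' "$2" | conf_has dnssec; then
        echo "VULNERABLE-DNSSEC: dnsmasq $ver is below $FIXED_VERSION with DNSSEC validation on (the thread's CVE-2020-25681 case); upgrade now"
    else
        echo "VULNERABLE: dnsmasq $ver is below $FIXED_VERSION; upgrade to $FIXED_VERSION"
    fi
}

# Constructed sample inputs (not captured from a real device).
BANNER_OLD='Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley'
BANNER_NEW='Dnsmasq version 2.83  Copyright (c) 2000-2021 Simon Kelley'

# Typical router default from the thread: dnsmasq hands itself out as the DNS
# server via DHCP and forwards queries upstream (a caching forwarder).
CONF_FORWARDER='interface=br-lan
dhcp-range=192.168.1.100,192.168.1.200,12h
server=1.1.1.1
cache-size=1000'

# Same, but with DNSSEC validation switched on (trust anchors omitted here).
CONF_DNSSEC="$CONF_FORWARDER
dnssec"

# DHCP-only: dnsmasq no longer answers DNS; clients get an upstream resolver
# directly via DHCP option 6 instead of the router's own address.
CONF_DHCP_ONLY='port=0
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-option=option:dns-server,1.1.1.1,1.0.0.1'

assess "$BANNER_OLD" "$CONF_FORWARDER"
assess "$BANNER_OLD" "$CONF_DNSSEC"
assess "$BANNER_OLD" "$CONF_DHCP_ONLY"
assess "$BANNER_NEW" "$CONF_FORWARDER"
# On a live system (path assumed; OpenWrt renders its config elsewhere):
#   assess "$(dnsmasq --version)" "$(cat /etc/dnsmasq.conf)"
```

The verdict order is deliberate: a fixed build is reported as fixed regardless of config, and `port=0` only changes the verdict for an old build, because it removes the DNS listener that the cache-poisoning and DNSSEC issues are reached through but does not change the binary. Distribution builds that backport the fix without bumping the version string will show up as VULNERABLE here, so treat the script as a triage aid and confirm against the vendor's advisory.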

4 hours ago, madironman said:

still if pfsense uses DNSSEC then this CVE-2020-25681 ( CVS 8.1 )  would still be relevant i guess.

It only applies to dnsmasq, so no.

