{"vuid":"VU#434904","idnumber":"434904","name":"Dnsmasq is vulnerable to memory corruption and cache poisoning","keywords":null,"overview":"### Overview\r\nDnsmasq is vulnerable to a set of memory corruption issues in its handling of DNSSEC data and a second set of issues in its validation of DNS responses. These vulnerabilities could allow an attacker to corrupt memory on a vulnerable system and perform cache poisoning attacks against a vulnerable environment.\r\n\r\nThese vulnerabilities are also tracked as [ICS-VU-668462](https://us-cert.cisa.gov/ics/advisories/icsa-21-019-01) and referred to as [DNSpooq](https://www.jsof-tech.com/disclosures/dnspooq).\r\n\r\n### Description\r\n[Dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) is widely used open-source software that provides DNS forwarding and caching (and also a DHCP server). Dnsmasq is common in Internet-of-Things (IoT) and other embedded devices.\r\n\r\nJSOF reported multiple memory corruption vulnerabilities in dnsmasq due to boundary checking errors in the DNSSEC handling code.\r\n\r\n* CVE-2020-25681: A heap-based buffer overflow in dnsmasq in the way it sorts RRSets before validating them with DNSSEC data in an unsolicited DNS response\r\n* CVE-2020-25682: A buffer overflow vulnerability in the way dnsmasq extracts names from DNS packets before validating them with DNSSEC data\r\n* CVE-2020-25683: A heap-based buffer overflow in the get_rdata subroutine of dnsmasq, when DNSSEC is enabled and before it validates the received DNS entries\r\n* CVE-2020-25687: A heap-based buffer overflow in the sort_rrset subroutine of dnsmasq, when DNSSEC is enabled and before it validates the received DNS entries\r\n\r\nJSOF also reported vulnerabilities in DNS response validation that can result in DNS cache poisoning.\r\n\r\n* CVE-2020-25684: Dnsmasq does not validate the combination of the address/port and the query-id fields of a DNS request when accepting DNS responses\r\n* CVE-2020-25685: Dnsmasq uses a weak hashing algorithm (CRC32) to validate DNS responses when compiled without DNSSEC\r\n* CVE-2020-25686: Dnsmasq does not check for an existing pending request for the same name and forwards a new request, thus allowing an attacker to perform a [\"Birthday Attack\"](https://tools.ietf.org/html/rfc5452#section-5) scenario to forge replies and potentially poison the DNS cache\r\n\r\nNote: These cache poisoning scenarios and defenses are discussed in [IETF RFC5452](https://tools.ietf.org/html/rfc5452).\r\n\r\n### Impact\r\nThe memory corruption vulnerabilities can be triggered by a remote attacker using crafted DNS responses and can lead to denial of service, information exposure, and potentially remote code execution. The DNS response validation vulnerabilities allow an attacker to use unsolicited DNS responses to poison the DNS cache and redirect users to arbitrary sites.\r\n\r\n### Solution\r\n#### Apply updates\r\nThese vulnerabilities are addressed in [dnsmasq 2.83](http://www.thekelleys.org.uk/dnsmasq/?C=M;O=D). Users of IoT and embedded devices that use dnsmasq should contact their vendors.\r\n\r\n#### Follow security best practices\r\nConsider the following security best practices to protect DNS infrastructure:\r\n\r\n* Protect your DNS clients using [stateful-inspection firewalls](https://www.govinfo.gov/content/pkg/GOVPUB-C13-f52fdee3827e2f5d903fa8b4b66d4855/pdf/GOVPUB-C13-f52fdee3827e2f5d903fa8b4b66d4855.pdf) that provide DNS security (e.g., stateful firewalls and NAT devices can block unsolicited DNS responses; DNS application-layer inspection can prevent forwarding of anomalous DNS packets).\r\n* Provide a secure DNS recursion service with features such as DNSSEC validation and the interim [0x20-bit encoding](https://astrolavos.gatech.edu/articles/increased_dns_resistance.pdf) as part of enterprise DNS services where applicable.
\r\n* Avoid exposing IoT and other lightweight devices directly to the Internet, to minimize abuse of DNS.\r\n* Implement a [Secure By Default](https://en.wikipedia.org/wiki/Secure_by_default) configuration suitable for your operating environment (e.g., disable caching on embedded IoT devices when an upstream caching resolver is available).\r\n\r\n### Acknowledgements\r\nMoshe Kol and Shlomi Oberman of [JSOF](https://jsof-tech.com) researched and reported these vulnerabilities. Simon Kelley (author of dnsmasq) worked closely with collaborating vendors (Cisco, Google, Pi-Hole, Red Hat) to develop patches that address these security vulnerabilities. GitHub also supported this collaboration by providing its [GitHub Security Advisory](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-github-security-advisories) platform for coordination.\r\n\r\nThis document was written by Vijay Sarvepalli.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://www.kb.cert.org/vuls/id/800113","https://kb.cert.org/vuls/id/973527","https://transition.fcc.gov/bureaus/pshs/advisory/csric3/CSRICIII_9-12-12_WG4-FINAL-Report-DNS-Best-Practices.pdf","https://astrolavos.gatech.edu/articles/increased_dns_resistance.pdf","https://www.icann.org/news/blog/security-best-practices-dnssec-validation","http://www.thekelleys.org.uk/dnsmasq/doc.html","https://www.jsof-tech.com/disclosures/dnspooq"],"cveids":["CVE-2020-25687","CVE-2020-25685","CVE-2020-25682","CVE-2020-25686","CVE-2020-25681","CVE-2020-25683","CVE-2020-25684"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2021-01-19T17:25:30.069334Z","publicdate":"2021-01-19T17:25:26.246669Z","datefirstpublished":"2021-01-19T17:25:30.103685Z","dateupdated":"2024-08-19T18:19:41.572475Z","revision":15,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":36}