Service Notices
Multiple High-risk Vulnerabilities in Dnsmasq
Jan 25, 2021 GMT+08:00
I. Overview
The JSOF research team disclosed seven vulnerabilities in Dnsmasq, a widely deployed open-source DNS forwarder and DHCP server. The set is named DNSpooq and falls into two groups:
1. Buffer overflows in the DNSSEC validation code. A forged DNS response can corrupt memory and crash the process (DoS) or, for CVE-2020-25681 and CVE-2020-25682, potentially lead to remote code execution. These bugs are only reachable when DNSSEC validation is enabled.
CVE-2020-25681 (high-risk)
CVE-2020-25682 (high-risk)
CVE-2020-25683
CVE-2020-25687
2. Weak validation of DNS responses (source address and port, transaction ID, and a weak cache hash), which lets an off-path attacker forge answers and poison the cache, redirecting clients to attacker-chosen addresses or denying them service.
CVE-2020-25684
CVE-2020-25685
CVE-2020-25686
If you run Dnsmasq, check the installed version and apply the fix or the workarounds below without delay.
For more information about these vulnerabilities, see:
https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq-Technical-WP.pdf
https://www.jsof-tech.com/disclosures/dnspooq/
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Dnsmasq before 2.83
Secure versions:
Dnsmasq 2.83 and later
IV. Vulnerability Handling
These vulnerabilities are fixed in Dnsmasq 2.83. If your version falls in the affected range, upgrade to 2.83 or later. Dnsmasq is also bundled in many routers, IoT devices and virtualization stacks, so check with those vendors for patched firmware or packages as well.
Temporary workarounds:
1. If Dnsmasq does not need to answer queries arriving on WAN interfaces, restrict it to internal interfaces (for example with interface=, bind-interfaces or except-interface=) so that Internet-facing attackers cannot reach it.
2. Reduce the value of --dns-forward-max=<queries>, the maximum number of queries that may be outstanding at once (default 150). The cache-poisoning attack relies on many simultaneously forwarded queries, so a lower limit shrinks its window.
3. If you cannot upgrade yet, disable DNSSEC validation (the dnssec option): the memory-corruption bugs are in the validation code. This removes DNSSEC protection until you upgrade, so re-enable it afterwards.
4. Use an encrypted transport to the upstream resolver (DoT or DoH) so that forged plaintext UDP answers are not accepted. Dnsmasq does not speak DoT or DoH itself; point its upstream at a local DoT/DoH proxy.
Note: Back up your configuration files and test the upgrade or workarounds thoroughly before rolling them out to production.
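The following script is an added example for the checks in this section; it is not part of the advisory or of the dnsmasq project. It decides from the output of `dnsmasq --version` whether a host is in the affected range (before 2.83) and audits a dnsmasq.conf body against the three configuration workarounds above (interface restriction, dns-forward-max, dnssec). It assumes `dnsmasq --version` prints "Dnsmasq version X.YY ..." on its first line and that the configuration lives in /etc/dnsmasq.conf; the sample strings it is tested with are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the dnsmasq project): version check
# for the DNSpooq affected range and an audit of the interim workarounds.
# Assumptions: `dnsmasq --version` prints "Dnsmasq version X.YY ..." on its
# first line; the configuration file is /etc/dnsmasq.conf.

# Extract "major.minor[suffix]" from `dnsmasq --version` output, e.g.
# "Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley" -> 2.80 and
# "Dnsmasq version 2.83rc1 ..." -> 2.83rc1. Prints nothing if nothing matches.
dnsmasq_version_of() {
    printf '%s\n' "$1" |
        sed -n 's/^Dnsmasq version \([0-9][0-9]*\.[0-9][0-9]*[A-Za-z0-9]*\).*/\1/p' |
        head -n 1
}

# Exit status 0: affected (older than 2.83). 1: 2.83 or later. 2: unparseable.
# Pre-release builds of 2.83 (2.83rc1, 2.83test3, ...) are treated as affected
# because the advisory names only the 2.83 release as fixed.
dnsmasq_is_dnspooq_vulnerable() {
    ver=$(dnsmasq_version_of "$1")
    [ -n "$ver" ] || { echo "cannot parse a Dnsmasq version from: $1" >&2; return 2; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=$(printf '%s' "$rest" | sed 's/[^0-9].*//')   # digits before any suffix
    suffix=$(printf '%s' "$rest" | sed 's/^[0-9]*//')   # e.g. "rc1", or empty
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -lt 83 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -eq 83 ] && [ -n "$suffix" ]; then return 0; fi
    return 1
}

# Audit a dnsmasq.conf body (passed as a string) against the workarounds.
# Prints one line per missing workaround; exit status = number of findings.
dnsmasq_audit_workarounds() {
    # Drop comments, leading whitespace and blank lines.
    clean=$(printf '%s\n' "$1" | sed 's/#.*//; s/^[[:space:]]*//; /^$/d')
    findings=0
    # Workaround 1: pin listening to LAN interfaces or addresses so that
    # WAN-facing attackers cannot reach the resolver at all.
    if ! printf '%s\n' "$clean" | grep -Eq '^(interface|listen-address|except-interface)='; then
        echo "listening not restricted: add interface=<lan-if> (with bind-interfaces) or except-interface=<wan-if>"
        findings=$((findings + 1))
    fi
    # Workaround 2: dns-forward-max below the default of 150 limits how many
    # queries an attacker can keep outstanding while spraying forged answers.
    fwd=$(printf '%s\n' "$clean" | sed -n 's/^dns-forward-max=\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    if [ -z "$fwd" ] || [ "$fwd" -ge 150 ]; then
        echo "dns-forward-max is ${fwd:-unset} (default 150): lower it, e.g. dns-forward-max=50"
        findings=$((findings + 1))
    fi
    # Workaround 3: the buffer overflows live in DNSSEC validation, so an
    # unpatched forwarder with 'dnssec' enabled exposes them to forged replies.
    if printf '%s\n' "$clean" | grep -Eq '^dnssec[[:space:]]*$'; then
        echo "dnssec enabled: comment it out until upgraded to 2.83 or later"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Live check of this host; skipped when dnsmasq is not installed.
if command -v dnsmasq >/dev/null 2>&1; then
    first=$(dnsmasq --version 2>/dev/null | head -n 1)
    rc=0
    dnsmasq_is_dnspooq_vulnerable "$first" || rc=$?
    case $rc in
        0) echo "AFFECTED: Dnsmasq $(dnsmasq_version_of "$first") is older than 2.83; upgrade or apply the workarounds" ;;
        1) echo "OK: Dnsmasq $(dnsmasq_version_of "$first") is 2.83 or later" ;;
        *) echo "could not determine the installed Dnsmasq version" ;;
    esac
    if [ -r /etc/dnsmasq.conf ]; then
        dnsmasq_audit_workarounds "$(cat /etc/dnsmasq.conf)" || true
    fi
fi
```

The audit only covers what can be read from dnsmasq.conf. Options passed on the command line or from files pulled in with conf-dir= are not seen, so on appliance firmware check the running process arguments (ps) as well as the file.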