
Multiple High-risk Vulnerabilities in Dnsmasq

Jan 25, 2021 GMT+08:00

I. Overview

The JSOF security team reported multiple vulnerabilities in Dnsmasq, an open-source DNS forwarding software. The vulnerabilities are collectively named DNSpooq and fall into the following two types:

1. Memory-corruption issues in DNSSEC validation, which can lead to DNS cache poisoning and be exploited for denial of service (DoS) and remote code execution.

CVE-2020-25681 (high-risk)

CVE-2020-25682 (high-risk)

CVE-2020-25683

CVE-2020-25687

2. Weak validation of DNS responses, which can lead to DNS cache poisoning and be exploited for DoS attacks.

CVE-2020-25684

CVE-2020-25685

CVE-2020-25686

If you run Dnsmasq, check your Dnsmasq version and apply security hardening promptly.

For more information about these vulnerabilities, see the following resources:

https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq-Technical-WP.pdf

https://www.jsof-tech.com/disclosures/dnspooq/

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

Dnsmasq before 2.83

Secure versions:

Dnsmasq 2.83

IV. Vulnerability Handling

These vulnerabilities are fixed in the latest official release. If the version you run falls into the affected range, upgrade it to the secure version.

Temporary workarounds:

1. If you do not need Dnsmasq to listen on WAN interfaces, disable that listening to reduce the exposed attack surface.

2. Reduce the value of the --dns-forward-max=<queries> option, which sets the maximum number of queries that may be forwarded. The default value is 150.

3. If you cannot upgrade to the secure version yet, disable DNSSEC validation.

4. Use secure DNS transport protocols (such as DoH and DoT).

Note: Back up your files and test thoroughly before applying any fix.
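The version check and the configuration workarounds above can be scripted. The following shell script is an added example, not part of this notice or of the Dnsmasq project: it compares the output of `dnsmasq --version` with the fixed version 2.83 and audits a dnsmasq.conf for workarounds 1 to 3 using the standard `interface=`, `listen-address=`, `dns-forward-max=` and `dnssec` configuration keys. The sample configuration it checks is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the advisory: compare an installed Dnsmasq with the
# fixed version named above (2.83) and audit a dnsmasq.conf for workarounds 1-3.
FIXED_VERSION="2.83"

# version_lt A B: true (0) if A is older than B; Dnsmasq versions are major.minor.
version_lt() {
    a_major=${1%%.*}; a_minor=0; case $1 in *.*) a_minor=${1#*.}; a_minor=${a_minor%%.*};; esac
    b_major=${2%%.*}; b_minor=0; case $2 in *.*) b_minor=${2#*.}; b_minor=${b_minor%%.*};; esac
    if [ "$a_major" -lt "$b_major" ]; then return 0; fi
    if [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; then return 0; fi
    return 1
}

# Takes the first line of `dnsmasq --version`, e.g.
#   Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
# Returns 0 if the build is in the affected range (before 2.83), 1 if not, 2 if unparsable.
dnsmasq_is_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Dnsmasq version \([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then return 2; fi
    version_lt "$ver" "$FIXED_VERSION"
}

# Audit a dnsmasq.conf (comments and trailing blanks stripped) for workarounds 1-3.
# Prints one line per check and returns the number of workarounds not applied.
audit_dnsmasq_conf() {
    effective=$(sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$1"); missing=0
    if printf '%s\n' "$effective" | grep -Eq '^(interface|listen-address)='; then
        echo "ok: listening restricted by interface= / listen-address= (workaround 1)"
    else
        echo "missing: no interface restriction, all interfaces are served (workaround 1)"; missing=$((missing + 1))
    fi
    if printf '%s\n' "$effective" | grep -q '^dns-forward-max='; then
        echo "ok: dns-forward-max is set explicitly (workaround 2)"
    else
        echo "missing: dns-forward-max not set, default 150 applies (workaround 2)"; missing=$((missing + 1))
    fi
    if printf '%s\n' "$effective" | grep -q '^dnssec$'; then
        echo "missing: dnssec validation enabled, disable until upgraded (workaround 3)"; missing=$((missing + 1))
    else
        echo "ok: dnssec validation not enabled (workaround 3)"
    fi
    return $missing
}

# Constructed sample config for the demonstration, not a real deployment.
SAMPLE_CONF=$(mktemp)
printf '# LAN resolver\ninterface=br-lan\ndnssec\n' > "$SAMPLE_CONF"
dnsmasq_is_vulnerable "Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley" && echo "2.80 is affected"
audit_dnsmasq_conf "$SAMPLE_CONF" || echo "workarounds still missing: $?"
```

On a live host, replace the literal version string with `"$(dnsmasq --version | head -n 1)"` and point the audit at the real configuration file (commonly /etc/dnsmasq.conf).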