DNSpooq Issues Permit DNS Hijacking of Millions of Devices!

DNSpooq Issues Permit DNS Hijacking of Millions of Devices!

Researchers have uncovered a number of flaws in dnsmasq, popular open-source software used for caching Domain Name System (DNS) responses for home & commercial routers & servers.

7 flaws in open-source software Dnsmasq could allow DNS cache poisoning attacks & remote code execution.

The 7 flaws are comprised of buffer overflow issues & flaws allowing for DNS cache-poisoning attacks (also known as DNS spoofing). If exploited, these flaws could be chained together to allow remote code execution, denial of service & other attacks.

DNS Spoofing

Researchers have labelled the set of vulnerabilities “DNSpooq,” a combination of DNS spoofing, the concept of “a spook spying on internet traffic,” & the “q” at the end of dnsmasq.

“DNSpooq is a series of vulnerabilities found in the ubiquitous open-source software dnsmasq, demonstrating that DNS is still insecure, 13 years after the last major attack was described,” outlined researchers with the JSOF research lab, in a recent analysis.

DNS Resolution

Dnsmasq is installed on many home and commercial routers & servers in many organisations. The software’s storing of responses to previously asked DNS queries locally speeds up the DNS resolution process; however, it has many other uses as well, including providing DNS services to support Wi-Fi hot-spots, enterprise guest networks, virtualisation & ad blocking.

Researchers have identified at least 40 vendors who utilise dnsmasq in their products, including Cisco routers, Android phones, Aruba devices, Technicolor & Red Hat, as well as Siemens, Ubiquiti networks, Comcast & many others. In all, “millions” of devices are affected, they observed.

DNS Cache Poisoning

3 of the flaws (CVE-2020-25686, CVE-2020-25684 & CVE-2020-25685) could enable DNS cache ‘poisoning.’

DNS cache poisoning is a type of attack that lets DNS queries to be subverted.  In a real-world situation, an attacker here could use unsolicited DNS responses to poison the DNS cache, convince unknowing internet browsers to a specially designed attacker-owned website, & then redirect them to malicious servers.

This could potentially lead to fraud & various other malicious attacks, if victims think they are browsing to 1 website but are actually routed to another, stated researchers. Further attacks could include phishing attacks or malware distribution.

“Traffic that might be subverted includes regular Internet browsing as well as other types of traffic, such as emails, SSH, remote desktop, RDP video & voice calls, software updates & so on,” explained researchers.

Buffer Overflow

Researchers also shed light on 4 buffer-overflow vulnerabilities (CVE-2020-25687, CVE-2020-25683, CVE-2020-25682 & CVE-2020-25681) in dnsmasq. The memory-corruption flaws can be triggered by a remote attacker using crafted DNS responses. The attack can lead to denial of service, information exposure & potentially remote code execution.

While most of these flaws are heap-based buffer-overflow issues that could lead to denial of service, 1 of the flaws is a high-severity issue that could potentially enable remote code execution when dnsmasq is configured to use domain name system security extensions (DNSSEC), a set of protocols that add a layer of security to the domain name system.


“For the buffer overflows & remote-code execution, devices that don’t use the DNSSEC feature will be immune,” stated researchers. “DNSSEC is a security feature meant to prevent cache poisoning attacks & so we would not recommend turning it off, but rather updating to the newest version of dnsmasq.”

Researchers said that the approximately 1m dnsmasq servers openly visible on the internet (according to Shodan) make attacks launched via the internet “very simple,” & that there are several real-world situations that set up an attacker to exploit these flaws.

Internal Network

“This may be possible in some cases, we believe rare, even if the forwarder is not open to the internet,” they commented.

Also, if a dnsmasq server is only configured to listen to connections received from within an internal network & an attacker gains a foothold on any device in that network – they would be able to perform the attack.

Or, if a dnsmasq server is only configured to listen to connections received from within an internal network but the network is open (including an airport network or a corporate guest network) an attacker could perform the attack.

The Impact

The flaws have varying severity, with CVE-2020-25681 and CVE-2020-25682 being high severity. However, researchers suggested that if these vulnerabilities were chained together they could lead to an array of multi-stage attacks.

“This is because exploiting some of the vulnerabilities makes it easier to exploit others,” outlined researchers. “e.g., we found that combining CVE-2020-25682, CVE-2020-25684, & CVE-2020-25685 would result in CVE-2020-25682 having a lower attack complexity (with the same impact) & result in a combined CVSS of 9.8 according to our analysis.”

Internet-of-Things (IoT)

Researchers disclosed the flaws in Aug. & publicly revealed them this Jan. These vulnerabilities are addressed in dnsmasq 2.83; users of internet-of-things (IoT) & embedded devices that use dnsmasq should contact their vendors for further information regarding updates.

“With the help of CERT/CC and volunteers from several companies, a working group was formed, combining the expertise & extended reach of members from JSOF, CERT/CC, Cisco, Google, Red Hat, Pi-hole and Simon Kelley, the maintainer of dnsmasq, to ensure that the DNSpooq vulnerabilities would be effectively fixed and well documented & communicated,” concluded researchers.