DNSpooq - seven new vulnerabilities in dnsmasq

Specialists from the JSOF research lab have reported seven new vulnerabilities in the DNS/DHCP server dnsmasq. The dnsmasq server is very popular and is used by default in many Linux distributions, as well as in network equipment from Cisco, Ubiquiti and others. The DNSpooq vulnerabilities include DNS cache poisoning as well as remote code execution. The vulnerabilities are fixed in dnsmasq 2.83.

In 2008, renowned security researcher Dan Kaminsky discovered and exposed a fundamental flaw in the Internet's DNS mechanism. Kaminsky proved that attackers can spoof domain addresses and steal data. This has since become known as the "Kaminsky Attack".

DNS has been considered an insecure protocol for decades, even though it is supposed to guarantee a certain level of integrity, and it is for this reason that it is still heavily relied upon. Over time, mechanisms were developed to improve the security of the original DNS protocol, including HTTPS, HSTS, DNSSEC and other initiatives. However, even with all these mechanisms in place, DNS hijacking is still a dangerous attack in 2021. Much of the internet still relies on DNS the same way it did in 2008 and is subject to the same kinds of attacks.

DNSpooq cache poisoning vulnerabilities: CVE-2020-25686, CVE-2020-25684, CVE-2020-25685. These vulnerabilities are similar to the SAD DNS attacks recently reported by researchers at the University of California and Tsinghua University. SAD DNS and DNSpooq vulnerabilities can also be combined to further facilitate attacks. Additional attacks with unclear consequences have also been reported by joint university research efforts (Poison Over Troubled Forwarders and others).

The vulnerabilities work by reducing entropy. Because dnsmasq uses a weak hash to identify DNS queries and matches queries to responses inaccurately, the entropy an attacker has to overcome can be greatly reduced, so that only ~19 bits need to be guessed, which makes cache poisoning possible. The way dnsmasq handles CNAME records allows a chain of CNAME records to be forged, effectively poisoning up to 9 DNS records at once.

Buffer overflow vulnerabilities: CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, CVE-2020-25681. All four of these vulnerabilities are in the DNSSEC implementation code and are reachable only when DNSSEC validation is enabled in the configuration.
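As an added triage example (not part of the original report or of the dnsmasq project), the check below maps the facts above onto a host: any dnsmasq before 2.83 is exposed to the three cache poisoning CVEs, and the four DNSSEC buffer overflows apply only when the `dnssec` option is active in dnsmasq.conf. The `dnsmasq --version` banner format and the sample configuration are assumptions, constructed for the example.

```python
import re

# Everything before this version is affected according to the advisory.
FIXED_VERSION = (2, 83)

CACHE_POISONING_CVES = ("CVE-2020-25686", "CVE-2020-25684", "CVE-2020-25685")
DNSSEC_OVERFLOW_CVES = ("CVE-2020-25687", "CVE-2020-25683",
                        "CVE-2020-25682", "CVE-2020-25681")


def parse_version(banner: str) -> tuple:
    """Extract (major, minor) from a `dnsmasq --version` banner.
    Assumes the usual "Dnsmasq version 2.80  Copyright ..." shape."""
    m = re.search(r"[Dd]nsmasq version (\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no dnsmasq version found in banner")
    return int(m.group(1)), int(m.group(2))


def dnssec_enabled(config_text: str) -> bool:
    """True if an uncommented bare `dnssec` directive is present."""
    for line in config_text.splitlines():
        directive = line.split("#", 1)[0].strip()  # drop trailing comments
        if directive == "dnssec":
            return True
    return False


def assess(banner: str, config_text: str) -> dict:
    """Return the version, whether it predates the fix, and the CVEs reachable."""
    version = parse_version(banner)
    vulnerable = version < FIXED_VERSION
    exposed = []
    if vulnerable:
        exposed.extend(CACHE_POISONING_CVES)
        if dnssec_enabled(config_text):  # overflows need DNSSEC validation on
            exposed.extend(DNSSEC_OVERFLOW_CVES)
    return {"version": version, "vulnerable": vulnerable, "exposed_cves": exposed}


# Constructed sample inputs, not captured from a real host.
SAMPLE_BANNER = "Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley"
SAMPLE_CONFIG = """# constructed /etc/dnsmasq.conf
domain-needed
dnssec
conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```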

Source: linux.org.ru