Security Vulnerability: "DNSpooq" multiple vulnerabilities against dnsmasq

This document (000019824) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
 

Situation

Security researchers from JSOF Research Lab have published multiple vulnerabilities against dnsmasq which received the code-name DNSpooq.

Dnsmasq is one of the most popular caching DNS forwarders and is intended to provide coupled DNS and DHCP services to a small network. However, it is possible to configure dnsmasq to listen on the open internet. Dnsmasq is included in most Linux distributions and can be configured to support DNSSEC. In their paper, the researchers disclosed two different groups of vulnerabilities, which resulted in 7 CVE assignments.

The first group (CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686) refers to potential cache poisoning attacks. All of these vulnerabilities reduce the entropy of the identifiers, the TXID (Transaction ID) and the source port, and thus make it easier for attackers to guess a correct combination of port and TXID and create a DNS reply that is accepted as valid, allowing them to place malicious entries in the DNS server cache. This means, for example, that a potential attacker can redirect traffic to their own web server instead of the legitimate one.

The second group of vulnerabilities (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687) is only exploitable when DNSSEC is enabled. All of these vulnerabilities are exploitable when crafted DNS replies are sent and all result in heap-based overflows. The vulnerable function is sort_rrset and the vulnerabilities are triggered during DNSSEC validation. It is believed that the most severe of these vulnerabilities can lead to remote code execution, while the rest lead to denial of service.

All users of SUSE Linux Enterprise Server are affected.
Dnsmasq in SUSE Linux Enterprise Server 11 does not support DNSSEC and thus is only affected by CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686.
 

Resolution

SUSE has already released fixes and updates for all the supported products.
All users are advised to update dnsmasq.

Cause

Status

Security Alert

Additional Information

Workaround:
  • Configure dnsmasq not to listen on WAN interfaces if unnecessary in your environment.
  • Reduce the maximum number of queries allowed to be forwarded. The default is 150, but it could be lowered. This can be done with the option --dns-forward-max=<queries>
  • Temporarily disable the DNSSEC validation option until you get a patch. With validation disabled, dnsmasq is not affected by the heap-based overflow vulnerabilities.
  • Use DNS-over-HTTPS or DNS-over-TLS to connect to your upstream server.
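
The first three workarounds can be checked against a dnsmasq configuration file. The script below is an added example, not part of the original SUSE document; the sample configurations, the interface name eth1 and the finding labels are constructed for illustration. It does not follow conf-file/conf-dir includes or command-line options, and it does not check the upstream transport (DNS-over-HTTPS/TLS).

```python
DEFAULT_FORWARD_MAX = 150  # default stated in the advisory

# Constructed sample configs (not from a real host).
EXPOSED = """\
# constructed example: defaults plus DNSSEC validation
domain-needed
dnssec            # validation on
cache-size=1000
"""
HARDENED = """\
interface=eth1    # assumed LAN-side interface name
bind-interfaces
dns-forward-max=50
#dnssec           (temporarily disabled until patched)
"""

def parse_options(text):
    """Map option name -> list of values for 'option' / 'option=value' lines."""
    opts = {}
    for raw in text.splitlines():
        # Simplification: treat every '#' as the start of a comment.
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def audit(text):
    """Return labels for the advisory workarounds the config does not apply."""
    opts = parse_options(text)
    findings = []
    # Without any of these options dnsmasq listens on all interfaces.
    if not any(k in opts for k in ("interface", "listen-address", "except-interface")):
        findings.append("listen-unrestricted")
    # Use the last occurrence of the option if it appears more than once.
    forward_max = int(opts.get("dns-forward-max", [DEFAULT_FORWARD_MAX])[-1])
    if forward_max >= DEFAULT_FORWARD_MAX:
        findings.append("dns-forward-max-not-lowered")
    # 'dnssec' turns on validation, the code path of the heap overflow CVEs.
    if "dnssec" in opts:
        findings.append("dnssec-validation-enabled")
    return findings

if __name__ == "__main__":
    for name, conf in (("EXPOSED", EXPOSED), ("HARDENED", HARDENED)):
        print(name, audit(conf) or "all checked workarounds applied")
```

An interface or listen-address entry only shows that listening is restricted; whether the named interface faces the WAN still has to be confirmed on the host.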

References:
https://www.jsof-tech.com/disclosures/dnspooq/
https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq_Technical-Whitepaper.pdf
https://bugzilla.suse.com/show_bug.cgi?id=1177077

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000019824
  • Creation Date: 19-Jan-2021
  • Modified Date: 19-Jan-2021
    • SUSE Linux Enterprise Server
