DNSpooq Vulnerabilities in DNS Software Let Attackers Hijack Millions of Network Devices

Recently, cybersecurity experts have disclosed seven vulnerabilities in a very popular DNS software package that is deployed in routers and access points across every kind of business.

Dnsmasq is very widely used: the experts have identified approximately 40 vendors they believe ship Dnsmasq in their products, and it is also included in major Linux distributions.

The experts have dubbed the set of flaws DNSpooq. The flaws reside in Dnsmasq, the DNS forwarder for UNIX-based operating systems.

DNSpooq

Dnsmasq is built into the firmware of many network devices to provide DNS forwarding: it accepts the DNS requests made by local users, forwards them to an upstream DNS server and caches the results.

The same cached results are then served to other clients without a new upstream DNS query. The software is found in devices from firms such as Cisco, ZTE, Huawei and D-Link, among others.

Impact

The DNSpooq vulnerability set falls into two types of vulnerabilities:

  • DNS cache poisoning attacks: similar to the Kaminsky attack, but differing in some aspects.
  • Buffer overflow vulnerabilities: these could lead to remote code execution.

Vulnerabilities

Flaw              CVSS
CVE-2020-25681    8.1
CVE-2020-25682    8.1
CVE-2020-25683    5.9
CVE-2020-25687    5.9
CVE-2020-25684    4
CVE-2020-25685    4
CVE-2020-25686    4

Affected vendors

  • A10 Networks
  • Aruba
  • Asus
  • AT&T
  • AudioCodes
  • Belden
  • Buffalo Networks
  • Cisco
  • Comcast
  • CrossControl
  • D-Link
  • Dell
  • Digi International
  • General Electric
  • Google
  • Grandstream
  • Hirschmann
  • HPE
  • Huawei
  • IBM
  • Intellidesign
  • Juniper
  • Linksys
  • Motorola
  • Netgear
  • OpenStack
  • Parrot
  • Peplink
  • Qualcomm
  • Raspberry
  • Red Lion Controls
  • Red Hat
  • Ruckus
  • Siemens
  • Synology
  • Technicolor
  • Tesla
  • Teltonika
  • Ubiquiti Networks
  • Virtual Access
  • Volkswagen / Harman
  • Xiaomi
  • ZTE
  • Zyxel

Attack Scenarios

There are several possible attack scenarios:

  • Open forwarders
  • Closed networks with internal attackers
  • Browser-based attacks
  • Open WiFi or wired networks

Mitigation

The experts state that several workarounds exist, all documented in their whitepaper, but the best mitigation is to update Dnsmasq to version 2.83 or above.
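Since the article's recommended mitigation is a version check, here is an added example (not code from the article, the researchers or the Dnsmasq project) that does that check the way a defender auditing their own resolvers would: Dnsmasq answers a CHAOS-class TXT query for version.bind with a banner such as "dnsmasq-2.80", so the script builds that query, parses the TXT answer out of the DNS wire format, and compares the reported version against the 2.83 threshold named above. The sample response embedded at the bottom is constructed, not captured from a device, so the module runs offline; query_live() is for resolvers you administer and assumes the device has not been built or configured to suppress the banner.

```python
"""Check a Dnsmasq version banner against the DNSpooq fix threshold (2.83)."""
import re
import socket
import struct

FIXED_VERSION = (2, 83)  # DNSpooq is addressed in Dnsmasq 2.83 (per the article)


def build_version_query(txid: int = 0x1234) -> bytes:
    """Build a DNS query for version.bind, class CHAOS (3), type TXT (16)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l for l in (b"version", b"bind")) + b"\x00"
    return header + qname + struct.pack("!HH", 16, 3)


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_txt_answers(response: bytes) -> list:
    """Extract the TXT strings from every answer RR in a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", response, 0)
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(response, offset) + 4  # skip QTYPE + QCLASS
    texts = []
    for _ in range(ancount):
        offset = _skip_name(response, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack_from("!HHIH", response, offset)
        offset += 10
        rdata = response[offset:offset + rdlength]
        offset += rdlength
        if rtype != 16:  # only TXT records carry the banner
            continue
        pos = 0
        while pos < len(rdata):  # TXT RDATA is a sequence of length-prefixed strings
            slen = rdata[pos]
            texts.append(rdata[pos + 1:pos + 1 + slen].decode("ascii", "replace"))
            pos += 1 + slen
    return texts


def parse_dnsmasq_version(text: str):
    """Pull (major, minor) out of banners like 'dnsmasq-2.80' or 'dnsmasq-2.83-1'."""
    m = re.search(r"dnsmasq-(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_fixed(text: str) -> bool:
    """True if the banner reports a Dnsmasq version of 2.83 or later."""
    version = parse_dnsmasq_version(text)
    return version is not None and version >= FIXED_VERSION


def query_live(host: str, port: int = 53, timeout: float = 2.0) -> list:
    """Send the version.bind query to a resolver you administer; return its TXT strings."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (host, port))
        data, _ = s.recvfrom(512)
    return parse_txt_answers(data)


# Constructed sample response (not captured from a real device): one TXT answer
# "dnsmasq-2.80", with the answer name given as a compression pointer to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07version\x04bind\x00" + struct.pack("!HH", 16, 3)
    + b"\xc0\x0c" + struct.pack("!HHIH", 16, 3, 0, 13) + b"\x0cdnsmasq-2.80"
)

if __name__ == "__main__":
    for banner in parse_txt_answers(SAMPLE_RESPONSE):
        print(banner, "-> patched" if is_fixed(banner) else "-> update to 2.83 or later")
```

The comparison is done on the (major, minor) tuple rather than on the raw string so that a vendor build such as "dnsmasq-2.84-1" is still recognised as at or above 2.83; a banner that does not match the dnsmasq pattern is treated as unknown, not as patched.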

DNS poisoning flaws are not that difficult to fix, but their exploitation can be efficiently automated for use by botnets, phishing operations and other campaigns.

Nearly 1 million Dnsmasq servers are exposed on the Internet according to Shodan, and over 630,000 according to BinaryEdge; millions of other routers, VPNs, smartphones, tablets, infotainment systems, modems, access points, drones and similar equipment that are not reachable over the Internet are also vulnerable to attack.

The cybersecurity researchers reported the flaws in August and publicly disclosed them this month. The vulnerabilities are addressed in Dnsmasq 2.83; users of Internet-of-Things (IoT) and embedded devices that use Dnsmasq should contact their vendors for further information about updates.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.