Researchers at JSOF have discovered seven distinct spoofing and buffer overflow vulnerabilities in DNSmasq, a popular free, open-source piece of software used in networking devices to cache and forward Domain Name System requests.
The DNS is often referred to as the “phonebook” of the internet and is used to match domain names (such as www.scworld.com) with their corresponding IP addresses. In a paper released Jan. 19, researchers from JSOF outline three DNS cache poisoning vulnerabilities and another four buffer overflow vulnerabilities, which they are collectively calling DNSpooq. Used individually or in tandem, the vulnerabilities allow a malicious actor to carry out a number of diverse attacks, such as spoofing popular websites, conducting denial of service attacks and, in some cases, performing remote code execution.
Shlomi Oberman, CEO and co-founder at JSOF, told SC Media that DNSmasq has become the default DNS forwarder for many Linux-based systems, routers and networking gear. While certain security protocols like HTTPS provide some protection against these attacks, they do not fully mitigate them. He said the newest version of DNSmasq was patched during the coordinated vulnerability disclosure period to address the flaws.
“It basically erodes the trust in the middleman between our computer and the internet, and being so common in the Linux ecosystem and being there for so many years it’s become common everywhere,” Oberman said, noting that they had thus far identified at least 40 vendors that use DNSmasq in their products, such as Comcast, Cisco, Android, Red Hat and others. Not all will be vulnerable to the suite of attacks, depending on their configuration.
The cache poisoning attack can be performed in minutes or even seconds, works against default configurations of DNSmasq and can be executed against instances exposed to the internet as well as on local area networks, across a range of potential victims. An attacker would be able to snoop on a user’s browsing activities or redirect them to fake versions of popular websites where they could be tricked into sharing their credentials or personal information. On public LANs, like those offered by coffee shops or hotels, a poisoned DNS cache could ensnare multiple users at once, and an attacker could potentially poison up to 10 different domains simultaneously.
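What a cache poisoning attack has to defeat is the set of checks a resolver or forwarder applies before it trusts a reply and caches it: the response must arrive from the server the query went to, on the randomised port the query left from, carry the matching 16-bit transaction ID and question section, and only records for the name actually asked about should be cached. The following Python is an added illustration of those standard acceptance checks; it is not code from the dnsmasq project or from the JSOF paper, and the server address, ports, transaction IDs, names and IP addresses in it are constructed sample values.

```python
"""Response-validation checks a stub resolver or forwarder applies before caching.

Added illustration with constructed sample data; not code from dnsmasq or DNSpooq.
"""
import socket
import struct
from dataclasses import dataclass

QTYPE_A = 1
QCLASS_IN = 1


@dataclass
class PendingQuery:
    """What the resolver remembers about a query it sent upstream."""
    txid: int        # 16-bit transaction ID chosen at random per query
    local_port: int  # randomised UDP source port the query left from
    server: str      # upstream server the query was sent to
    qname: str
    qtype: int


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), end


def parse_message(data: bytes):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        records.append((name, rtype, rclass, ttl, data[off:off + rdlen]))
        off += rdlen
    return txid, flags, questions, records


def accept_response(pending: PendingQuery, src_ip: str, dst_port: int, data: bytes):
    """Return (accepted, reason, A records that are safe to cache)."""
    if src_ip != pending.server:
        return False, "source address mismatch", []
    if dst_port != pending.local_port:          # a spoofer has to guess this port ...
        return False, "port mismatch", []
    txid, flags, questions, records = parse_message(data)
    if not flags & 0x8000:
        return False, "not a response", []
    if txid != pending.txid:                    # ... and this ID
        return False, "transaction id mismatch", []
    if questions != [(pending.qname.lower(), pending.qtype, QCLASS_IN)]:
        return False, "question section mismatch", []
    # Bailiwick check: only cache records for the name we actually asked about.
    safe = [(name, socket.inet_ntoa(rdata))
            for name, rtype, rclass, _ttl, rdata in records
            if name == pending.qname.lower() and rtype == QTYPE_A and rclass == QCLASS_IN]
    return True, "accepted", safe


def build_response(txid: int, qname: str, a_records) -> bytes:
    """Constructed upstream reply: first tuple is the answer, the rest are 'additional' records."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, len(a_records) - 1)
    body = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    for name, ip in a_records:
        owner = b"\xc0\x0c" if name == qname else encode_name(name)  # pointer to question name
        body += owner + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + socket.inet_aton(ip)
    return header + body


# Constructed scenario (RFC 5737 documentation addresses, made-up names and ports).
PENDING = PendingQuery(txid=0x1A2B, local_port=40000, server="10.0.0.53",
                       qname="www.example.com", qtype=QTYPE_A)
GENUINE = build_response(0x1A2B, "www.example.com",
                         [("www.example.com", "192.0.2.10"),
                          ("login.other-example.net", "198.51.100.7")])  # out of bailiwick
FORGED = build_response(0x0000, "www.example.com", [("www.example.com", "198.51.100.7")])


def demo():
    return {
        "genuine": accept_response(PENDING, "10.0.0.53", 40000, GENUINE),
        "forged": accept_response(PENDING, "10.0.0.53", 40000, FORGED),
        "wrong_port": accept_response(PENDING, "10.0.0.53", 40001, GENUINE),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The genuine reply is accepted but its unrelated additional record is discarded, while a reply with a wrong transaction ID or arriving on the wrong port is dropped before anything is cached. The strength of this defence rests on how unpredictable the port and ID are and on how many outstanding queries an attacker can race against at once, which is why weaknesses in those checks in a widely deployed forwarder matter so much.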
The paper also floats a number of other attacks that have not been observed in the wild but are hypothetically possible, like injecting malicious JavaScript code into visiting browsers to carry out DDoS attacks and the potential for the vulnerabilities to be wormable across mobile networks.
The cache poisoning attacks are “quite strong in the sense that you can spoof many domains at once and you can spoof them for a very long time,” said Oberman.
Meanwhile, the buffer overflow vulnerabilities affect instances of DNSmasq that are configured to use DNSSEC validation. While three of the vulnerabilities can only be used to carry out denial of service attacks, one of them could potentially allow an attacker to remotely execute code on a user’s device.
Oberman said larger organizations can protect themselves from these attacks, and address a number of other security issues, by hosting their own DNS server, while smaller organizations may look to use higher quality networking gear that has faster patching times.
Curtis Dukes, executive vice president and general manager for security best practices at the Center for Internet Security, told SC Media that DNS cache poisoning attacks remain “ubiquitous,” particularly as tools like HTTPS and DNSSEC are not fully adopted.
“DNS poisoning has long been a problem, [it’s] perhaps one of the most exploited vulnerabilities,” said Dukes.
However, he pointed out that five of the DNSpooq vulnerabilities are rated as moderate severity under the Common Vulnerability Scoring System, while the other two are rated high.
“While it demands attention, it is not being scored as a critical vulnerability,” said Dukes. “As patches become available, you should prioritize based on data sensitivity and business operations criticality.”