Security Experts:

Connect with us

Hi, what are you looking for?



DNSpooq Flaws Expose Millions of Devices to DNS Cache Poisoning, Other Attacks

Researchers at Israel-based boutique cybersecurity consultancy JSOF this week disclosed the details of seven potentially serious DNS-related vulnerabilities that could expose millions of devices to various types of attacks.

Researchers at Israel-based boutique cybersecurity consultancy JSOF this week disclosed the details of seven potentially serious DNS-related vulnerabilities that could expose millions of devices to various types of attacks.

The vulnerabilities, collectively tracked as DNSpooq, impact Dnsmasq, a widely used piece of open source software designed to provide DNS, DHCP, router advertisement and network boot capabilities for small networks. Its DNS subsystem “provides a local DNS server for the network, with forwarding of all query types to upstream recursive DNS servers and caching of common record types.”

The software is mainly written and maintained by Simon Kelley, who has informed users about the availability of patches. The vulnerability disclosure process began in August 2020 and several impacted vendors told customers that they are working on address the issues.DNSpooq

There are two types of DNSpooq vulnerabilities: buffer overflow bugs that can lead to remote code execution and DoS attacks (tracked as CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687); and DNS response validation issues that can be exploited for DNS cache poisoning (tracked as CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686).

The buffer overflow bugs, JSOF said, pose a limited risk on their own, but they can be highly useful if combined with the flaws that allow cache poisoning.

Launching a DNS cache poisoning attack against a device can allow an attacker to redirect users to arbitrary websites, and intercept traffic associated with email, SSH, remote desktop, communications and other types of systems. An attacker could also take complete control of a targeted device using the DNSpooq vulnerabilities.

“Combining the vulnerabilities found by JSOF with other recently-disclosed network attacks could potentially lead to much easier and more widespread attack possibilities, an area of research which can be explored further,” JSOF said. “This includes vulnerabilities such as NAT-slipstreaming, found by Samy Kamkar, SAD DNS, found by researchers at University of California Riverside, and the lack of destination-side source address validation as found by researchers at Brigham Young University, as well as other academic research on DNS.”

According to JSOF, malicious actors could easily exploit the DNSpooq vulnerabilities directly from the internet as there are roughly one million Dnsmasq servers exposed to the web. The flaws can also be exploited by an attacker who is on the same network as the targeted system, or through web browsers. However, JSOF noted that browser-based attacks are not easy to conduct and they only work against some browsers — exploitation has been confirmed to work against Safari on an iPhone, but it does not appear to work against Chrome.

Red Hat explained that DNS cache poisoning attacks can be conducted against clients that use Dnsmasq as a DNS server, and involves providing them incorrect name resolutions for poisoned entries. Exploitation of the memory corruption bugs involves “the collaboration of a dnsmasq client or other ways to make a client start a series of DNS queries to dnsmasq for an attacker-controlled domain.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory to warn organizations about the risks posed by the DNSpooq vulnerabilities.

Vendor response

An advisory issued on Tuesday by the CERT Coordination Center at Carnegie Mellon University lists hundreds of vendors that may be impacted, and over a dozen companies have confirmed that — at least to some extent — their products are affected.

Sophos has published an advisory informing customers that the vulnerabilities only appear to impact its Sophos Remote Ethernet Device (RED) appliance.

Cisco has released a long list of products impacted by the security flaws and says it’s working on developing patches. The networking giant noted that none of its products are affected by the memory corruption bugs that can lead to remote code execution and DoS attacks.

Siemens, on the other hand, says its SCALANCE and RUGGEDCOM industrial devices are impacted only by the three security holes that can be exploited for DNS cache poisoning. The German industrial giant is working on patches and, in the meantime, it has shared some workarounds and mitigations.

The OpenWrt Project, the developer of the popular Linux operating system for embedded devices, also issued an advisory, telling users that OpenWrt versions 19.07.0 through 19.07.5 are affected. Fixes will be included in the upcoming 19.07.6 release.

Red Hat says the vulnerabilities impact Red Hat Enterprise Linux 8 (non-default configuration), as well as Enterprise Linux 6, 7 and 8. Red Hat OpenStack Platform 10 and 13, and Red Hat Virtualization 4.3 and 4.4 may also be affected.

Ubuntu and SUSE have also released advisories.

Related: Critical, Wormable Bug in Windows DNS Servers Could Allow Full Infrastructure Compromise

Related: NXNSAttack: New DNS Vulnerability Allows Big DDoS Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.