Open-Source Vulnerabilities Continue with Dnsmasq

Recently, researchers announced a vulnerability discovered in dnsmasq. Anything your company uses that is open-source must be reviewed for security and configuration problems.

Open-source tools are a huge resource for developers, engineers, DevOps teams, designers, architects, anyone who touches code. We’ve talked in the past about how all open-source code should be reviewed, especially after a string of malware was found in npm libraries. While the latest discovery isn’t an attack or a string of malicious code, it’s still a vulnerability in an open-source platform. This time, researchers uncovered seven flaws in dnsmasq, an open-source software program used for caching DNS responses for home and commercial routers and servers.

The discovered vulnerabilities have been named “DNSpooq” by researchers, combining “DNS spoofing” with the “q” at the end of dnsmasq and adding the concept of a “spook” spying on internet traffic. According to Threat Post, “The set of seven flaws are comprised of buffer overflow issues and flaws allowing for DNS cache-poisoning attacks (also known as DNS spoofing). If exploited, these flaws could be chained together to allow remote code execution, denial of service and other attacks.”

Dnsmasq is widely popular, used on many home and commercial routers. So far, there have been at least 40 vendors identified which use dnsmasq in their products. Cisco routers. Android phones. Aruba devices. Technicolor, Red Hat, Siemens and more. Researchers believe there to be “millions” of devices affected.

“DNSpooq is a series of vulnerabilities found in the ubiquitous open-source software dnsmasq, demonstrating that DNS is still insecure, 13 years after the last major attack was described,” said researchers with the JSOF research lab, in a recent analysis.

While the flaws have varying degrees of severity, if chained together, they could lead to a variety of multi-stage attacks.

“This is because exploiting some of the vulnerabilities makes it easier to exploit others,” said researchers. “For example, we found that combining CVE-2020-25682, CVE-2020-25684, and CVE-2020-25685 would result in CVE-2020-25682 having a lower attack complexity (with the same impact) and result in a combined CVSS of 9.8 according to our analysis.”

This information was disclosed in August, but only publicly announced this month. Several companies are working together to find and employ a fix that is well-documented and communicated to anyone or any company using an affected device.

One, always review anything open-sourced. Open-source platforms are a fabulous place for programmers, developers and coders to find answers to problems they have been unable to fix, or to find code that fits whatever project they are addressing. But they are also a place where threat actors can go and manipulate things to cause a problem. That is not what happened here; this is a configuration issue, with dnsmasq as the at-fault party. Nothing bad has happened with this information. Yet. But it points to why anything external has to be reviewed for security and configuration.

The second point to make is that users of this service need to not only follow the appropriate threads for updates on mitigation, but they also need to make sure that the fix is made as soon as possible. A configuration problem that creates a weakness, especially one that is now known, is like lighting a Christmas tree in the dark. It’s going to attract attention, only that attention isn’t going to be the “Oooh’s” and “Aaah’s” of something beautiful. It’s going to attract the kind of attention that makes security teams swear like sailors as they scramble to stop whatever is happening.

Knowing about the vulnerability isn’t enough. It’s only the first step. Once you know about it, you have to mitigate. Then, when the fix is ready, you must deploy the patch or install the fix; whatever remediation is given has to be applied immediately. Security is a major concern for businesses worldwide, especially those who raced through digital transformation and couldn’t keep security tight along the way. Don’t wait until later.

About the Author

PWV Consultants is a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as a trusted technical partner for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. It was founded by 20-year software engineering veterans who have founded or co-founded several companies. PWV experts act as trusted advisors and mentors to numerous early stage startups, and have held the titles of software and software security executive, consultant and professor. PWV's expert consulting and advisory work spans several high impact industries in finance, media, medical tech, and defense contracting. PWV's founding experts also authored the highly influential precursor HAZL (jADE) programming language.
