Researchers from the JSOF research lab have uncovered a set of flaws in dnsmasq, popular open-source software used for caching Domain Name System (DNS) responses for home and commercial routers and servers.
The researchers have identified at least 40 top vendors who use dnsmasq in their products, including Cisco routers, Android phones, Aruba devices, Comcast, and Ubiquiti networks.
The DNSpooq vulnerability set divides into two types of vulnerabilities:
- DNS cache poisoning attacks, similar to the Kaminsky attack, but different in some aspects.
- Buffer overflow vulnerabilities that could lead to remote code execution.
Three of the flaws (CVE-2020-25686, CVE-2020-25684 and CVE-2020-25685) could enable DNS cache poisoning.
There are four buffer-overflow vulnerabilities (CVE-2020-25687, CVE-2020-25683, CVE-2020-25682 and CVE-2020-25681) in dnsmasq.
The DNS protocol has a history of vulnerabilities. A large part of the Internet still relies on DNS as a source of integrity, in the same way it has for over a decade, and is therefore exposed to attacks that can endanger the integrity of parts of the web.
The name DNSpooq merges three elements: DNS spoofing, the idea of a spook spying on Internet traffic, and the ‘q’ at the end of dnsmasq, which replaces the ‘k’ of spook. The spy or spook graphic illustrates how a successful DNS spoofing attack enables spying on Internet traffic.
In 2008, well-known security researcher Dan Kaminsky found and disclosed a fundamental flaw in the Internet naming scheme that affected the most common DNS software and the integrity of the way the Internet worked at the time. Kaminsky proved that attackers can impersonate any website name and steal data. (This has since become known as the “Kaminsky Attack”).
You can read the full report here – https://www.jsof-tech.com/disclosures/dnspooq/