Threat Intel: DNSpooq--7 New dnsmasq Vulnerabilities Discovered

7 vulnerabilities can combine to execute multi-stage attacks
Cynerio
Jan 20, 2021

Vulnerability Information

JSOF disclosed DNSpooq, a new group of seven vulnerabilities (CVE-2020-25681 through CVE-2020-25687) with a CVSS v3 base score of 8.1, on January 19, 2021. The vulnerabilities were discovered in dnsmasq, an open-source DNS caching and DHCP server found in myriad IoT and network infrastructure devices, in versions 2.8.2 and earlier.

The new vulnerabilities can result in cache poisoning and buffer overflows.

DNSpooq’s Impact on Healthcare

The combination of these vulnerabilities can result in compromised PHI and clinical workflows.

Cache poisoning attack (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685) 

Achieved using a Man-in-the-Middle (MITM) attack: a threat actor launches a MITM attack to redirect a user to an attacker-controlled address.

Example: A device regularly sends logs to its vendor. The MITM attack reroutes the communication and tricks the machine into connecting to a spoof server at an attacker-controlled address, enabling the attacker to exfiltrate data and read logs, ultimately compromising ePHI.

Cache poisoning can also happen on dnsmasq servers configured to listen to internal network traffic if the network is open.

Buffer overflow attack (CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, CVE-2020-25681)

On their own, most of these buffer overflow vulnerabilities are relatively harmless, but if affected devices are configured to use DNSSEC, the buffer overflows can be combined with cache poisoning to:

  • Enable remote code execution: threat actors can take control of a machine's memory and change its behavior, effectively compromising the physical functionality of a device or falsifying patient data stored and sent by the device
  • Cause denial of service: threat actors can compromise the network by denying service, disrupting clinical workflow

Devices that don't use DNSSEC are not at risk from the buffer overflow and remote code execution attacks. Devices that do use the feature should update to the latest dnsmasq version, since DNSSEC itself was designed to prevent cache poisoning.

Affected Devices

The dnsmasq software is found in a myriad of devices, particularly Linux machines where dnsmasq is installed by default, and in scores of networking products from a variety of vendors, including:

  • Cisco 
  • Aruba
  • GE
  • Netgear
  • Android (Google)
  • Siemens
  • Comcast
  • Ubiquiti
  • Synergy

What Can Healthcare Facilities Do to Mitigate the Threat?

  1. Update all devices with dnsmasq to the latest version (2.83 and above)
  2. Lower the number of maximum queries allowed to be forwarded
  3. Temporarily disable DNSSEC validation until devices are patched
  4. Prohibit dnsmasq from listening to WAN interfaces if not required
  5. Switch to DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) for upstream server connections
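Steps 2 through 4 above are configuration changes, and step 1 is a version check. The POSIX shell script below is an added example (not Cynerio's or the dnsmasq project's own code) that audits a dnsmasq.conf for those three settings and compares a version string against the 2.83 fix. The option names it looks for (dns-forward-max, dnssec, interface, listen-address, except-interface, bind-interfaces) are real dnsmasq options; the two sample configurations it writes to temporary files are constructed for illustration, and the threshold for dns-forward-max is simply dnsmasq's own default of 150, so anything at or above the default counts as "not lowered".

```shell
#!/bin/sh
# Added example: audit a dnsmasq.conf against the DNSpooq compensating
# controls (lower dns-forward-max, disable DNSSEC validation until patched,
# restrict listening interfaces) and check a version string against 2.83.
# Sample configs below are constructed; option names are real dnsmasq options.

# Return 0 when a dnsmasq version string such as "2.83" is 2.83 or newer.
dnsmasq_version_patched() {
    maj=${1%%.*}
    # keep only the leading digits of the minor part ("83test1" -> "83")
    min=$(printf '%s' "${1#*.}" | sed 's/[^0-9].*//')
    [ "${maj:-0}" -gt 2 ] || { [ "${maj:-0}" -eq 2 ] && [ "${min:-0}" -ge 83 ]; }
}

# Print one finding per line for the given dnsmasq.conf. Always returns 0 so
# it is safe under set -e; count output lines to get the number of findings.
audit_dnsmasq_conf() {
    conf="$1"
    # Drop comments, trailing whitespace and blank lines before matching.
    opts=$(sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$conf")

    # Step 2: cap forwarded queries. dnsmasq's default dns-forward-max is 150
    # (assumed threshold: anything not below the default is reported).
    fwd=$(printf '%s\n' "$opts" | sed -n 's/^dns-forward-max=//p' | tail -n 1)
    case "$fwd" in
        '')       echo "dns-forward-max unset (default 150): lower it" ;;
        *[!0-9]*) echo "dns-forward-max=$fwd is not numeric: fix it" ;;
        *) [ "$fwd" -lt 150 ] || echo "dns-forward-max=$fwd not lowered below the default" ;;
    esac

    # Step 3: DNSSEC validation makes the buffer-overflow CVEs reachable until patched.
    if printf '%s\n' "$opts" | grep -q '^dnssec$'; then
        echo "dnssec enabled: disable validation until dnsmasq 2.83 or later is installed"
    fi

    # Step 4: with no interface restriction dnsmasq answers on every interface, WAN included.
    if ! printf '%s\n' "$opts" | grep -qE '^(interface|listen-address|except-interface)='; then
        echo "no interface/listen-address/except-interface: dnsmasq listens on all interfaces"
    fi
    return 0
}

# Constructed sample configurations, written to temp files so this runs offline.
weak_conf=$(mktemp)
cat >"$weak_conf" <<'EOF'
# constructed: DNSSEC on, no forward cap, no interface restriction
dnssec
server=192.0.2.53
EOF

hardened_conf=$(mktemp)
cat >"$hardened_conf" <<'EOF'
# constructed: compensating controls applied until the fixed release is deployed
server=192.0.2.53
dns-forward-max=50
interface=eth0
bind-interfaces
EOF

echo "weak config findings:";     audit_dnsmasq_conf "$weak_conf"
echo "hardened config findings:"; audit_dnsmasq_conf "$hardened_conf"
if dnsmasq_version_patched 2.82; then
    echo "2.82 reported as patched (unexpected)"
else
    echo "2.82: vulnerable, upgrade to 2.83 or later"
fi
rm -f "$weak_conf" "$hardened_conf"
```

On a real device, point audit_dnsmasq_conf at /etc/dnsmasq.conf (and any files pulled in via conf-dir or conf-file) and feed dnsmasq_version_patched the version number printed by `dnsmasq --version`. The audit only reads the configuration; it does not change it, so the output is a checklist for the operator, not an automatic fix.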

How Can Cynerio Help?

Although these vulnerabilities aren't medical-device specific, they affect ubiquitous IT and network infrastructure products that can serve as a bridgehead into the wider network. Cynerio's automated solutions can help quickly identify devices running the dnsmasq software and expedite the application of compensating controls.

Some Helpful Resources

  1. DNSpooq White Paper
  2. ICS Advisory (ICSA-21-019-01) - Dnsmasq by Simon Kelley
  3. Information from HelpNetSecurity 
