{"id":39197,"date":"2021-01-19T14:26:56","date_gmt":"2021-01-19T14:26:56","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/31943\/DNSpooq-Lets-Attackers-Poison-DNS-Cache-Records.html"},"modified":"2021-01-19T14:26:56","modified_gmt":"2021-01-19T14:26:56","slug":"dnspooq-lets-attackers-poison-dns-cache-records","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/dnspooq-lets-attackers-poison-dns-cache-records\/","title":{"rendered":"DNSpooq Lets Attackers Poison DNS Cache Records"},"content":{"rendered":"
\"dnsspooq-logo.png\"<\/span>
<\/span> Image: JSOF <\/span><\/figcaption><\/figure>\n

Security experts have disclosed today details about seven vulnerabilities impacting a popular DNS software package that is commonly deployed in networking equipment, such as routers and access points.<\/p>\n

The vulnerabilities tracked as DNSpooq<\/strong>, impact Dnsmasq<\/a>, a DNS forwarding client for *NIX-based operating systems.<\/p>\n

Dnsmasq is usually included inside the firmware of various networking devices to provide DNS forwarding capabilities by taking DNS requests made by local users, forwarding the request to an upstream DNS server, and then caching the results once they arrive, making the same results readily available for other clients without needing to make a new DNS query upstream.<\/p>\n

While their role seems banal and insignificant, they play a crucial role in accelerating internet speeds by avoiding recursive traffic.<\/p>\n

Today, the DNSpooq software has made its way in millions of devices sold worldwide, such as Cisco devices, Android smartphones, and all sorts of networking gear like routers, access points, firewalls, and VPNs from companies like ZTE, Aruba, Redhat, Belden, Ubiquiti, D-Link, Huawei, Linksys, Zyxel, Juniper, Netgear, HPE, IBM, Siemens, Xiaomi, and others.<\/p>\n

How DNSpooq works<\/h3>\n

The DNSpooq vulnerabilities, disclosed today by security experts from JSOF, are dangerous because they can be combined to poison DNS cache entries recorded by Dnsmasq servers.<\/p>\n

Poisoning DNS cache records is a big problem for network administrators because it allows attackers to redirect users to clones of legitimate websites.<\/p>\n

<\/section>\n

For example, if a threat actor can abuse a DNSpooq attack to poison DNS cache entries for gmail.com on a company’s Cisco router, they can redirect all that company’s employees to a Gmail phishing page while the browser shows the legitimate gmail.com address in their browsers.<\/p>\n

In total, seven DNSpooq vulnerabilities have been disclosed today. Four are buffer overflows in the Dnsmasq code that can lead to remote code execution scenarios, while the other three bugs allow DNS cache poisoning.<\/p>\n

\"dnspooq-cves.png\"<\/span>