Friday, October 15, 2021

DNSpooq allows attackers to poison DNS cache records


Network administrators are urged to deploy the latest Dnsmasq updates to prevent DNSpooq attacks.

Security researchers today revealed details about seven vulnerabilities affecting the most popular DNS software package used in networking equipment such as routers and access points.

The vulnerabilities, collectively named DNSpooq, affect Dnsmasq, a DNS forwarding client for *NIX-based systems.

Dnsmasq is often embedded in the firmware of networking devices to provide DNS forwarding: it takes the DNS requests made by local users, forwards them to an upstream DNS server, and caches the results when they arrive, so that the same answers can be served to other clients without issuing a new DNS query upstream.

While DNS forwarders may seem mundane and insignificant, they play an important role in speeding up internet access by avoiding duplicate traffic.

Today, Dnsmasq runs on millions of devices sold worldwide, including Cisco devices, Android smartphones, and all kinds of network gear such as routers, access points, firewalls, and VPNs from vendors such as Aruba, Red Hat, Technicolor, Ubiquiti, and others.

HOW DNSPOOQ WORKS

The DNSpooq vulnerabilities, disclosed today by security researchers at JSOF, are dangerous because they can be used to poison the DNS records cached by the Dnsmasq servers embedded in these devices.

Poisoning cached DNS records is a major problem for network administrators because it allows attackers to redirect users to clones of legitimate websites.

[Image: DNSpooq allows attackers to poison DNS cache records. Image: JSOF]

For example, if a threat actor can abuse the DNSpooq vulnerabilities to poison the DNS record for Gmail cached on a company's Cisco router, they can redirect all of the company's employees to a criminal Gmail clone while the browser still shows the official gmail.com address in the address bar.

In total, seven DNSpooq vulnerabilities have been disclosed today. Four are buffer overflows in the Dnsmasq code that could lead to remote code execution, while the other three bugs allow DNS cache poisoning.

Individually, the risk from each one is limited, but the researchers say they can be chained to attack any device running an older version of the Dnsmasq software.

Attacks can be carried out easily against Dnsmasq installs exposed directly to the internet, but the JSOF team warns that devices on internal networks are also at risk, since attackers can deliver attack code through browsers or other (compromised) devices on the same network.
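To make the cache-poisoning risk described above concrete, here is an added example (my own toy model, not code from Dnsmasq or from JSOF) of the role a caching forwarder plays. All LAN clients read from one shared cache, so a single forged reply that gets accepted is served to everyone behind the device; the `receive()` check is the gate that a reply must pass, matching an outstanding query on transaction ID, destination port and question section. Names, ports and addresses are constructed for the example; real dnsmasq performs more checks than this model.

```python
import random
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    """An upstream query the forwarder is still waiting on."""
    txid: int
    src_port: int
    qname: str
    qtype: str


@dataclass(frozen=True)
class Response:
    """A reply arriving at the forwarder's upstream socket."""
    txid: int
    dst_port: int
    qname: str
    qtype: str
    rdata: str
    ttl: int


class ForwarderCache:
    """Toy model of a caching DNS forwarder in the role dnsmasq plays.

    Every LAN client reads from the same cache, which is why one accepted
    forgery is served to everyone behind the device. A reply populates the
    cache only if it matches a pending query on txid, port and question.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.cache = {}     # (qname, qtype) -> (rdata, expires_at)
        self.pending = {}   # (txid, port) -> Query
        self.rejected = 0   # replies dropped by the validation check

    def lookup(self, qname, qtype):
        """Serve a cached answer if present and not expired."""
        key = (qname.lower(), qtype)
        entry = self.cache.get(key)
        if entry is None:
            return None
        rdata, expires_at = entry
        if expires_at <= self.clock():
            del self.cache[key]   # TTL elapsed, drop the stale entry
            return None
        return rdata

    def send_upstream(self, qname, qtype):
        """Register an outstanding upstream query. The random txid and
        source port are the values a reply must echo to be accepted."""
        query = Query(
            txid=random.getrandbits(16),
            src_port=random.randint(1024, 65535),
            qname=qname.lower(),
            qtype=qtype,
        )
        self.pending[(query.txid, query.src_port)] = query
        return query

    def receive(self, reply):
        """Accept a reply only if it matches a pending query; otherwise
        count and drop it. Returns True when the cache was updated."""
        query = self.pending.get((reply.txid, reply.dst_port))
        if (
            query is None
            or query.qname != reply.qname.lower()
            or query.qtype != reply.qtype
        ):
            self.rejected += 1
            return False
        del self.pending[(reply.txid, reply.dst_port)]
        self.cache[(query.qname, query.qtype)] = (
            reply.rdata,
            self.clock() + reply.ttl,
        )
        return True


def demo():
    """Cache miss, a mismatched reply is dropped, the matching reply fills
    the cache, every client then sees the same answer, and it expires."""
    now = [1000.0]                       # fake clock so TTL expiry is testable
    fwd = ForwarderCache(clock=lambda: now[0])
    miss = fwd.lookup("mail.example.com", "A")
    q = fwd.send_upstream("mail.example.com", "A")
    # constructed replies: one with a wrong txid, one that matches the query
    wrong = Response((q.txid + 1) & 0xFFFF, q.src_port, q.qname, "A", "203.0.113.9", 300)
    right = Response(q.txid, q.src_port, q.qname, "A", "192.0.2.10", 300)
    dropped = fwd.receive(wrong)
    accepted = fwd.receive(right)
    served = fwd.lookup("MAIL.example.com", "A")   # any client, any case
    now[0] += 301
    expired = fwd.lookup("mail.example.com", "A")
    return miss, dropped, accepted, served, expired, fwd.rejected


if __name__ == "__main__":
    print(demo())
```

The design point is that the shared cache is only as trustworthy as the validation in front of it: the four overflow bugs and the three poisoning bugs on this page matter precisely because they sit in or around that gate, and a patched forwarder is the fix, not a smarter client.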

The attack may sound daunting, but in an interview with ZDNet on Monday, Shlomi Oberman, chief executive officer of JSOF, said the opposite was true.

“The DNSpooq cache poisoning vulnerabilities are not difficult to exploit and are the kind of weakness, in our opinion, that can be easily weaponized and exploited by botnets, malvertisers, phishers, and that happy group,” Oberman said.

“The biggest challenge for someone who uses this is the high risk that they make a lot of noise, so they will be seen by ISPs and other companies that have a lot of visibility on the internet,” the JSOF official said.

Oberman added that the attack also requires sending multiple DNS packets to the target device, which takes time, and requires the attackers to have access to adequate attack infrastructure.

However, these are not unusual requirements, and the JSOF executive believes that DNSpooq attacks are within reach of both cybercriminal gangs and nation-state (APT) groups alike.

The easiest way to prevent any of these attacks is to apply the security updates that will be released later today by the Dnsmasq project.

However, many of these Dnsmasq DNS forwarding clients are embedded within the firmware of other products, where end users cannot access and upgrade a single library.

Oberman, whose company also discovered, disclosed, and helped coordinate fixes for the far-reaching Ripple20 vulnerabilities, took the same approach this time around.

The JSOF executive said his company had worked with the Dnsmasq project authors and industry partners to make sure patches were available to device vendors in time for today's public disclosure.

“The disclosure process involved the creation of a dedicated security and engineering team representing Cisco, Google, Red Hat, Pi-Hole, CERT/CC, Simon Kelley (Dnsmasq maintainer), and JSOF,” Oberman said.

“The team looked at how to document the vulnerabilities and how to communicate them, and also suggested several different patches. Now there are patches available under embargo, both as a new version and as backports,” he added.

CERT/CC and ICS-CERT also helped coordinate the disclosure of the DNSpooq vulnerabilities to other vendors outside the group. While some vendors may be late in shipping patches, many vendors have now been notified of the seven vulnerabilities and of the need to ship patches for all affected products.

END USERS HAVE THEIR COUNTERMEASURES

But for end users, figuring out which vendors have shipped patches for DNSpooq may be impossible, even for those with advanced technical skills.

Chasing the CVE identifiers of the seven DNSpooq vulnerabilities through device firmware changelogs is complicated even for security professionals and software engineers, let alone the average Joe.

Oberman says users can protect themselves from vulnerable DNSpooq devices on their network using two methods.

“The best performance would be to use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT),” Oberman said.

“Another option would be to statically configure a trusted DNS server, like Cloudflare or Google DNS servers, so that DNS requests are not handled by the home router and go directly to the [remote] DNS server.”

Summary

DNSpooq is a series of vulnerabilities found in open-source software dnsmasq, indicating that DNS is still unsafe.

Some DNSpooq vulnerabilities allow DNS cache poisoning, and others may permit remote code execution that could allow a takeover of many brands of home routers and other networking equipment, with millions of affected devices, some of them exposed to the Internet.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.
