What's new

CVE 2023-50868 and CVE 2023-50387 in dnsmasq when DNSSEC is enabled

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

RMerlin

Asuswrt-Merlin dev
Staff member
Two new CVEs were revealed related to DNSSEC support in dnsmasq. A specially crafted record can generate a DoS against dnsmasq, causing it to exhaust its resources.

While dnsmasq 2.90 was released with a fix, initial reports indicate that it causes other issues, breaking DNSSEC for some legitimate sites.

I intend to wait until more info can be gathered about these new issues, so in the meantime if you are worried about these two issues, I recommend disabling DNSSEC for now. Once more info (and a solution to the new issues) become available, I will look into updating to dnsmasq 2.90 for both 386 and 388. That will be a bit tricky for 388 since Asus has merged a mid-release version in the latest GPL, and I have no idea if it only contains pure dnsmasq code or if it also contains Asus-specific changes. I will need to walk through each commit one by one after 2.89 to determine at which commit Asus merged the upstream code.
 
For those of you using Pi-Hole, there is a new release, Pi-hole FTL v5.25, which updates the embedded version of dnsmasq to v2.90
 
You have to switch to the development branch to get this version correct? I don't see a version release of v5.25 yet.
 
You have to switch to the development branch to get this version correct? I don't see a version release of v5.25 yet.
Don't think so, I just did "pihole -up" and it installed 5.25
 
Don't think so, I just did "pihole -up" and it installed 5.25
That works for me too. I did a "pihole -v" earlier and it didn't show the update being available on there or on the web interface. Thanks for the heads up!
 
Test builds with dnsmasq 2.90:

 
This is affecting Pfsense also, so I switched to DNS forwarding instead of running unbound which I hope is a work around. I am waiting for an outcome as I am not sure what the attack is.
 
Here's what I'd like to know.
Reading some of the announcements of this issue, it sounds like it is an incoming DNSSEC request that is the trigger.
Nothing I run is open to the outside (limited to responding to my LAN only).
Where is the threat to my install?

I'm sure I'll patch this, just with my reading (which could be faulty), there is no particular rush to do so.
 
Here's what I'd like to know.
Reading some of the announcements of this issue, it sounds like it is an incoming DNSSEC request that is the trigger.
Nothing I run is open to the outside (limited to responding to my LAN only).
Where is the threat to my install?

I'm sure I'll patch this, just with my reading (which could be faulty), there is no particular rush to do so.
DNSSEC is a validation done when you do a DNS query. It`s not a connection.

The vulnerability is if you visit a website that contains an URL to a malicious domain, and that domain has a specially crafted DNS entry. When your dnsmasq will try to resolve that hostname, and check its DNSSEC signatures, it may be led into generating a bunch of additional queries, which leads to your device being DoS, eating up CPU.

Simplest way to mitigate pending a software update is to disable DNSSEC validation.
 
The vulnerability is if you visit a website that contains an URL to a malicious domain

I see. I patch when patches are available, so just wondering what the real world user impact was.
Thanks
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top