CVE 2023-50868 and CVE 2023-50387 in dnsmasq when DNSSEC is enabled

[RMerlin]

Two new CVEs were revealed related to DNSSEC support in dnsmasq. A specially crafted record can generate a DoS against dnsmasq, causing it to exhaust its resources.

While dnsmasq 2.90 was released with a fix, initial reports indicate that it causes other issues, breaking DNSSEC for some legitimate sites.

I intend to wait until more info can be gathered about these new issues, so in the meantime if you are worried about these two issues, I recommend disabling DNSSEC for now. Once more info (and a solution to the new issues) become available, I will look into updating to dnsmasq 2.90 for both 386 and 388. That will be a bit tricky for 388 since Asus has merged a mid-release version in the latest GPL, and I have no idea if it only contains pure dnsmasq code or if it also contains Asus-specific changes. I will need to walk through each commit one by one after 2.89 to determine at which commit Asus merged the upstream code.

 

[KrypteX]

@RMerlin Thanks for the info! Patiently waiting for an updated 386 release...

 

[alan6854321]

For those of you using Pi-Hole, there is a new release, Pi-hole FTL v5.25, which updates the embedded version of dnsmasq to v2.90

 

[bluzfanmr1]

You have to switch to the development branch to get this version correct? I don't see a version release of v5.25 yet.

 

[alan6854321]

You have to switch to the development branch to get this version correct? I don't see a version release of v5.25 yet.

Don't think so, I just did "pihole -up" and it installed 5.25

 

[bluzfanmr1]

Don't think so, I just did "pihole -up" and it installed 5.25

That works for me too. I did a "pihole -v" earlier and it didn't show the update being available on there or on the web interface. Thanks for the heads up!

 

[heysoundude]

Unbound has some exposure to this as well, iirc....which was patched yesterday
I guess there'll be an update for us shortly, @Martineau ?

 

[dave14305]

Unbound has some exposure to this as well, iirc....which was patched yesterday
I guess there'll be an update for us shortly, @Martineau ?

OpenWrt hasn’t updated unbound yet, which is a prerequisite for Entware to update unbound. Martineau has no control.

 

[heysoundude]

OpenWrt hasn’t updated unbound yet, which is a prerequisite for Entware to update unbound. Martineau has no control.

TIL.
thanks.
...wait: isn't entware @ryzhov_al 's purview?

 

[RMerlin]

Test builds with dnsmasq 2.90:

Beta - Asuswrt-Merlin 3004.388.6_x test builds (dnsmasq 2.90)

Hi everyone, I've uploaded Asuswrt-merlin 3004.388.6_1 test builds that include dnsmasq 2.90 (which contains two security fixes related to DNSSEC). https://www.asuswrt-merlin.net/test-builds Please give these builds a try, both with and without DNSSEC enabled. Let me know if there are any...

www.snbforums.com

 

[sfx2000]

Good background on the VULN - it's a 7.5 out of 10, so seriously worth fixing...

DNSSEC vulnerability puts big chunk of the internet at risk

'You don't have to do more than that to disconnect an entire network' El Reg told as patches emerge

www.theregister.com

 

[thelonelycoder]

TIL.
thanks.
...wait: isn't entware @ryzhov_al 's purview?

That’s the way.

 

[heysoundude]

That’s the way.

I've mentioned it on the entware Telegram...

 

[thelonelycoder]

I've mentioned it on the entware Telegram...

That's a busy channel to follow. And most of the posters write in Russian.

 

[Wisiwyg]

Don't think so, I just did "pihole -up" and it installed 5.25

Ditto...

 

[heysoundude]

That's a busy channel to follow. And most of the posters write in Russian.

I can read the cyrillic and can partially understand, but there’s also a translate bot.

 

[coxhaus]

This is affecting Pfsense also, so I switched to DNS forwarding instead of running unbound which I hope is a work around. I am waiting for an outcome as I am not sure what the attack is.

 

[GHammer]

Here's what I'd like to know.
Reading some of the announcements of this issue, it sounds like it is an incoming DNSSEC request that is the trigger.
Nothing I run is open to the outside (limited to responding to my LAN only).
Where is the threat to my install?

I'm sure I'll patch this, just with my reading (which could be faulty), there is no particular rush to do so.

 

[RMerlin]

Here's what I'd like to know.
Reading some of the announcements of this issue, it sounds like it is an incoming DNSSEC request that is the trigger.
Nothing I run is open to the outside (limited to responding to my LAN only).
Where is the threat to my install?

I'm sure I'll patch this, just with my reading (which could be faulty), there is no particular rush to do so.

DNSSEC is a validation done when you do a DNS query. It`s not a connection.

The vulnerability is if you visit a website that contains an URL to a malicious domain, and that domain has a specially crafted DNS entry. When your dnsmasq will try to resolve that hostname, and check its DNSSEC signatures, it may be led into generating a bunch of additional queries, which leads to your device being DoS, eating up CPU.

Simplest way to mitigate pending a software update is to disable DNSSEC validation.

 

[GHammer]

The vulnerability is if you visit a website that contains an URL to a malicious domain

I see. I patch when patches are available, so just wondering what the real world user impact was.
Thanks