Hi all. I could really use some help please?
We have been experiencing a strange issue with a whole bunch of remote sites. Starting quite suddenly we've had a bunch of routers losing the ability to resolve DNS. On further inspection and troubleshooting we've determined that DNSMasq crashes.
The vendor for these routers released a new firmware version after remote troubleshooting. This firmware version seems to address this issue but the explanation that we received makes little sense (to me at least). They allege that "the root cause is from LAN side DoS attack" but can't/won't provide proof of the root cause.
The device in question is an entry level router. Our company logged a ticket last year due to the DNSMasq included in the firmware being outdated. The vendor released a new firmware updating the version to 2.78. I however suspect that the implementation was not done/done incorrectly, as the below symptoms describe the issues we've been experiencing 100%:
- Fix heap overflow in DNS code. This is a potentially serious security hole. It allows an attacker who can make DNS requests to dnsmasq, and who controls the contents of a domain, which is thereby queried, to overflow (by 2 bytes) a heap buffer and either crash, or even take control of, dnsmasq. CVE-2017-14491 applies.
- Fix out-of-memory DoS vulnerability. An attacker which can send malicious DNS queries to dnsmasq can trigger memory allocations in the add_pseudoheader function. The allocated memory is never freed, which leads to a DoS through memory exhaustion. dnsmasq is vulnerable only if one of the following options is specified: --add-mac, --add-cpe-id or --add-subnet. CVE-2017-14495 applies.
- Fix DoS in DNS. Invalid boundary checks in the add_pseudoheader function allow a memcpy call with negative size. An attacker which can send malicious DNS queries to dnsmasq can trigger a DoS remotely. dnsmasq is vulnerable only if one of the following options is specified: --add-mac, --add-cpe-id or --add-subnet. CVE-2017-14496 applies.
Is it possible that the firmware reports version 2.78 in use, but actually does not?
Is there perhaps a DNSMasq module in the Linux kernel that wasn't updated? If yes, will I be able to check if I can get shell access?
Thanks in advance for any assistance/pointers!
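The version question above can be checked from the LAN side without shell access: by default dnsmasq answers a CHAOS-class TXT query for version.bind with the version string it was compiled with (a vendor build could remove that default, so an empty answer is not proof either way). The Python below is an added example, not code from the original post or from the router vendor; it builds and parses the DNS packets by hand so it needs no extra libraries, and the embedded reply is constructed, not captured from a real device.

```python
import socket
import struct
TXT, CHAOS = 16, 3

def build_version_query(txid=0x1234):
    """DNS query for version.bind, class CHAOS, type TXT."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x07version\x04bind\x00" + struct.pack(">HH", TXT, CHAOS)

def skip_name(buf, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + n

def parse_txt_answer(resp):
    """Return the TXT strings of the first answer record, or [] on error/no answer."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if flags & 0x000F or an == 0:  # non-zero RCODE or empty answer section
        return []
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + type + class
        off = skip_name(resp, off) + 4
    off = skip_name(resp, off)
    rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
    off += 10
    if rtype != TXT:
        return []
    rdata, out, i = resp[off:off + rdlen], [], 0
    while i < len(rdata):  # RDATA is a sequence of <len><chars> strings
        n = rdata[i]
        out.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return out

def query_version(server, timeout=2.0):
    """Ask the router's DNS forwarder (LAN address) for its version string over UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_txt_answer(data)

# Constructed sample reply (not captured from a real device): dnsmasq answers
# version.bind with "dnsmasq-<version>"; a hypothetical 2.78 build is shown.
SAMPLE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                + b"\x07version\x04bind\x00" + struct.pack(">HH", TXT, CHAOS)
                + b"\xc0\x0c" + struct.pack(">HHIH", TXT, CHAOS, 0, 13)
                + b"\x0cdnsmasq-2.78")
```

Run `query_version("<router LAN IP>")` from a host behind the router; a string other than `dnsmasq-2.78` means the daemon actually running is not the version the firmware notes claim.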