Overview
The dnsmasq project released a security advisory, dated January 19, 2021, disclosing multiple CVEs (collectively known as DNSpooq) that a malicious or spoofed DNS response can trigger. Affected dnsmasq versions are those older than 2.83; version 2.83 contains the fixes. If successfully exploited by a malicious DNS server, these vulnerabilities can lead to DNS cache poisoning and, where DNSSEC validation is enabled, to memory corruption that may allow remote code execution (RCE).
Dnsmasq is widely used open-source software that provides DNS caching and other network services on lightweight devices, including Sophos RED. No other Sophos products are affected by these vulnerabilities.
DNSSEC is disabled on all versions of Sophos RED, so the DNSSEC-related vulnerabilities (the ones that could lead to RCE) do not apply. However, dnsmasq is used for the split DNS functionality, which is susceptible to the cache poisoning attacks (CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686).
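The affected/fixed boundary above is exactly "older than 2.83", and the advisory's own erratum shows how easy it is to get that off by one. The following shell script is an added example, not part of the Sophos advisory or the dnsmasq project, for classifying a dnsmasq version string against that boundary on a generic host that has a shell (Sophos RED appliances do not expose one; there the remediation is the firmware update). It assumes that the first line of `dnsmasq --version` starts with "Dnsmasq version X.Y", and it treats pre-release suffixes such as 2.83test1 as 2.83 after stripping the suffix; both are assumptions, not statements from the advisory.

```shell
#!/bin/sh
# Added example, not from the Sophos advisory or the dnsmasq project:
# classify a dnsmasq version string against the DNSpooq fix boundary.
# Affected: anything older than 2.83. Fixed: 2.83 and newer.
# Assumptions (not from the advisory): the "dnsmasq --version" banner starts
# with "Dnsmasq version X.Y", and a pre-release such as 2.83test1 is treated
# as 2.83 once its suffix is stripped.

# Extract "X.Y" from the first line of a dnsmasq --version banner.
dnsmasq_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Dnsmasq version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if version $1 is older than 2.83 (affected), 1 if it is 2.83 or
# newer, 2 if the string cannot be parsed. Major and minor are compared as
# integers: a naive string comparison would rank 2.9 above 2.83, but 2.9 is
# an older release and IS affected.
dnsmasq_is_affected() {
    ver=$1
    case "$ver" in
        *.*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*}
    # keep only the leading digits of the minor part ("83test1" -> "83",
    # "80-1" packaging suffix -> "80")
    minor=$(printf '%s\n' "${ver#*.}" | sed 's/^\([0-9]*\).*/\1/')
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -gt 2 ]; then return 1; fi
    [ "$minor" -lt 83 ]
}

# Convenience wrapper for a host that has dnsmasq on PATH: prints a verdict
# and returns the status of dnsmasq_is_affected (2 if dnsmasq is missing).
dnsmasq_check_local() {
    banner=$(dnsmasq --version 2>/dev/null | head -n 1)
    ver=$(dnsmasq_version_from_banner "$banner")
    dnsmasq_is_affected "$ver"
    rc=$?
    case $rc in
        0) echo "dnsmasq $ver: older than 2.83, affected by DNSpooq" ;;
        1) echo "dnsmasq $ver: 2.83 or newer, contains the DNSpooq fixes" ;;
        *) echo "could not determine dnsmasq version (banner: '$banner')" ;;
    esac
    return $rc
}

# Run the local check only when asked to, so the functions can also be
# sourced from another script.
if [ "${1:-}" = "--check-local" ]; then
    dnsmasq_check_local
fi
```

Run it as `sh dnsmasq_check.sh --check-local` on the host, or source the file and call `dnsmasq_is_affected` with version strings collected from an inventory. The exit status follows the usual shell convention (0 means "affected", which makes `if dnsmasq_is_affected "$v"; then ...` read naturally), so a non-zero status is the good outcome here.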
Applies to the following Sophos product(s) and version(s)
- Sophos RED
Remediation
- Updated Sophos RED firmware for XG Firewall is available in the SD-RED Firmware 3.0.004 Pattern Update
- Updated Sophos RED firmware for SG UTM is available in Sophos UTM 9.7 MR6
- Additionally, Sophos recommends that customers upgrade to the latest available firmware releases
Related information
- http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25684
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25685
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25686
- https://www.jsof-tech.com/disclosures/dnspooq/
Updates
- The potential impact on all Sophos RED versions is limited to only the cache poisoning vulnerabilities. The article has been updated accordingly.
- A previous version of this article incorrectly stated that dnsmasq 2.83 and older are affected. This has been corrected: only versions older than dnsmasq 2.83 are affected, and 2.83 contains the fixes. Sophos would like to thank Thorsten Sult for reporting this!
- The updated Sophos RED firmware for XG Firewall is available.
- The updated Sophos RED firmware for SG UTM is available.