Multiple flaws (7 CVEs) have been found in the dnsmasq package. Dnsmasq has two sets of vulnerabilities: one set of memory corruption issues in the handling of DNSSEC, and a second set of issues in validating DNS responses. The memory corruption vulnerabilities could allow an attacker to corrupt memory, which can lead to denial of service, information exposure and potentially remote code execution on the target device. The DNS response validation vulnerabilities allow an attacker to use unsolicited DNS responses to poison the DNS cache, resulting in users being redirected to malicious sites.
1. Configuration based mitigation via LuCI web interface
Max. concurrent queries is dnsforwardmax, so set it to the recommended value of 50.
Size of DNS query cache is cachesize, so disable caching by setting it to 0.
DNSSEC is dnssec, so disable it if it is enabled and available.
2. Configuration based mitigation via commandline
Mitigation for the DNS cache poisoning issues is to disable caching:
uci set dhcp.@dnsmasq[0].cachesize='0'
Mitigation for the DNSSEC vulnerabilities is to disable the DNSSEC feature:
uci set dhcp.@dnsmasq[0].dnssec='0'
It is also recommended to reduce the maximum number of queries allowed to be forwarded (the default is 150):
uci set dhcp.@dnsmasq[0].dnsforwardmax='50'
Then commit the changes and restart dnsmasq:
uci commit dhcp && /etc/init.d/dnsmasq restart
3. Package upgrade to fixed dnsmasq version
You need to update the affected dnsmasq package variant you're using with the following command:
opkg update; opkg upgrade $(opkg list-installed dnsmasq* | cut -d' ' -f1)
Then verify that you're running the fixed version:
opkg list-installed dnsmasq*
The above command should output the following:
For the stable 19.07 release: dnsmasq - 2.80-16.2
For master/snapshot: dnsmasq - 2.83-1
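The following script is an added audit helper covering both the configuration mitigations of section 2 and the version check of section 3; it is not part of the OpenWrt advisory or of the dnsmasq package. It assumes the usual output shapes of `uci show dhcp` (lines of the form dhcp.@dnsmasq[0].option='value') and `opkg list-installed dnsmasq*` (lines of the form "name - version"), takes the fixed versions from the advisory, and uses a simplified numeric version comparison in place of opkg's own. The sample dumps at the bottom are constructed, not captured from a real device.

```sh
#!/bin/sh
# Added audit helper for the dnsmasq mitigations; not part of the OpenWrt
# advisory. Assumes `uci show dhcp` prints "dhcp.@dnsmasq[0].option='value'"
# and `opkg list-installed dnsmasq*` prints "name - version" lines.

FIXED_STABLE='2.80-16.2'   # fixed dnsmasq version for the 19.07 release
FIXED_MASTER='2.83-1'      # fixed dnsmasq version for master/snapshot

# Print option $1 of the first dnsmasq section from a `uci show dhcp` dump on
# stdin (quotes stripped); prints nothing when the option is not set.
uci_dnsmasq_option() {
    sed -n "s/^dhcp\.@dnsmasq\[0\]\.$1=//p" | tr -d "'" | head -n 1
}

# Audit a `uci show dhcp` dump ($1): one line per missing mitigation, return 0
# only when caching is off, DNSSEC is off and dnsforwardmax is at most 50.
audit_dnsmasq_config() {
    _dump=$1; _rc=0
    _cachesize=$(printf '%s\n' "$_dump" | uci_dnsmasq_option cachesize)
    _dnssec=$(printf '%s\n' "$_dump" | uci_dnsmasq_option dnssec)
    _fwdmax=$(printf '%s\n' "$_dump" | uci_dnsmasq_option dnsforwardmax)
    # An unset cachesize means dnsmasq's own default of 150 names, not 0.
    if [ "${_cachesize:-150}" != '0' ]; then
        echo "cachesize=${_cachesize:-unset}: caching still enabled (set it to 0)"
        _rc=1
    fi
    # DNSSEC validation is off unless dnssec is explicitly set to 1.
    if [ "${_dnssec:-0}" != '0' ]; then
        echo "dnssec=$_dnssec: DNSSEC validation enabled (set it to 0)"
        _rc=1
    fi
    # Unset (or unparsable) dnsforwardmax means dnsmasq's default of 150.
    case "$_fwdmax" in '' | *[!0-9]*) _fwdmax=150 ;; esac
    if [ "$_fwdmax" -gt 50 ]; then
        echo "dnsforwardmax=$_fwdmax: above the recommended maximum of 50"
        _rc=1
    fi
    return $_rc
}

# Return 0 when version $1 is at least version $2. Compares the numeric fields
# split on '.' and '-' in order (a simplification of opkg's comparison).
version_at_least() {
    _a=$(printf '%s' "$1" | tr '.-' '  ')
    _b=$(printf '%s' "$2" | tr '.-' '  ')
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%% *}; _a=${_a#"$_x"}; _a=${_a# }
        _y=${_b%% *}; _b=${_b#"$_y"}; _b=${_b# }
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
    done
    return 0
}

# Check each "name - version" line of an opkg listing ($1) against the fixed
# version ($2). Returns 0 only if every dnsmasq variant found is fixed.
check_dnsmasq_packages() {
    _listing=$1 _fixed=$2 _rc=0 _seen=0
    _ifs=$IFS
    IFS='
'
    for _line in $_listing; do
        IFS=$_ifs
        _name=${_line%% - *}
        _version=${_line##* - }
        case "$_name" in dnsmasq*) ;; *) continue ;; esac
        _seen=1
        if version_at_least "$_version" "$_fixed"; then
            echo "OK       $_name $_version (fixed: $_fixed)"
        else
            echo "UPGRADE  $_name $_version (fixed: $_fixed)"
            _rc=1
        fi
    done
    IFS=$_ifs
    [ "$_seen" -eq 1 ] || { echo "no dnsmasq package installed?"; _rc=1; }
    return $_rc
}

# Constructed sample output of an unmitigated 19.07 device (not real data).
SAMPLE_UCI="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].cachesize='150'
dhcp.@dnsmasq[0].dnssec='1'
dhcp.@dnsmasq[0].dnsforwardmax='150'"
SAMPLE_OPKG="dnsmasq-full - 2.80-16.1"

if command -v uci >/dev/null 2>&1 && command -v opkg >/dev/null 2>&1; then
    # On an OpenWrt device: audit the live configuration and packages
    # (pass FIXED_MASTER instead on a snapshot build).
    audit_dnsmasq_config "$(uci show dhcp)" && echo "config mitigations in place"
    check_dnsmasq_packages "$(opkg list-installed 'dnsmasq*')" "$FIXED_STABLE"
else
    # Elsewhere: demonstrate on the constructed samples.
    audit_dnsmasq_config "$SAMPLE_UCI" || echo "-> apply the uci mitigations"
    check_dnsmasq_packages "$SAMPLE_OPKG" "$FIXED_STABLE" || echo "-> upgrade"
fi
```

Run on the device itself it audits the live `uci show dhcp` and `opkg list-installed` output; anywhere else it runs against the constructed samples. The configuration audit treats an unset cachesize or dnsforwardmax as dnsmasq's defaults (150 in both cases), so a device that merely never set those options is still reported as unmitigated.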