Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.0231 Multiple Vulnerabilities in dnsmasq DNS Forwarder Affecting Cisco Products: January 2021 20 January 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Products Publisher: Cisco Systems Operating System: Cisco Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Provide Misleading Information -- Remote/Unauthenticated Reduced Security -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-25687 CVE-2020-25686 CVE-2020-25685 CVE-2020-25684 CVE-2020-25683 CVE-2020-25682 CVE-2020-25681 Reference: ESB-2021.0219 ESB-2021.0218 ESB-2021.0217 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnsmasq-dns-2021-c5mrdf3g - --------------------------BEGIN INCLUDED TEXT-------------------- Multiple Vulnerabilities in dnsmasq DNS Forwarder Affecting Cisco Products: January 2021 Medium Advisory ID: cisco-sa-dnsmasq-dns-2021-c5mrdf3g First Published: 2021 January 19 12:15 GMT Version 1.0: Interim Workarounds: No workarounds available Cisco Bug IDs: CSCvv83754 CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 CVE-2020-25687 Summary o A set of previously unknown vulnerabilities in the DNS forwarder implementation of dnsmasq were disclosed on January 19, 2021. The vulnerabilities are collectively known as DNSpooq. Exploitation of these vulnerabilities could result in remote code execution or denial of service (DoS), or may allow an attacker to more easily forge DNS answers that can poison DNS caches, depending on the specific vulnerability. Multiple Cisco products are affected by these vulnerabilities. Cisco will release software updates that address these vulnerabilities. Any workarounds for a specific Cisco product or service will be documented in the relevant Cisco bugs, which are identified in the Vulnerable Products section of this advisory. Note: At the time of publication, no Cisco products were found to be affected by the remote code execution and DoS vulnerabilities, which are identified by the following Common Vulnerabilities and Exposures (CVE) IDs: ? CVE-2020-25681 ? CVE-2020-25682 ? CVE-2020-25683 ? CVE-2020-25687 This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-dnsmasq-dns-2021-c5mrdf3g Affected Products o Cisco investigated its product line to determine which products may be affected by these vulnerabilities. The Vulnerable Products section includes Cisco bug IDs for each affected product or service. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases. Any product or service not listed in Vulnerable Products section of this advisory is to be considered not vulnerable. Vulnerable Products For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. At the time of this investigation, no Cisco products have been found to be affected by the remote code execution and DoS vulnerabilities. Multiple Cisco products have been found to be susceptible to DNS cache poisoning attacks. The following table lists Cisco products that have been found to be susceptible to DNS cache poisoning attacks. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. If no version or date is listed for an affected component (indicated by a blank field and/or an advisory designation of Interim), Cisco is continuing to evaluate the fix and will update the advisory as additional information becomes available. After the advisory is marked Final, customers should refer to the associated Cisco bug(s) for further details. Product Cisco Bug Fixed Release ID Availability Network Management and Provisioning 8.10MR5 (Feb 2021) 8.5MR7 (Feb 2021) Cisco Aironet 1560 Series Access Points CSCvv83754 16.12.5 (Feb 2021) 17.3.3 (Feb 2021) 17.5.1 (Mar 2021) 8.10MR5 (Feb 2021) Cisco Aironet 1810 Series OfficeExtend 8.5MR7 (Feb 2021) Access Points CSCvv83754 16.12.5 (Feb 2021) 17.3.3 (Feb 2021) 17.5.1 (Mar 2021) 8.10MR5 (Feb 2021) 8.5MR7 (Feb 2021) Cisco Aironet 1810w Series Access Points CSCvv83754 16.12.5 (Feb 2021) 17.3.3 (Feb 2021) 17.5.1 (Mar 2021) 8.10MR5 (Feb 2021) 8.5MR7 (Feb 2021) Cisco Aironet 1815 Series Access Points CSCvv83754 16.12.5 (Feb 2021) 17.3.3 (Feb 2021) 17.5.1 (Mar 2021) 8.10MR5 (Feb 2021) 8.5MR7 (Feb 2021) Cisco Aironet 1830 Series Access Points CSCvv83754 16.12.5 (Feb 2021) 17.3.3 (Feb 2021) 17.5.1 (Mar 2021) 8.10MR5 (Feb 2021) 8.5MR7 (Feb 2021) Cisco Aironet 1850 Series Access Points CSCvv83754 16.12.5 (Feb 2021) 17.3.3 (Feb 2021) 17.5.1 (Mar 2021) 8.10MR5 (Feb 2021) 8.5MR7 (Feb 2021) Cisco Aironet 2800 Series Access Points CSCvv83754 16.12.5 (Feb 2021) 17.3.3 (Feb 2021) 17.5.1 (Mar 2021) 8.10MR5 (Feb 2021) 8.5MR7 (Feb 2021) Cisco Aironet 3800 Series Access Points CSCvv83754 16.12.5 (Feb 2021) 17.3.3 (Feb 2021) 17.5.1 (Mar 2021) 8.10MR5 (Feb 2021) Cisco Aironet 4800 Access Points CSCvv83754 16.12.5 (Feb 2021) 17.3.3 (Feb 2021) 17.5.1 (Mar 2021) Cisco Business 100 Series Access Points CSCvv83754 10.4.1.0 (Feb 2021) Cisco Business 200 Series Access Points CSCvv83754 10.4.1.0 (Feb 2021) 8.10MR5 (Feb 2021) Cisco Catalyst 9100 Access Points CSCvv83754 16.12.5 (Feb 2021) 17.3.3 (Feb 2021) 17.5.1 (Mar 2021) 8.10MR5 (Feb 2021) Cisco Catalyst IW 6300 Access Points CSCvv83754 16.12.5 (Feb 2021) 17.3.3 (Feb 2021) 17.5.1 (Mar 2021) 8.10MR5 (Feb 2021) Cisco ESW6300 Series Access Points CSCvv83754 16.12.5 (Feb 2021) 17.3.3 (Feb 2021) 17.5.1 (Mar 2021) Cisco Policy Suite CSCvv83241 21.1.0 (Jan 2021) Routing and Switching - Enterprise and Service Provider Cisco 1000 Series Connected Grid Routers CSCvv84554 (CGR1000 compute module) Cisco IR800 Integrated Services Router CSCvv84553 (Guest OS) Cisco Wireless Gateway for LoRaWAN CSCvw00914 2.1.0.3 (Mar 2021) Meraki Products Cisco Meraki MR (all models) N/A MR 27 firmware 27.5.1 or later MS 12 firmware 12.28 Cisco Meraki MS (all models) N/A or later MS 14 firmware 14.11 or later Cisco Meraki MV (all models) N/A MV 4 firmware 4.8 or later MX 14 firmware 14.53 Cisco Meraki MX (all models) N/A or later MX 15 firmware 15.41 or later Firmware 14.53 or Cisco Meraki Z-Series (all models) N/A later Firmware 15.41 or later Routing and Switching - Small Business Cisco RV042 Dual WAN VPN Router CSCvv83789 None planned Cisco RV042G Dual Gigabit WAN VPN Router CSCvv83789 None planned Cisco RV160x VPN Router CSCvv83787 Cisco RV260x VPN Router CSCvv83788 Cisco RV340W Dual WAN Gigabit Wireless-AC CSCvv83239 VPN Router Cisco Small Business RV Series RV110W CSCvv83235 None planned Wireless-N VPN Firewall Cisco Small Business RV Series RV215W CSCvv83237 None planned Wireless-N VPN Router Cisco Small Business RV Series RV320 Dual CSCvv83238 Gigabit WAN VPN Router Cisco Small Business RV Series RV325 Dual CSCvv83816 None planned WAN VPN Router Cisco Small Business RV130 Series VPN CSCvv83791 None planned Routers Cisco Small Business RV130 VPN Router CSCvv83236 None planned Unified Computing Cisco Enterprise NFV Infrastructure CSCvw00975 Software (NFVIS) Voice and Unified Communications Devices Cisco IP Conference Phone 7832 CSCvv83246 Cisco IP Conference Phone 8832 CSCvv83250 Cisco IP Phone 6800 Series with CSCvv83248 Multiplatform Firmware Cisco IP Phone 6821 with Multiplatform CSCvw00982 Firmware Cisco IP Phone 7800 Series with CSCvv83243 Multiplatform Firmware Cisco IP Phone 7800 Series CSCvv83249 Cisco IP Phone 8800 Series with CSCvv83242 Multiplatform Firmware Cisco IP Phone 8865 CSCvv83245 Release no. TBD (Mar 2021) Cisco SPA112 2-Port Phone Adapter CSCvv83234 None planned Cisco SPA122 Analog Telephone Adapter (ATA) CSCvv83234 None planned with Router Cisco SPA232D Multi-Line DECT Analog CSCvv83234 None planned Telephone Adapter (ATA) Cisco Unified IP Phone 9951 CSCvv83247 None planned Cisco Unified IP Phone 9971 CSCvv83247 None planned Cisco Wireless IP Phone 8821 CSCvw00918 Video, Streaming, TelePresence, and Transcoding Devices Cisco Expressway Series CSCvv83227 X12.7.1 (Feb 2021) Cisco TelePresence Video Communication CSCvv83227 X12.7.1 (Feb 2021) Server (VCS) Cisco Cloud Hosted Services Cisco IP Phone 6800 Series CSCvw01205 Cisco Spark Calling CSCvw00907 X12.7.1 (Feb 2021) Cisco Webex Teams (formerly Cisco Spark) CSCvv83214 None planned Webex Room Phone CSCvv87082 Products Under Investigation Routing and Switching - Enterprise and Service Provider ? Cisco IOS XE Software Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities. Cisco products that do not offer DNS server capabilities are not affected by these vulnerabilities. At the time of publication, no Cisco products were found to be affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs: ? CVE-2020-25681 ? CVE-2020-25682 ? CVE-2020-25683 ? CVE-2020-25687 Details o Remote Code Execution and Denial of Service Vulnerabilities Multiple vulnerabilities in the DNSSEC implementation of dnsmasq could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on an affected device. The vulnerabilities are due to improper memory management when the affected software processes DNS packets with DNSSEC data. An attacker could exploit these vulnerabilities by sending malicious DNS packets to be processed by the affected device. When these packets are processed, an exploitable overflow condition may occur. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the underlying dnsmasq software or cause DoS condition on the affected device. These vulnerabilities affect dnsmasq installations that match all of the following criteria: ? Include a vulnerable release of dnsmasq ? Capable of acting as a DNS server ? Capable of validating DNSSEC data These vulnerabilities have been assigned the following CVE IDs: ? CVE-2020-25681 ? CVE-2020-25682 ? CVE-2020-25683 ? CVE-2020-25687 At the time of this investigation, no Cisco products have been found to be affected by these vulnerabilities. DNS Cache Poisoning Attacks Multiple weaknesses in the DNS server functionality of dnsmasq could allow an unauthenticated, remote attacker to more easily forge DNS answers that can poison DNS caches. Each weakness results in dnsmasq accepting DNS answers based on checks that are performed on an amount of entropy that is lower than what is mandated by RFC 5452. The combination of these weaknesses would allow an attacker to mount a successful DNS cache poisoning attack with low traffic requirements. These weaknesses affect dnsmasq installations that match all of the following criteria: ? Include a vulnerable release of dnsmasq ? Capable of acting as a DNS server ? Capable of caching DNS responses These weaknesses have been assigned the following CVE IDs: ? CVE-2020-25684 ? CVE-2020-25685 ? CVE-2020-25686 Multiple Cisco products have been found to be susceptible to DNS cache poisoning attacks. Workarounds o Any workarounds for a specific Cisco product or service will be documented in the relevant Cisco bugs, which are identified in the Vulnerable Products section of this advisory. Fixed Software o For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products section of this advisory. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory. Cisco PSIRT is not aware of any malicious use of the vulnerabilities that are described in this advisory. Source o Cisco would like to thank Moshe Kol and Shlomi Oberman of JSOF for reporting these vulnerabilities, which were investigated and disclosed under the coordination of CERT/CC. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-dnsmasq-dns-2021-c5mrdf3g Revision History o +----------+----------------------------+----------+----------+---------------+ | Version | Description | Section | Status | Date | +----------+----------------------------+----------+----------+---------------+ | 1.0 | Initial public release. | -- | Interim | 2021-JAN-19 | +----------+----------------------------+----------+----------+---------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYAecDuNLKJtyKPYoAQi5ow//bXzERGEVQg/HhDSH6Ead7UEPUBp/vwUt xS0fo5jIiVkb/mfW4KmYhxXdRgTU/mkg52Vpf/uK8AJTxUWxhiGOqNLpB6UGfw+z bbcd1zDu5NEjNTLhiaW0cdAkQirIaFjhxkecvf+CjNHbAHfV/pwizyJhDHIJM8xx cTIuoHS4Qi5uh8J22dbV4Rh8trAqH6ZW5q5O+dhCyr2ovs57cQF5yecU2R+Wm2NA erlQ0lV4d/ll7YlQNFK4AkXNgoZX1+SLIZMYzZwomj+ObIdj9QNuCM3DqtVT5mVr oaNuTqN3hGC9+aDFECj21Wx+1o/ubLw3nHaIRA394SHjCu+H7HNY5Y1ZXsiqhVmz bqLscWvPFFo5+2qbcrSgDb64YmB8OCj4aeyQgQw55nCXU4D252RXpw62gPfopM2H NnUl5qMx29KPF6nUNYvkgwj6Pe1G4SfqRBStBQDz+UoVb0AFN6duENZeCvBEBcLK JiPeQFAqHWRDBge8TsYASVPL+edCj6SuxHJczvKbYOdEZJGySztdnerzk9YkpRX5 LVM6XvO9xvOp+p75WF7x/63RlO2W/z23sNCKHTlpuVKVPrZIrKz40mW+y/DgrVGV KViJ5Ue7UHm+N9Y7yKeEYQm2eA8qUKZsxblMvtRHizZxIJ7tRwYCkWwyAqsWzH1U aoJQiJQ9dzA= =KSFG -----END PGP SIGNATURE-----