Menu
What's new
By:
Filters Better Search

CVE 2023-50868 and CVE 2023-50387 in dnsmasq when DNSSEC is enabled

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

RMerlin

RMerlin

Asuswrt-Merlin dev
Two new CVEs were revealed related to DNSSEC support in dnsmasq. A specially crafted record can generate a DoS against dnsmasq, causing it to exhaust its resources.

While dnsmasq 2.90 was released with a fix, initial reports indicate that it causes other issues, breaking DNSSEC for some legitimate sites.

I intend to wait until more info can be gathered about these new issues, so in the meantime if you are worried about these two issues, I recommend disabling DNSSEC for now. Once more info (and a solution to the new issues) become available, I will look into updating to dnsmasq 2.90 for both 386 and 388. That will be a bit tricky for 388 since Asus has merged a mid-release version in the latest GPL, and I have no idea if it only contains pure dnsmasq code or if it also contains Asus-specific changes. I will need to walk through each commit one by one after 2.89 to determine at which commit Asus merged the upstream code.
 
For those of you using Pi-Hole, there is a new release, Pi-hole FTL v5.25, which updates the embedded version of dnsmasq to v2.90
 
You have to switch to the development branch to get this version correct? I don't see a version release of v5.25 yet.
 
bluzfanmr1 said:
You have to switch to the development branch to get this version correct? I don't see a version release of v5.25 yet.
Click to expand...
Don't think so, I just did "pihole -up" and it installed 5.25
 
alan6854321 said:
Don't think so, I just did "pihole -up" and it installed 5.25
Click to expand...
That works for me too. I did a "pihole -v" earlier and it didn't show the update being available on there or on the web interface. Thanks for the heads up!
 
dave14305 said:
OpenWrt hasn’t updated unbound yet, which is a prerequisite for Entware to update unbound. Martineau has no control.
Click to expand...
TIL.
thanks.
...wait: isn't entware @ryzhov_al 's purview?
 
Test builds with dnsmasq 2.90:

www.snbforums.com

Beta - Asuswrt-Merlin 3004.388.6_x test builds (dnsmasq 2.90)

Hi everyone, I've uploaded Asuswrt-merlin 3004.388.6_1 test builds that include dnsmasq 2.90 (which contains two security fixes related to DNSSEC). https://www.asuswrt-merlin.net/test-builds Please give these builds a try, both with and without DNSSEC enabled. Let me know if there are any...
www.snbforums.com www.snbforums.com
 
thelonelycoder said:
That's a busy channel to follow. And most of the posters write in Russian.
Click to expand...
I can read the cyrillic and can partially understand, but there’s also a translate bot.
 
This is affecting Pfsense also, so I switched to DNS forwarding instead of running unbound which I hope is a work around. I am waiting for an outcome as I am not sure what the attack is.
 
Here's what I'd like to know.
Reading some of the announcements of this issue, it sounds like it is an incoming DNSSEC request that is the trigger.
Nothing I run is open to the outside (limited to responding to my LAN only).
Where is the threat to my install?

I'm sure I'll patch this, just with my reading (which could be faulty), there is no particular rush to do so.
 
GHammer said:
Here's what I'd like to know.
Reading some of the announcements of this issue, it sounds like it is an incoming DNSSEC request that is the trigger.
Nothing I run is open to the outside (limited to responding to my LAN only).
Where is the threat to my install?

I'm sure I'll patch this, just with my reading (which could be faulty), there is no particular rush to do so.
Click to expand...
DNSSEC is a validation done when you do a DNS query. It`s not a connection.

The vulnerability is if you visit a website that contains an URL to a malicious domain, and that domain has a specially crafted DNS entry. When your dnsmasq will try to resolve that hostname, and check its DNSSEC signatures, it may be led into generating a bunch of additional queries, which leads to your device being DoS, eating up CPU.

Simplest way to mitigate pending a software update is to disable DNSSEC validation.
 
RMerlin said:
The vulnerability is if you visit a website that contains an URL to a malicious domain
Click to expand...

I see. I patch when patches are available, so just wondering what the real world user impact was.
Thanks
 
You must log in or register to reply here.

Similar threads

RMerlin
  • Locked
Release Asuswrt-Merlin 386.12_6 is now available for AC models
7 8 9
Replies
168
Views
15K
RMerlin
RMerlin
RMerlin
  • Locked
Beta Asuswrt-Merlin 3004.388.6_x test builds (dnsmasq 2.90)
4 5 6
Replies
102
Views
14K
RMerlin
RMerlin
RMerlin
Release Asuswrt-Merlin 3004.388.6 is now available
36 37 38
Replies
757
Views
92K
allwise
A
RMerlin
  • Locked
Release Asuswrt-Merlin 388.2 is now available for select models
39 40 41
Replies
808
Views
120K
L&LD
L&LD
RMerlin
  • Locked
Beta Asuswrt-Merlin 388.2 Beta is now available for Wifi 6 models
25 26 27
Replies
539
Views
72K
RMerlin
RMerlin
Similar threads
Thread starter Title Forum Replies Date
RMerlin Asuswrt-Merlin is NOT affected by CVE-2023-38545 Asuswrt-Merlin 11
T Merlin Firmware and CVE\Security Patches Asuswrt-Merlin 7
torstein "State of the router 2023"? Asuswrt-Merlin 2
B Router temperatures - 2023 Asuswrt-Merlin 44
B is AsusWRT-MERLIN 388.2_2 (dd 7 May 2023) affected by the security issues fixed in 3.0.0.4.386.51665 (dd 18 May 2023)? - RT-AX56U Asuswrt-Merlin 23
P RT-AX88U - 388.2_2 - Previously Working VPN Client (NordVPN) no longer functions - Suggestions for NordVPN Working Settings July 2023 Asuswrt-Merlin 2

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 930 (members: 20, guests: 910)
Top