CVE 2023-50868 and CVE 2023-50387 in dnsmasq when DNSSEC is enabled

[TonyK132]

disable DNSSEC validation.

Is there an option in unbound to do this?

 

[bennor]

Is there an option in unbound to do this?

Unbound - Howto Turn Off DNSSEC

If you find yourself having problems while DNSSEC is configured and you have carefully assessed that the problems have to do with the validation, and have assessed you are not under attack, you may want to follow one of the following steps to disable DNSSEC. Please be warned, do not …

www.nlnetlabs.nl

 

[shabbs]

For those of you using Pi-Hole, there is a new release, Pi-hole FTL v5.25, which updates the embedded version of dnsmasq to v2.90

5.25.1 released a couple of days ago to address the "resource limit exceeded" messages...

Release Pi-hole FTL v5.25.1 · pi-hole/FTL

What's Changed Fix spurious "resource limit exceeded" messages (v5 backport) by @DL6ER in #1893 Full Changelog: v5.25...v5.25.1

github.com

 

[sfx2000]

Two new CVEs were revealed related to DNSSEC support in dnsmasq. A specially crafted record can generate a DoS against dnsmasq, causing it to exhaust its resources.

Should note that this is not just DNSMASQ, most of the other resolvers that support DNSSEC have the same issue...

Anyways, here's the relevant links to the disclosures/CVE's...

NVD - CVE-2023-50387

nvd.nist.gov

NVD - CVE-2023-50868

nvd.nist.gov

 

[TonyK132]

Unbound - Howto Turn Off DNSSEC

If you find yourself having problems while DNSSEC is configured and you have carefully assessed that the problems have to do with the validation, and have assessed you are not under attack, you may want to follow one of the following steps to disable DNSSEC. Please be warned, do not …

www.nlnetlabs.nl

I did option 3 by commenting that line in the config file. Is that the right thing to do?

#module-config: "respip validator iterator" # v1.08 add 'respip' for rpz feature @juched

 

[Damit1]

5.25.1 released a couple of days ago to address the "resource limit exceeded" messages...

Release Pi-hole FTL v5.25.1 · pi-hole/FTL

What's Changed Fix spurious "resource limit exceeded" messages (v5 backport) by @DL6ER in #1893 Full Changelog: v5.25...v5.25.1

github.com

@RMerlin FYI?

 

[shabbs]

@RMerlin FYI?

This is a pi-hole specific update... Eric's updated build has this this fix in it.

 

[RMerlin]

@RMerlin FYI?

I'm even ahead of FTL...

History for release/src/router/dnsmasq - RMerl/asuswrt-merlin.ng

Third party firmware for Asus routers (newer codebase) - History for release/src/router/dnsmasq - RMerl/asuswrt-merlin.ng

github.com

 

[RMerlin]

3004.388.6_2 and 386.12_6 have been released, including the fixed dnsmasq version.

 

[sfx2000]

OpenWRT has merged in their fixes with an updated dnsmasq to v2.90 to Master - I suspect the next point release should include it.

commit 838a27f64f56e75aae98a3ab2556856224d48d8b
Author: Nathaniel Wesley Filardo <nwfilardo@gmail.com>
Date:   Sun Feb 18 13:12:10 2024 +0000

    dnsmasq: version 2.90
    
    Bump to 2.90 to get upstream's fix for DNSSEC KeyTrap (CVE-2023-50387,
    CVE-2023-50868) among many other goodies and fixes (notably, upstream
    568fb024... fixes a UAF in cache_remove_uid that was routinely crashing
    dnsmasq in my deployment).
    
    Catch up our 200-ubus_dns.patch, too.
    
    Signed-off-by: Nathaniel Wesley Filardo <nwfilardo@gmail.com>

 

[sfx2000]

OpenWRT has merged in their fixes with an updated dnsmasq to v2.90 to Master - I suspect the next point release should include it.

OpenWRT is important as both Mediatek and Qualcomm base their SDK's on OpenWRT.

The public Master has the fix checked in, and this, as I mentioned should be available on the Release Branch on their next release...

Remember that OpenWRT has to support a panoply of chipsets/SoC's and Architectures, so sometimes things might be delayed due to testing across those architectures...