Dnsmasq released a security advisory, dated January 19, 2021, disclosing details on multiple CVEs that can be triggered by a remote DNS response. The impacted dnsmasq versions are older than version 2.83. If successfully exploited by a malicious DNS server, these vulnerabilities lead to potential DNS cache-poisoning and in certain cases may lead to remote code execution (RCE).
Dnsmasq is a widely used open-source software providing DNS caching and other network services to lightweight devices, including Sophos RED. No other Sophos products are impacted by these vulnerabilities.
The DNSSEC feature is disabled on all versions of Sophos RED and the respective vulnerabilities are not applicable. However, dnsmasq is used for the split DNS functionality, which is susceptible to the cache poisoning attacks.
Sophos will update this advisory regularly until a remediation is available.