Overview

Dnsmasq released a security advisory, dated January 19, 2021, disclosing details on multiple CVEs that can be triggered by a remote DNS response. The impacted dnsmasq versions are older than version 2.83. If successfully exploited by a malicious DNS server, these vulnerabilities lead to potential DNS cache-poisoning and in certain cases may lead to remote code execution (RCE).

Dnsmasq is a widely used open-source software providing DNS caching and other network services to lightweight devices, including Sophos RED. No other Sophos products are impacted by these vulnerabilities.

The DNSSEC feature is disabled on all versions of Sophos RED and the respective vulnerabilities are not applicable. However, dnsmasq is used for the split DNS functionality, which is susceptible to the cache poisoning attacks.

Sophos will update this advisory regularly until a remediation is available.

Applies to the following Sophos product(s) and version(s)

• Sophos RED

Remediation

• Updated Sophos RED firmware for XG Firewall available in SD-RED Firmware 3.0.004 Pattern Update
• Updated Sophos RED firmware for SG UTM to be announced soon
• Additionally, Sophos recommends that customers upgrade to the latest available firmware releases

Related information

• http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25684
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25685
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25686
• https://www.jsof-tech.com/disclosures/dnspooq/

Updates

• The potential impact on all Sophos RED versions is limited to only the cache poisoning vulnerabilities. The article has been updated accordingly.
• A previous version of this article falsely stated that dnsmasq 2.83 and older are affected. This has been corrected to older than dnsmasq 2.83. Sophos would like to thank Thorsten Sult for reporting this!
• The updated Sophos RED firmware for XG Firewall is available.