DNSPOOQ breaks dnsmasq allowing for cache poisoning, remote code execution and more

The JSOF research labs are reporting 7 vulnerabilities found in dnsmasq, an open-source DNS forwarding software in common use. Dnsmasq is very popular, and we have identified approximately 40 vendors whom we believe use dnsmasq in their products, as well as major Linux distributions.

The DNS protocol has a history of vulnerabilities dating back to the famous 2008 Kaminsky attack. Nevertheless, a large part of the Internet still relies on DNS as a source of integrity, in the same way it has for over a decade, and is therefore exposed to attacks that can endanger the integrity of parts of the web.


The Dnspooq vulnerabilities include DNS cache poisoning vulnerabilities as well as a potential Remote code execution and others. The list of devices using dnsmasq is long and varied. According to our internet-based research, prominent users of dnsmasq seem to include Cisco routers, Android phones, Aruba devices, Technicolor, and Red-Hat, as well as Siemens, Ubiquiti networks, Comcast, and others listed below. Depending on how they use dnsmasq, devices may be more or less affected, or not affected at all.


The DNSpooq vulnerability set divides into 2 types of vulnerabilities:

  1. DNS cache poisoning attacks, similar to the Kaminsky attack, but different in some aspects.
  2. Buffer overflow vulnerabilities that could lead to remote code execution.


The DNSpooq cache poisoning vulnerabilities are labeled:
CVE-2020-25686, CVE-2020-25684, CVE-2020-25685


These [buffer overflow] vulnerabilities are labeled:
CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, CVE-2020-25681



Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft