Siemens announced Tuesday that its security researchers discovered and disclosed seven vulnerabilities known as DNSpooq in the DNS component open source software “Dnsmasq.” Of these three security vulnerabilities affect the validation of DNS responses, and affect several of Siemens’ SCALANCE and RUGGEDCOM devices.
The SCALANCE M-800 and S615 industrial routers are used to secure remote access to plants using mobile networks like GPRS or UMTS (Universal Mobile Telecommunications System) with integrated security functions of a firewall for protection against unauthorized access and VPN (virtual private network) to protect data transmission, according to a report from Siemens ProductCERT. To mitigate security risks, Siemens advises users to disable both these industrial routers from the DNS (domain name system) proxy in the device configuration, and configure the connected devices in the internal network to use a different DNS server, as the DNS proxy is enabled by default.
The SCALANCE SC-600 devices (SC622-2C, SC632-2C, SC636-2C, SC642-2C, SC646-2C) are used to protect trusted industrial networks from untrusted networks. They allow filtering incoming and outgoing network connections in different ways. Another affected product is Siemens’ RUGGEDCOM RM1224, which is a 4G router for wireless IP-communication from Ethernet based devices via LTE (4G)- mobile radio. It comes with the DNS proxy enabled by default.
As in the case of the SCALANCE M-800, for the SCALANCE SC-600 and RUGGEDCOM RM1224 equipment as well, Siemens urged its users to disable the industrial routers from the DNS proxy in the device configuration, and configure the connected devices in the internal network to use a different DNS server.
The SCALANCE W1750D controller-based Direct Access Points support radio transmission according to the latest IWLAN standard IEEE 802.11ac Wave 2. Siemens suggested that if the ‘OpenDNS’, ‘Captive Portal,’ or ‘URL redirection’ functionality is not used, then users were advised to deploy firewall rules in the device configuration to block incoming access to port 53/UDP.
Dnsmasq provides network infrastructure for small networks such as DNS, DHCP, router advertisement and network boot. It is designed to be lightweight, with a small footprint, and ideal for resource constrained routers and firewalls. Supported platforms include Linux (with glibc and uclibc), Android, BSD and Mac OS X. Dnsmasq is included in most Linux distributions and the port systems of FreeBSD, OpenBSD and NetBSD, while providing complete IPv6 support.
Dnspooq is a series of seven vulnerabilities found in the Dnsmasq software, which is used for caching of DNS responses, according to researchers at Israeli security firm JSOF. It stores responses to previously asked DNS queries locally and speeds up the DNS resolution process. The software is installed on many home and commercial routers and servers in many organizations.
The Dnspooq vulnerabilities can be triggered remotely using DNS and DHCP protocols, and can lead to remote code execution, information exposure, and denial of service, JSOF said. Some of them allow for DNS cache poisoning and one of the DNSpooq vulnerabilities could permit a potential remote code execution that could allow a takeover of many brands of home routers and other networking equipment. Thereby, increasing security risk as millions of devices get affected, and over a million instances directly exposed to the internet, it added.
Dnsmasq is used heavily by networking equipment, as well as being set up manually by IT personnel, usually in smaller networks, according to JSOF. There are other uses of Dnsmasq, such as providing DNS services to support Wi-Fi hot-spots, enterprise guest networks, virtualization, ad blocking, implementing a captive portal such as the login screen that appears when logging in to a network in an airport or other public location, and other use cases.
Carnegie Mellon University said that the Dnsmasq is vulnerable to a set of memory corruption issues handling DNSSEC data and a second set of issues validating DNS responses. These vulnerabilities could allow an attacker to corrupt memory on a vulnerable system and perform cache poisoning attacks against an unprotected environment.
The memory corruption vulnerabilities can be triggered by a remote attacker using crafted DNS responses that can lead to denial of service, information exposure, and potentially remote code execution, Carnegie pointed out. The DNS response validation vulnerabilities allow an attacker to use unsolicited DNS responses to poison the DNS cache and redirect users to arbitrary sites.
Siemens acknowledges the contribution made by Moshe Kol and Shlomi Oberman from JSOF for coordinated disclosure, and CERT Coordination Center (CERT/CC) and Industrial Control System Cyber Emergency Response Team (ICS-CERT) for their coordination efforts. The company is preparing updates and advises countermeasures for products where updates are not, or not yet available.
In May last year, Cisco announced that its Small Business RV Series routers had been affected by the Dnsmasq vulnerabilities, with users getting warning messages in the logs, almost every minute.
Siemens announced last week four new industrial control systems (ICS) security advisories, and updated multiple previously issued security advisories related to equipment deployed in the critical infrastructure sector. Several SCALANCE X switches used in critical manufacturing to connect industrial components like programmable logic controllers (PLCs) or human machine interfaces (HMIs) contain vulnerabilities in the web server of the affected devices, it said.