libreCMC v1.5.4: Cache Poisoning and RCE in dnsmasq (CVE-2020-25681 through CVE-2020-25687)

A critical security issue in dnsmasq that includes the possibility of a "...DNS cache poisoning attack by an off-path attacker..." [1] affects libreCMC v1.5.4. At this time, the project has recalled available images and advises users to use a configuration mitigation until a more permanent fix is available.

Configuration mitigation:

Over SSH:

From upstream [2]: the mitigation for DNS cache poisoning is to disable caching:

uci set dhcp.@dnsmasq[0].cachesize='0'

The mitigation for the DNSSEC vulnerability is to disable the DNSSEC feature:

uci set dhcp.@dnsmasq[0].dnssec='0'

It is also recommended to reduce the maximum number of queries allowed to be forwarded concurrently (default is 150):

uci set dhcp.@dnsmasq[0].dnsforwardmax='50'

Then commit the changes and restart dnsmasq:

uci commit dhcp && /etc/init.d/dnsmasq restart
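The same three settings, applied and then verified, as an added shell example that is not part of the libreCMC advisory or the project's tooling. apply_mitigation runs the uci commands above where uci exists, and mitigation_applied parses an /etc/config/dhcp file in UCI syntax from stdin and succeeds only if the first dnsmasq section has cachesize '0', dnssec unset or '0', and dnsforwardmax set to 50 or less. The function names, the constructed sample configs and the treatment of an unset cachesize or dnsforwardmax as "still at the dnsmasq default, so not mitigated" are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the libreCMC advisory or project tooling.
# Applies the advisory's dnsmasq mitigation with uci and verifies the result
# by parsing /etc/config/dhcp (UCI syntax). Function names are assumptions.

# Apply the three settings from the advisory and restart dnsmasq.
# Only meaningful on the router itself, where uci exists.
apply_mitigation() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found" >&2; return 1; }
    uci set dhcp.@dnsmasq[0].cachesize='0'
    uci set dhcp.@dnsmasq[0].dnssec='0'
    uci set dhcp.@dnsmasq[0].dnsforwardmax='50'
    uci commit dhcp && /etc/init.d/dnsmasq restart
}

# Read a UCI dhcp config on stdin; exit 0 only if the first 'config dnsmasq'
# section has cachesize '0', dnssec unset or '0', and dnsforwardmax set to 50
# or less. An unset cachesize or dnsforwardmax leaves dnsmasq at its default
# (caching on, 150 forwards), so that counts as not mitigated.
mitigation_applied() {
    awk -v q="'" '
        BEGIN { split("", opt); n = 0; in_sec = 0 }
        $1 == "config" {
            t = $2; gsub(q, "", t); gsub(/"/, "", t)
            in_sec = (t == "dnsmasq" && ++n == 1)   # first dnsmasq section only
            next
        }
        in_sec && $1 == "option" {
            v = $3; gsub(q, "", v); gsub(/"/, "", v)
            opt[$2] = v
        }
        END {
            ok = ("cachesize" in opt) && opt["cachesize"] == "0"
            ok = ok && (!("dnssec" in opt) || opt["dnssec"] == "0")
            ok = ok && ("dnsforwardmax" in opt) && opt["dnsforwardmax"] + 0 <= 50
            exit !ok
        }'
}

# Constructed sample configs for a stand-alone run (not taken from a real router).
MITIGATED_CFG="config dnsmasq
    option domainneeded '1'
    option cachesize '0'
    option dnssec '0'
    option dnsforwardmax '50'

config dhcp 'lan'
    option interface 'lan'"

# Stock-style config: cachesize unset (caching on), DNSSEC on, forward max unset.
DEFAULT_CFG="config dnsmasq
    option domainneeded '1'
    option dnssec '1'"

# Cache disabled but DNSSEC left on: still not mitigated.
PARTIAL_CFG="config dnsmasq
    option cachesize '0'
    option dnssec '1'
    option dnsforwardmax '50'"

# On the router: 'sh mitigate.sh apply' applies then verifies; 'sh mitigate.sh check' only verifies.
case "${1:-}" in
    apply) apply_mitigation && mitigation_applied < /etc/config/dhcp && echo "mitigated" ;;
    check) if mitigation_applied < /etc/config/dhcp; then echo "mitigated"; else echo "NOT mitigated"; fi ;;
esac
```

The check reads the committed config rather than trusting the shell history, so it also catches a session where the uci set lines ran but the commit did not.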

From the LuCI web UI:

  1. Log in to the router

  2. Navigate to "Network" -> "DHCP and DNS"

  3. Click the "Advanced Settings" tab

  4. Find "Max. concurrent queries" and set it to "50"

  5. Find "Size of DNS query cache" and set it to "0"

  6. Scroll all the way to the bottom and click "Save & Apply"

Update package

While dnsmasq has been updated in the v1.5.4 package repository, it is advised not to use it because of issues with some IPv6 clients.

Updates

2021-01-25: libreCMC v1.5.4a images available with the applicable fixes for dnsmasq and a few other fixes from upstream 19.07.6 release. More info can be found on the v1.5.4a release notes page.

[1] DNSpooq: DNSpooq_Technical-Whitepaper.pdf

[2] Upstream dnsmasq thread