topic Re: Are the SMB devices vulnerable to DNSpooQ? in Spark Firewall (SMB)

Are the SMB devices vulnerable to DNSpooQ?

Steffen_Appel — Thu, 21 Jan 2021 15:25:11 GMT

1100/1400/1500 are using DNSmasq in version 2.78, which is vulnerable to DNSpooQ: https://www.jsof-tech.com/disclosures/dnspooq/

Could anybody confirm this? And if yes, when will there be a fix?

Re: Are the SMB devices vulnerable to DNSpooQ?

G_W_Albrecht — Thu, 21 Jan 2021 17:03:10 GMT

I can only find sk35484 Check Point response to DNS poisoning vulnerability CVE-2008-1447 stating:

On July 8, 2008 CERT announced a new DNS cache poisoning technique that exploits the fact that DNS servers send requests with non random source ports.

Check Point products are not vulnerable to this attack for the following reasons:

Check Point products do not implement DNS server functionality.

Re: Are the SMB devices vulnerable to DNSpooQ?

PhoneBoy — Thu, 21 Jan 2021 17:21:58 GMT

Possible we’ve patched this already, I’ll check.

Re: Are the SMB devices vulnerable to DNSpooQ?

John_Fleming — Thu, 21 Jan 2021 22:11:35 GMT

cough cough cough

[Expert@1500]# netstat -anp | grep dnsmasq
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 4190/dnsmasq
tcp 0 0 :::53 :::* LISTEN 4190/dnsmasq
udp 0 0 0.0.0.0:53 0.0.0.0:* 4190/dnsmasq
udp 0 0 :::53 :::* 4190/dnsmasq
unix 2 [ ] DGRAM 1861 4190/dnsmasq
[Expert@1500]#

Re: Are the SMB devices vulnerable to DNSpooQ?

PhoneBoy — Fri, 22 Jan 2021 00:18:31 GMT

That's an old SK that doesn't reference this particular issue.
In any case, we're not vulnerable because:

We don't use DNSSEC
We only use local zones and not registered ones

See: https://kb.cert.org/vuls/id/434904

Re: Are the SMB devices vulnerable to DNSpooQ?

Steffen_Appel — Fri, 22 Jan 2021 07:56:44 GMT

That is a different bug from 13 years ago.

Re: Are the SMB devices vulnerable to DNSpooQ?

Steffen_Appel — Fri, 22 Jan 2021 07:56:00 GMT

The second set of issues does not requie DNSSEC:

JSOF also reported vulnerabilities in DNS response validation that can result in DNS cache poisoning.

CVE-2020-25684: Dnsmasq does not validate the combination of address/port and the query-id fields of DNS request when accepting DNS responses
CVE-2020-25685: Dnsmasq uses a weak hashing algorithm (CRC32) when compiled without DNSSEC to validate DNS responses
CVE-2020-25686: Dnsmasq does not check for an existing pending request for the same name and forwards a new request thus allowing an attacker to perform a "Birthday Attack" scenario to forge replies and potentially poison the DNS cache

Seems like these one could be an issue.

Re: Are the SMB devices vulnerable to DNSpooQ?

G_W_Albrecht — Fri, 22 Jan 2021 08:06:56 GMT

I know - i can already read 8) and told you above i have only found something about the grandpa of these CVEs.

Re: Are the SMB devices vulnerable to DNSpooQ?

Steffen_Appel — Fri, 22 Jan 2021 08:11:53 GMT

Sure but once again, these are similar but really old.

Re: Are the SMB devices vulnerable to DNSpooQ?

PhoneBoy — Fri, 22 Jan 2021 08:31:31 GMT

To the best of my knowledge, we are not vulnerable to any of the issues mentioned.

Re: Are the SMB devices vulnerable to DNSpooQ?

G_W_Albrecht — Fri, 22 Jan 2021 08:44:47 GMT

Once again: I know. I have cited what i did find and not claimed to have found something about your issue. And i also know

sk35623: Hide NAT cancels DNS source port randomization.
sk35624: Preventing DNS cache poisoning when reusing source ports.

Re: Are the SMB devices vulnerable to DNSpooQ?

Steffen_Appel — Fri, 22 Jan 2021 09:35:47 GMT

Yes but unreletant bugs are not useful to answer the question 🙂

Re: Are the SMB devices vulnerable to DNSpooQ?

Steffen_Appel — Fri, 22 Jan 2021 09:37:18 GMT

Could you please check with R&D as the version on the appliance is 2.78 and the first unaffected is 2.83.

Thank you.

Re: Are the SMB devices vulnerable to DNSpooQ?

John_Fleming — Fri, 22 Jan 2021 13:48:43 GMT

Or you know since its GPL code you could give access to customers so they could see for themselves.

Re: Are the SMB devices vulnerable to DNSpooQ?

PhoneBoy — Fri, 29 Jan 2021 04:21:45 GMT

When we say “not vulnerable” that generally means one of two things:

We patched the vulnerable code already (often without updating the version)
Due to configuration/usage, it is not possible to exploit the vulnerability remotely.

I recommend a TAC case if you would like a more formal answer.

Re: Are the SMB devices vulnerable to DNSpooQ?

G_W_Albrecht — Sun, 24 Jan 2021 09:41:44 GMT

See for themselves ? How ? All customers i know of are absolutely GPL code blind 8). I would suggest that CP answers the question once for all instead.

Re: Are the SMB devices vulnerable to DNSpooQ?

G_W_Albrecht — Sun, 24 Jan 2021 09:45:04 GMT

Did you ever read these "unreletant" SKs ? Silently shaking my head...

Re: Are the SMB devices vulnerable to DNSpooQ?

PhoneBoy — Mon, 25 Jan 2021 07:43:54 GMT

We're all trying to help out.
Let's keep it friendly 🙂

Re: Are the SMB devices vulnerable to DNSpooQ?

Steffen_Appel — Tue, 26 Jan 2021 09:59:12 GMT

I opened a TAC case, let's see what they will answer.

Re: Are the SMB devices vulnerable to DNSpooQ?

Steffen_Appel — Tue, 26 Jan 2021 13:43:47 GMT

According to https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq-Technical-WP.pdf, the SMB use -c 0 on dnsmasq and thereby disable the cache and avoid the attack by this