A set of previously unknown vulnerabilities in the DNS forwarder implementation of dnsmasq were disclosed on January 19, 2021. The vulnerabilities are collectively known as DNSpooq. Exploitation of these vulnerabilities could result in remote code execution or denial of service (DoS), or may allow an attacker to more easily forge DNS answers that can poison DNS caches, depending on the specific vulnerability. Multiple Cisco products are affected by these vulnerabilities. Cisco will release software updates that address these vulnerabilities. Any workarounds for a specific Cisco product or service will be documented in the relevant Cisco bugs, which are identified in the Vulnerable Products section of this advisory. Note: At the time of publication, no Cisco products were found to be affected by the remote code execution and DoS vulnerabilities, which are identified by the following Common Vulnerabilities and Exposures (CVE) IDs: CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25687 This advisory is available at the following link:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnsmasq-dns-2021-c5mrdf3g
A set of previously unknown vulnerabilities in the DNS forwarder implementation of dnsmasq were disclosed on January 19, 2021. The vulnerabilities are collectively known as DNSpooq.
Exploitation of these vulnerabilities could result in remote code execution or denial of service (DoS), or may allow an attacker to more easily forge DNS answers that can poison DNS caches, depending on the specific vulnerability.
Multiple Cisco products are affected by these vulnerabilities.
Cisco will release software updates that address these vulnerabilities. Any workarounds for a specific Cisco product or service will be documented in the relevant Cisco bugs, which are identified in the Vulnerable Products section of this advisory.
Note: At the time of publication, no Cisco products were found to be affected by the remote code execution and DoS vulnerabilities, which are identified by the following Common Vulnerabilities and Exposures (CVE) IDs:
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnsmasq-dns-2021-c5mrdf3g
Cisco investigated its product line to determine which products may be affected by these vulnerabilities.
The Vulnerable Products section includes Cisco bug IDs for each affected product or service. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.
Any product or service not listed in Vulnerable Products section of this advisory is to be considered not vulnerable.
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
At the time of this investigation, no Cisco products have been found to be affected by the remote code execution and DoS vulnerabilities.
Multiple Cisco products have been found to be susceptible to DNS cache poisoning attacks. The following table lists Cisco products that have been found to be susceptible to DNS cache poisoning attacks.
If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. If no version or date is listed for an affected component (indicated by a blank field and/or an advisory designation of Interim), Cisco is continuing to evaluate the fix and will update the advisory as additional information becomes available. After the advisory is marked Final, customers should refer to the associated Cisco bug(s) for further details.
| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Network Management and Provisioning | ||
| Cisco Aironet 1560 Series Access Points | CSCvv83754 | Wireless LAN Controller: 8.10.151.0 8.5.171.0 Catalyst 9800 Wireless Controller: 16.12.5 17.3.3 17.5.1 (Mar 2021) |
| Cisco Aironet 1810 Series OfficeExtend Access Points | CSCvv83754 | Wireless LAN Controller: 8.10.151.0 8.5.171.0 Catalyst 9800 Wireless Controller: 16.12.5 17.3.3 17.5.1 (Mar 2021) |
| Cisco Aironet 1810w Series Access Points | CSCvv83754 | Wireless LAN Controller: 8.10.151.0 8.5.171.0 Catalyst 9800 Wireless Controller: 16.12.5 17.3.3 17.5.1 (Mar 2021) |
| Cisco Aironet 1815 Series Access Points | CSCvv83754 | Wireless LAN Controller: 8.10.151.0 8.5.171.0 Catalyst 9800 Wireless Controller: 16.12.5 17.3.3 17.5.1 (Mar 2021) |
| Cisco Aironet 1830 Series Access Points | CSCvv83754 | Wireless LAN Controller: 8.10.151.0 8.5.171.0 Catalyst 9800 Wireless Controller: 16.12.5 17.3.3 17.5.1 (Mar 2021) |
| Cisco Aironet 1850 Series Access Points | CSCvv83754 | Wireless LAN Controller: 8.10.151.0 8.5.171.0 Catalyst 9800 Wireless Controller: 16.12.5 17.3.3 17.5.1 (Mar 2021) |
| Cisco Aironet 2800 Series Access Points | CSCvv83754 | Wireless LAN Controller: 8.10.151.0 8.5.171.0 Catalyst 9800 Wireless Controller: 16.12.5 17.3.3 17.5.1 (Mar 2021) |
| Cisco Aironet 3800 Series Access Points | CSCvv83754 | Wireless LAN Controller: 8.10.151.0 8.5.171.0 Catalyst 9800 Wireless Controller: 16.12.5 17.3.3 17.5.1 (Mar 2021) |
| Cisco Aironet 4800 Access Points | CSCvv83754 | Wireless LAN Controller: 8.10.151.0 8.5.171.0 Catalyst 9800 Wireless Controller: 16.12.5 17.3.3 17.5.1 (Mar 2021) |
| Cisco Business 100 Series Access Points | CSCvv83754 | 10.4.1.0 (Mar 2021) |
| Cisco Business 200 Series Access Points | CSCvv83754 | 10.4.1.0 (Mar 2021) |
| Cisco Catalyst 9100 Access Points | CSCvv83754 | Wireless LAN Controller: 8.10.151.0 Catalyst 9800 Wireless Controller: 16.12.5 17.3.3 17.5.1 (Mar 2021) |
| Cisco Catalyst IW6300 Access Points | CSCvv83754 | Wireless LAN Controller: 8.10.151.0 Catalyst 9800 Wireless Controller: 16.12.5 17.3.3 17.5.1 (Mar 2021) |
| Cisco ESW6300 Series Access Points | CSCvv83754 | Wireless LAN Controller: 8.10.151.0 Catalyst 9800 Wireless Controller: 16.12.5 17.3.3 17.5.1 (Mar 2021) |
| Cisco Policy Suite | CSCvv83241 | 21.1.0 |
| Routing and Switching - Enterprise and Service Provider | ||
| Cisco 1000 Series Connected Grid Routers (CGR1000 compute module) | CSCvv84554 | 15.9(3)M4 (Jul 2021) |
| Cisco IR800 Integrated Services Router (Guest OS) | CSCvv84553 | 15.9(3)M4 (Jul 2021) |
| Cisco Wireless Gateway for LoRaWAN | CSCvw00914 | 2.1.0.3 (Mar 2021) |
| Meraki Products | ||
| Cisco Meraki MR (all models) | N/A | Release no. TBD (Aug 2021) |
| Cisco Meraki MS (all models) | N/A | Release no. TBD (Aug 2021) |
| Cisco Meraki MV (all models) | N/A | Release no. TBD (Aug 2021) |
| Cisco Meraki MX (all models) | N/A | Release no. TBD (Aug 2021) |
| Cisco Meraki Z-Series (all models) | N/A | Release no. TBD (Aug 2021) |
| Routing and Switching - Small Business | ||
| Cisco RV042 Dual WAN VPN Router | CSCvv83789 | None planned |
| Cisco RV042G Dual Gigabit WAN VPN Router | CSCvv83789 | None planned |
| Cisco RV160x VPN Router | CSCvv83787 | 1.0.02.x (Mar 2021) |
| Cisco RV260x VPN Router | CSCvv83788 | 1.0.02.x (Mar 2021) |
| Cisco RV340W Dual WAN Gigabit Wireless-AC VPN Router | CSCvv83239 | 1.0.04.x (Mar 2021) |
| Cisco Small Business RV Series RV110W Wireless-N VPN Firewall | CSCvv83235 | None planned |
| Cisco Small Business RV Series RV215W Wireless-N VPN Router | CSCvv83237 | None planned |
| Cisco Small Business RV Series RV320 Dual Gigabit WAN VPN Router | CSCvv83238 | None planned |
| Cisco Small Business RV Series RV325 Dual WAN VPN Router | CSCvv83816 | None planned |
| Cisco Small Business RV130 Series VPN Routers | CSCvv83791 | None planned |
| Cisco Small Business RV130 VPN Router | CSCvv83236 | None planned |
| Unified Computing | ||
| Cisco Enterprise NFV Infrastructure Software (NFVIS) | CSCvw00975 | 4.5 (Mar 2021) |
| Voice and Unified Communications Devices | ||
| Cisco IP Conference Phone 7832 | CSCvv83246 | 14.0 (Mar 2021) |
| Cisco IP Conference Phone 8832 | CSCvv83250 | 14.0 (Mar 2021) |
| Cisco IP Phone 6800 Series with Multiplatform Firmware | CSCvv83248 | 11.3.4 (Jun 2021) |
| Cisco IP Phone 6821 with Multiplatform Firmware | CSCvw00982 | 11.3.4 (Jun 2021) |
| Cisco IP Phone 7800 Series with Multiplatform Firmware | CSCvv83243 | 11.3.4 (Jun 2021) |
| Cisco IP Phone 7800 Series | CSCvv83249 | 14.0 (Mar 2021) |
| Cisco IP Phone 8800 Series with Multiplatform Firmware | CSCvv83242 | 11.3.4 (Jun 2021) |
| Cisco IP Phone 8800 Series | CSCvv83242 | 14.0 (Mar 2021) |
| Cisco IP Phone 8865 | CSCvv83245 | 14.0 (Mar 2021) |
| Cisco SPA112 2-Port Phone Adapter | CSCvv83234 | None planned |
| Cisco SPA122 Analog Telephone Adapter (ATA) with Router | CSCvv83234 | None planned |
| Cisco SPA232D Multi-Line DECT Analog Telephone Adapter (ATA) | CSCvv83234 | None planned |
| Cisco Unified IP Phone 9951 | CSCvv83247 | None planned |
| Cisco Unified IP Phone 9971 | CSCvv83247 | None planned |
| Cisco Wireless IP Phone 8821 | CSCvw00918 | 11.0(6)SR1 (Apr 2021) |
| Video, Streaming, TelePresence, and Transcoding Devices | ||
| Cisco Expressway Series | CSCvv83227 | X12.7.1 |
| Cisco TelePresence Video Communication Server (VCS) | CSCvv83227 | X12.7.1 |
| Cisco Cloud Hosted Services | ||
| Cisco IP Phone 6800 Series | CSCvw01205 | 11.3.4 (Jun 2021) |
| Cisco Spark Calling | CSCvw00907 | X12.7.1 (Feb 2021) |
| Cisco Webex Teams (formerly Cisco Spark) | CSCvv83214 | None planned |
| Cisco Webex Room Phone | CSCvv87082 | 1.2(0)SR1 (Aug 2021) |
Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.
Cisco products that do not offer DNS server capabilities are not affected by these vulnerabilities. Cisco has also confirmed that Cisco IOS XE Software is not affected by any of these vulnerabilities.
At the time of publication, no Cisco products were found to be affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:
Remote Code Execution and Denial of Service Vulnerabilities
Multiple vulnerabilities in the DNSSEC implementation of dnsmasq could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on an affected device.
The vulnerabilities are due to improper memory management when the affected software processes DNS packets with DNSSEC data. An attacker could exploit these vulnerabilities by sending malicious DNS packets to be processed by the affected device.
When these packets are processed, an exploitable overflow condition may occur. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the underlying dnsmasq software or cause DoS condition on the affected device.
These vulnerabilities affect dnsmasq installations that match all of the following criteria:
These vulnerabilities have been assigned the following CVE IDs:
At the time of this investigation, no Cisco products have been found to be affected by these vulnerabilities.
DNS Cache Poisoning Attacks
Multiple weaknesses in the DNS server functionality of dnsmasq could allow an unauthenticated, remote attacker to more easily forge DNS answers that can poison DNS caches.
Each weakness results in dnsmasq accepting DNS answers based on checks that are performed on an amount of entropy that is lower than what is mandated by RFC 5452. The combination of these weaknesses would allow an attacker to mount a successful DNS cache poisoning attack with low traffic requirements.
These weaknesses affect dnsmasq installations that match all of the following criteria:
These weaknesses have been assigned the following CVE IDs:
Multiple Cisco products have been found to be susceptible to DNS cache poisoning attacks.
Any workarounds for a specific Cisco product or service will be documented in the relevant Cisco bugs, which are identified in the Vulnerable Products section of this advisory.
For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products section of this advisory.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory.
Cisco PSIRT is not aware of any malicious use of the vulnerabilities that are described in this advisory.
Cisco would like to thank Moshe Kol and Shlomi Oberman of JSOF for reporting these vulnerabilities, which were investigated and disclosed under the coordination of CERT/CC.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
| Version | Description | Section | Status | Date |
|---|---|---|---|---|
| 1.4 | Updated Webex Room Phone fixed release. | Vulnerable Products | Final | 2021-AUG-30 |
| 1.3 | Updated list of products confirmed not vulnerable. Removed list of products under investigation. | Affected Products, Products Confirmed Not Vulnerable | Final | 2021-APR-26 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
Vulmon