DNSpooq bugs let attackers hijack DNS on millions of devices

Israel-based security consultancy firm JSOF disclosed today seven Dnsmasq vulnerabilities, collectively known as DNSpooq, that can be exploited to launch DNS cache poisoning and remote code execution against millions of affected devices.

Dnsmasq is a popular and open-source Domain Name System (DNS) forwarding software that adds DNS caching and Dynamic Host Configuration Protocol (DHCP) server capabilities to networking equipment it runs on.

The full number of affected devices, and the names of all companies shipping Dnsmasq versions vulnerable to DNSpooq attacks, are not yet known.

However, JSOF's report lists 40 vendors, including Android/Google, Comcast, Cisco, Red Hat, Netgear, Qualcomm, Linksys, IBM, D-Link, Dell, Huawei, and Ubiquiti.

Behind the DNSpooq vulnerabilities

Three of the DNSpooq vulnerabilities (tracked as CVE-2020-25684, CVE-2020-25685, and CVE-2020-25686) allow DNS cache poisoning attacks (also known as DNS spoofing).

DNS cache poisoning is an attack technique that lets threat actors replace the legitimate DNS records cached on a device with records of their choosing.

Using this attack, threat actors can redirect users to malicious servers under their control, while to the visitors it appears as if they are visiting the legitimate site.

This allows the attackers to perform phishing attacks, steal credentials, or distribute malware from what is perceived as a trusted company.

The best-known DNS cache poisoning attack was disclosed by security researcher Dan Kaminsky in 2008, when he showed that widely deployed DNS resolver software could be exploited to impersonate any domain name and intercept the data sent to it.
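To make the attack concrete, here is an added example in Python; it is not code from JSOF's report or from Dnsmasq. It models the two things a cache-poisoning attacker needs: an outstanding query whose 16-bit transaction ID they can guess, and a cache that accepts a forged response without further checks. The `strict` mode adds the generic defenses that became standard after Kaminsky's 2008 disclosure (match the upstream source address and the randomized source port, match the question, and only cache records for the name that was asked about); it does not model the specific Dnsmasq flaws, which the article does not detail. The `ForwarderCache` class, the addresses and the host names are all constructed for the example.

```python
from __future__ import annotations

import struct
import secrets


def encode_name(name: str) -> bytes:
    """Dotted hostname -> DNS wire-format labels (no compression pointers)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(pkt: bytes, off: int) -> tuple[str, int]:
    """Read uncompressed labels at `off`; return (name, offset past the zero byte)."""
    labels = []
    while pkt[off] != 0:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_response(txid: int, qname: str, answers: list[tuple[str, str, int]]) -> bytes:
    """Minimal DNS response: header, one A/IN question, one A record per answer."""
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR|RD|RA, NOERROR
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)               # QTYPE=A, QCLASS=IN
    for name, ip, ttl in answers:
        pkt += encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4)
        pkt += bytes(int(octet) for octet in ip.split("."))
    return pkt


def parse_response(pkt: bytes) -> dict:
    """Parse a response built above into its txid, question name and A answers."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    off += 4  # skip QTYPE/QCLASS of the question
    answers = []
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "qname": qname, "answers": answers}


class ForwarderCache:
    """Toy forwarding cache (constructed, not Dnsmasq). strict=False accepts any response
    whose TXID matches an outstanding query; strict=True also requires the upstream source
    address, the randomized source port and the question to match, and caches only records
    for the name that was asked about."""
    UPSTREAM = "192.0.2.53"  # constructed upstream resolver address

    def __init__(self, strict: bool):
        self.strict = strict
        self.cache: dict[str, str] = {}
        self.pending: dict[int, tuple[int, str]] = {}  # txid -> (source port, qname)

    def send_query(self, qname: str) -> tuple[int, int]:
        """Record an outstanding query with a random 16-bit TXID and source port."""
        txid, sport = secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512)
        self.pending[txid] = (sport, qname)
        return txid, sport

    def receive(self, pkt: bytes, src_ip: str, dst_port: int) -> bool:
        """Return True if the response was accepted and its records cached."""
        msg = parse_response(pkt)
        if msg["txid"] not in self.pending:
            return False  # no outstanding query with this TXID
        sport, qname = self.pending[msg["txid"]]
        if self.strict and (src_ip != self.UPSTREAM or dst_port != sport
                            or msg["qname"] != qname):
            return False  # wrong sender, wrong port, or an answer to a different question
        for name, ip, _ttl in msg["answers"]:
            if self.strict and name != qname:
                continue  # simplified bailiwick check: ignore records for other names
            self.cache[name] = ip
        del self.pending[msg["txid"]]
        return True


LEGIT_IP = "203.0.113.10"     # constructed: genuine address of www.example.com
ATTACKER_IP = "198.51.100.7"  # constructed: attacker-controlled server


def run_attack(strict: bool, attacker_spoofs_path: bool = False) -> dict[str, str]:
    """The cache asks for www.example.com; an attacker who guessed the TXID injects a forged
    answer that also smuggles a record for login.example.com; then the genuine answer arrives.
    Returns the resulting cache contents."""
    fwd = ForwarderCache(strict)
    txid, sport = fwd.send_query("www.example.com")
    forged = build_response(txid, "www.example.com", [("www.example.com", ATTACKER_IP, 86400),
                                                      ("login.example.com", ATTACKER_IP, 86400)])
    if attacker_spoofs_path:  # blind attacker also guessed the port and spoofed the upstream IP
        fwd.receive(forged, src_ip=ForwarderCache.UPSTREAM, dst_port=sport)
    else:                     # attacker sends from its own host to the well-known port 53
        fwd.receive(forged, src_ip=ATTACKER_IP, dst_port=53)
    genuine = build_response(txid, "www.example.com", [("www.example.com", LEGIT_IP, 300)])
    fwd.receive(genuine, src_ip=ForwarderCache.UPSTREAM, dst_port=sport)
    return dict(fwd.cache)
```

Calling `run_attack` three ways shows the three outcomes that matter: the weak cache ends up mapping both www.example.com and the smuggled login.example.com to the attacker and then ignores the genuine answer because the pending entry is already consumed; the strict cache rejects the forgery and keeps the genuine record; and when a blind attacker has guessed both TXID and source port and spoofed the upstream address, the strict cache is still poisoned for www.example.com, although the out-of-bailiwick login.example.com record is dropped. That last case is the point of the checks: they do not make forgery impossible, they force the attacker to hit all of the entropy the resolver actually verifies, which is why any shortcut in those checks matters.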

DNS spoofing (Source: JSOF)

“Traffic that might be subverted includes regular Internet browsing as well as other types of traffic, such as emails, SSH, remote desktop, RDP video and voice calls, software updates, and so on,” JSOF’s report explains.

Hypothetical attack scenarios also include JavaScript-fueled Distributed Denial of Service (DDoS), reverse DDoS, and wormable attacks in the case of mobile devices that switch networks regularly.

The remaining four are buffer overflow vulnerabilities, tracked as CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, and CVE-2020-25687, that…


Samsung fixes critical Android bugs in December 2020 updates

This week Samsung started rolling out Android's December security updates to its mobile devices, patching critical vulnerabilities in the operating system and related components.

This follows Google's publication of the Android security bulletin for December 2020, which includes patches for critical vulnerabilities affecting the latest devices.

As observed by BleepingComputer, Samsung Galaxy devices are this week automatically pulling the updates that were released on December 7, 2020.

These updates consist mainly of security fixes, along with possible device stability improvements.

Samsung Galaxy Android December 2020 updates being rolled out today (Source: BleepingComputer)

Every vulnerability addressed by this update has either a 'High' or 'Critical' severity rating, making it a must-install for Android users who want their devices to remain protected.

RCE, Privilege escalation, and Denial of Service (DoS)

Among them is a critical-severity vulnerability, CVE-2020-0458, in the Android Media Framework, arising from a buffer overflow and fixed by this update.

The vulnerability could let a remote attacker execute arbitrary code (RCE) in the context of a privileged process by using a specially crafted file.

Fix commit for the RCE flaw in Media Framework (CVE-2020-0458)

Other flaws, affecting components such as Framework and System, could allow disclosure of sensitive information and bypass of user-interaction requirements, i.e. a malicious app could gain additional permissions on a vulnerable device without the user's approval.

The list of vulnerabilities patched by this update includes:


CVE             References                     Type  Severity  Updated AOSP versions
CVE-2020-0099   A-141745510                    EoP   High      8.0, 8.1, 9, 10
CVE-2020-0294   A-154915372                    EoP   High      8.0, 8.1, 9, 10
CVE-2020-0440   A-162627132 [2]                EoP   High      11
CVE-2020-0459   A-159373687 [2] [3] [4] [5]    ID    High      8.0, 8.1, 9, 10
CVE-2020-0464   A-150371903 [2]                ID    High      10
CVE-2020-0467   A-168500792                    ID    High      8.1, 9, 10, 11
CVE-2020-0468   A-158484422                    ID    High      10, 11
CVE-2020-0469   A-168692734                    DoS   High      11

CVE             References                     Type  Severity  Updated AOSP versions
CVE-2020-0458   A-160265164 [2]                RCE   Critical  8.0, 8.1, 9, 10
CVE-2020-0470   A-166268541                    ID    High      10, 11

Type abbreviations: EoP = elevation of privilege, ID = information disclosure, DoS = denial of service, RCE = remote code execution.


Mysterious Bugs Were Used to Hack iPhones and Android Phones and No One Will Talk About It



Google’s elite teams of bug and malware hunters found and disclosed a flurry of high impact vulnerabilities in Chrome, Android, Windows, and iOS last week. The internet giant also said that these various vulnerabilities were all “actively exploited in the wild.” In other words, hackers were using these bugs to actually hack people, which is concerning. 

What's more, all these vulnerabilities are in some way related to each other, Motherboard has learned. That potentially means the same hackers were using them. According to the disclosure reports, some bugs were in font libraries, others were used to escape the sandbox in Chrome, and others were used to take control of the whole system, suggesting some of these bugs were part of a chain of vulnerabilities used to exploit victims' devices.

So far, very little information has come out about who may have been using the exploits and who they were targeting. Often, bugs in modern software are found and are ethically disclosed by security researchers, which means that they are fixed before they are widely exploited to hack people. In this case, however, we know that the bugs were being used for hacking operations. 

Last year, Google found a series of zero-days—vulnerabilities that at the time of discovery are unknown to the software maker—that spies were using to target the Uighur community. China has conducted a widespread, systemic campaign of physical and technical oppression and surveillance against the Muslim minority. 

“This feels like spy shit.”

Unfortunately, this time we don’t know any details because Google—the only company that has the whole story behind these bugs—has not said much at all about how it found the bugs, who was using them, and whom they were being used against. Notably, an update pushed to iOS 12 (which is two years old) patched the issue on phones dating back to the iPhone 5s and iPhone 6. Often, when updates are pushed to such old devices it means the bug is particularly bad, but, again, we do not know the specifics at this time.

“The fact that they updated iPhone 6 users means it was bad,” said a cybersecurity expert who asked not to be named because he wasn’t allowed…


Update iOS Right Now to Fix Some Bad Security Bugs

Congratulations, the week that somehow lasted four months is finally over. At the time of writing this post, the Associated Press still hadn't called a winner in the United States presidential election. (Donald Trump tried to declare victory early Wednesday morning, but it doesn't work like that. At all.) While you wait, let's get you caught up on some security news you might have missed while you were watching maps change color on cable news.

Earlier this week, the cryptocurrency world had a mystery on its hands when someone emptied a billion dollars from a bitcoin wallet that had sat untouched for years. (Yes, billion.) The sleuthing was short-lived; it turned out that the IRS had tracked down the wallet's owner after establishing that the so-called Individual X had amassed the trove in the first place by hacking the Silk Road seven years ago. It's the biggest cryptocurrency seizure in US history, and it's not even close. Law enforcement also shut down a West Virginia man who was allegedly selling 3D-printed machine gun components, barely disguised as wall hangers, to so-called Boogaloo Boys extremists.

Some privacy strides were made this week in various corners. Zoom has finally added real end-to-end encryption, so we walked through how to turn it on and what you have to give up to do so. WhatsApp added disappearing messages, although with less flexibility than other encrypted platforms give you. And while the presidential race remains in doubt, privacy-friendly ballot initiatives comfortably passed in both Michigan and California.

To round out the election news, we took a look at how smoothly Election Day itself went, and how you can thank years of overdue investment and smart decisions for it. We also enjoyed this livestream of ballot-counting in Philadelphia—and explained how every step of the process works.

And there’s more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.

Apple released its latest iOS update this week, and while the new emojis it comes with are exciting, you’ll also want it to fix a raft of security issues for iPhone and…