Zyxel security advisory for DNSpooq

Nebula_Adam
Nebula_Adam Posts: 70  Zyxel Employee
edited January 21 in Security Advisories

Zyxel security advisory for DNSpooq 


CVE: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685

    CVE-2020-25686, CVE-2020-25687


Summary

Zyxel will release patches for products affected by the Dnsmasq vulnerabilities reported by CERT/CC. Users are advised to install the applicable firmware updates or follow the best practices for optimal protection.


What is the vulnerability?

Dnsmasq, open-source software that provides DNS forwarding and caching, has two sets of vulnerabilities, as listed below. Dubbed as DNSpooq, these vulnerabilities could allow an attacker to corrupt memory on the target device and perform cache poisoning attacks against the target environment.

  • Memory corruption vulnerabilities due to boundary checking errors in DNSSEC handling code.

    (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, and CVE-2020-25687)

  • DNS response validation vulnerabilities that can result in DNS cache poisoning.

    (CVE-2020-25684, CVE-2020-25685, and CVE-2020-25686)


What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified products that make use of the Dnsmasq software and confirmed that these products are only affected by the DNS response validation vulnerabilities with medium severity. We’ll include the solution in the affected products’ next regular firmware releases to address the issues, as shown in the table below. For optimal protection, we urge users to install the applicable updates when they become available or follow CERT/CC’s best practices when protecting DNS infrastructure before the firmware updates become available:

  • Protect your DNS clients and DNS client software using stateful-inspection firewall that can provide application security.

  • Provide secure DNS recursion service with features such as DNSSEC validation and the interim 0x20-bit encoding as part of enterprise DNS services where applicable.

  • Prevent exposure of IoT devices and lightweight devices directly over the Internet to minimize abuse of DNS.

  • Regularly update software and embedded firmware to the latest available version and the recommended secure configuration suitable for your operations environment (e.g., disable caching if not needed or provided by an upstream server).

Please note that the table does NOT include customized models for internet service providers (ISPs). For ISP customers, please contact your Zyxel representative for further details. For end-users, please contact your local Zyxel support team or visit our forum if you require further assistance.

Affected series/models

Patch available in

CPE

AX7501-B0

V5.15(ABPC.1)C0 in June 2021

DX5510-B0

V5.17(ABVV.1)C0 in Dec 2021

EMG3525-T50B

V5.50(ABPM.6)C0 in June 2021

EMG5523-T50B

V5.50(ABPM.6)C0 in June 2021

EMG5723-T50K

V5.50(ABOM.7)C0 in June 2021

EMG6726-B10A

V5.13(ABNP.7)C0 in Dec 2021

EX3510-B0

V5.17(ABUP.4)C0 in Dec 2021

EX5501-B0

V5.15(ABRY.2)C0 in June 2021

EX5510-B0

V5.17(ABQX.4)C0 in Dec 2021

VMG1312-T20B

V5.50(ABSB.5)C0 in June 2021

VMG3625-T50B

V5.50(ABPM.6)C0 in June 2021

VMG3927-B50A_B60A

V5.15(ABMT.7)C0 in June 2021

VMG3927-B50B

V5.13(ABLY.7)C0 in Dec 2021

VMG3927-T50K

V5.50(ABOM.7)C0 in June 2021

VMG4005-B50B

V5.13(ABRL.5)C0 in Dec 2021

VMG4927-B50A

V5.13(ABLY.7)C0 in Dec 2021

VMG8623-T50B

V5.50(ABPM.6)C0 in June 2021

VMG8825-B50A_B60A

V5.15(ABMT.7)C0 in June 2021

VMG8825-Bx0B

V5.15(ABNY.7)C0 in June 2021

VMG8825-T50K

V5.50(ABOM.7)C0 in June 2021

XMG3927-B50A

V5.15(ABMT.7)C0 in June 2021

XMG8825-B50A

V5.15(ABMT.7)C0 in June 2021

ONT

PMG2005-T20D

V1.00(ABWX.1)C0 in Q2 2021

PMG5317-T20B

V5.40(ABKI.4)C0 in Q2 2021

PMG5617GA

V5.40(ABNA.2)C0 in Q2 2021

PMG5622GA

V5.40(ABNB.2)C0 in Q2 2021

LTE

LTE1566

V1.00(ABUD.3)C0*

LTE2566

V1.00(ABTW.3)C0*

LTE3202

V1.00(ABVM.3)C0*

LTE3301

V1.00(ABLG.5)C0*

LTE3301Plus

V1.00(ABQU4)C0 in Q2 2021

LTE3302

V1.00(ABLM.5)C0*

LTE3316

V1.00(ABMP.5)C0*

LTE5366

V1.00(ABKA.2)C0*

LTE7460

V1.00(ABFR.6)C0*

LTE7461

V2.00(ABQN.3)C0 in Q2 2021

LTE7480

V1.00(ABRA.3)C0 in Q2 2021

LTE7485

V1.00(ABVN.3)C0 in Q2 2021

LTE7490

V1.00(ABQY.1)C0 in Q2 2021

WAH7601

V1.00(ABRH.3)C0*

WAH7608

V1.00(ABKW.2)C0*

WAH7706

V1.00(ABBC.12)C0*

Home router

NBG418v2

V1.00(AARP.10)C0 in Dec 2021

NBG6515

V1.00(AAXS.8)C0 in Dec 2021

NBG6604

V1.00(ABIR.6)C0 in Dec 2021

NBG6615

V1.00(ABMV.5)C0 in Dec 2021

NBG6817

V1.00(ABCS.11)C0 in Sep 2021

NBG6818

V1.00(ABSC.5)C0 in Sep 2021

NBG7815

V1.00(ABSK.6)C0 in Sep 2021

WSQ50

V2.20(ABKJ.5)C0 in Sep 2021

WSQ60

V2.20(ABND.6)C0 in Sep 2021

WSR30

V1.00(ABMY.12)C0 in Sep 2021

AP and AP controller

Unified Pro series

V6.20 in Mar 2021

Unified series

V6.20 in Mar 2021

Standalone series

V6.20 in Mar 2021

Cloud-managed series

V6.20 in Mar 2021

NXC2500/5500

V6.20 in Mar 2021

Firewall

VPN2S

Hotfix available upon request*

*Please reach out to your local Zyxel support team for the file.

Got a question or a tipoff?

Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact [email protected] and we’ll get right back to you.


Acknowledgment

Thanks to CERT/CC for reporting the issue to us.


Revision history

2021-1-21: Initial release



Adam
Sign In to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click on this button!