Security Advisory 2021-01-19-1 - dnsmasq multiple vulnerabilities (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687)

Package upgrade
You need to update the affected dnsmasq package variant you’re using with the command below.

 opkg update; opkg upgrade $(opkg list-installed dnsmasq* | cut -d' ' -f1)

Then verify, that you’re running fixed version.

 opkg list-installed dnsmasq*

The above command should output following:

 dnsmasq - 2.80-16.2  - for stable 19.07 release
 dnsmasq - 2.83-1     - for master/snapshot

The fix is contained in the following and later versions:

• OpenWrt 19.07: 19.07.6 (fixed by v19.07.6-0-gb12284a14ce9)

• OpenWrt master: 2021-01-19 (fixed by reboot-15541-ge87c0d934c54)

Configuration based mitigation
If upgrading is not possible, it is possible to mitigate some of the issues through configuration changes. Note that these settings may have unintended side-effects.

Mitigation for DNS cache poisoning is disabling of caching:

 uci set dhcp.@dnsmasq[0].cachesize='0'

Mitigation for DNSSEC vulnerability is disabling of DNSSEC feature:

 uci set dhcp.@dnsmasq[0].dnssec='0'

Reduce the maximum of queries allowed to be forwarded from 150 to 50:

 uci set dhcp.@dnsmasq[0].dnsforwardmax='50'

Then you should commit changes and restart dnsmasq:

 uci commit dhcp
 /etc/init.d/dnsmasq restart

*[DNS]: Domain Name System