CVSS3: 8.1 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 8.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:P/I:P/A:C

EPSS: 0.159 Low
Percentile: 95.8%

Package upgrade
You need to update the affected dnsmasq package variant you’re using with the command below.
opkg update; opkg upgrade $(opkg list-installed dnsmasq* | cut -d' ' -f1)
Then verify that you are running a fixed version.
opkg list-installed dnsmasq*
The above command should output the following:
dnsmasq - 2.80-16.2 - for stable 19.07 release
dnsmasq - 2.83-1 - for master/snapshot
The fix is contained in the following and later versions:
OpenWrt 19.07: 19.07.6 (fixed by v19.07.6-0-gb12284a14ce9)
OpenWrt master: 2021-01-19 (fixed by reboot-15541-ge87c0d934c54)
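
To run the same check over `opkg list-installed` output collected from several routers, the sketch below is an added example, not part of the advisory or the OpenWrt tooling. It assumes it runs on an admin workstation with a `sort` that supports `-V`; the function names and sample lines are constructed for illustration, and the two version thresholds are the ones listed above.

```sh
#!/bin/sh
# Added example: flag dnsmasq package variants that are below the fixed
# versions named in the advisory. Function names are hypothetical.

FIXED_STABLE='2.80-16.2'   # advisory: stable 19.07 release
FIXED_MASTER='2.83-1'      # advisory: master/snapshot

# ver_ge A B: succeeds when version A >= version B.
# Assumption: "sort -V" ordering is close enough to opkg's for these
# numeric versions; on the router itself "opkg compare-versions" can be used.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# is_fixed VERSION: the 2.80 series is judged against the 19.07 fix,
# every other version against the master/snapshot fix.
is_fixed() {
    case "$1" in
        2.80-*) ver_ge "$1" "$FIXED_STABLE" ;;
        *)      ver_ge "$1" "$FIXED_MASTER" ;;
    esac
}

# audit: reads "name - version" lines (opkg list-installed format) on stdin,
# reports every dnsmasq* package, returns 1 if any is below the fix.
audit() {
    rc=0
    while read -r name sep ver rest; do
        case "$name" in dnsmasq*) ;; *) continue ;; esac
        if is_fixed "$ver"; then
            echo "FIXED $name $ver"
        else
            echo "NOT-FIXED $name $ver"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input, not output from a real device.
SAMPLE='dnsmasq - 2.80-16.2
dnsmasq-full - 2.80-16.1
dnsmasq-dhcpv6 - 2.82-10
busybox - 1.30.1-6'
printf '%s\n' "$SAMPLE" | audit || true
```
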
Configuration based mitigation
If upgrading is not possible, some of the issues can be mitigated through configuration changes. Note that these settings may have unintended side-effects.
To mitigate DNS cache poisoning, disable caching:
uci set dhcp.@dnsmasq[0].cachesize='0'
To mitigate the DNSSEC vulnerability, disable the DNSSEC feature:
uci set dhcp.@dnsmasq[0].dnssec='0'
Reduce the maximum number of queries allowed to be forwarded from 150 to 50:
uci set dhcp.@dnsmasq[0].dnsforwardmax='50'
Then commit the changes and restart dnsmasq:
uci commit dhcp
/etc/init.d/dnsmasq restart