dnsmasq by Simon Kelley (Update A)

MonitorCVSS 4ICS-CERT ICSA-21-019-01Jan 19, 2021

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

dnsmasq open-source DNS component versions before 2.83 contain three vulnerabilities (CVE-2020-25684 through CVE-2020-25686) that fail to properly validate DNS responses, allowing DNS spoofing attacks. The vulnerabilities affect Siemens RUGGEDCOM RM1224, SCALANCE M-800, SCALANCE S615, SCALANCE SC-600, and SCALANCE W1750D devices that rely on dnsmasq for DNS resolution. An attacker can send crafted DNS responses to redirect queries to malicious servers without needing credentials or user interaction. Siemens has released patches for most products (firmware 6.4 for RM1224/M-800/S615, 2.1.3 for SC-600) but states SCALANCE W1750D has no fix planned.

What this means

What could happen

An attacker could redirect DNS traffic from affected network devices to malicious servers, potentially causing the device to connect to wrong control servers or receive incorrect operational commands. For devices without patches available, DNS spoofing could be a persistent threat requiring compensating controls.

Who's at risk

Siemens industrial network devices that use dnsmasq for DNS services: RUGGEDCOM RM1224 and SCALANCE M-800, S615, and SC-600 series managed switches used in industrial networks for edge routing and security; SCALANCE W1750D wireless access points. Water utilities and electric utilities using these devices for control network communications are affected.

How it could be exploited

An attacker with network access to the same Layer 2 network or upstream from the affected device could send specially crafted DNS responses that bypass dnsmasq validation logic, redirecting DNS queries to malicious servers. The attacker does not need valid credentials or to interact with users.

Prerequisites

Network access to Layer 2 network or upstream DNS path
Ability to send crafted DNS responses before legitimate responses arrive
dnsmasq service active and processing DNS queries

remotely exploitableno authentication requiredlow complexityno patch available for SCALANCE W1750Daffects network-critical infrastructure devices

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (5)

4 with fix1 EOL

ProductAffected VersionsFix Status

RUGGEDCOM RM1224<V6.46.4

SCALANCE M-800<V6.46.4

SCALANCE S615<V6.46.4

SCALANCE SC-600<V2.1.32.1.3

SCALANCE W1750DAll versionsNo fix (EOL)

Remediation & Mitigation

0/7

Do now

0/4

SCALANCE W1750D

HARDENINGFor SCALANCE W1750D and other devices without patches, implement Layer 2 security features such as DHCP snooping and IP source guard

All products

HARDENINGConfigure dnsmasq to not listen on WAN (wide area network) interfaces if DNS queries from external networks are not required

WORKAROUNDReduce the maximum DNS queries dnsmasq forwards by setting --dns-forward-max parameter to a lower value (less than default of 150)

WORKAROUNDDisable DNSSEC validation in dnsmasq temporarily until patches are applied

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

RUGGEDCOM RM1224

HOTFIXUpdate RUGGEDCOM RM1224, SCALANCE M-800, SCALANCE S615 to firmware version 6.4 or later

SCALANCE SC-600

HOTFIXUpdate SCALANCE SC-600 to firmware version 2.1.3 or later

All products

HARDENINGConfigure upstream DNS connections to use DNS-over-HTTPS or DNS-over-TLS encryption

CVEs (3)

CVE-2020-25684 CVE-2020-25685 CVE-2020-25686

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/257b5a9a-32f0-4212-a159-c7b23ccd79fd

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.