OTPulse

DNSpooq - Dnsmasq Vulnerabilities in SCALANCE and RUGGEDCOM Devices

Monitor · CVSS 4 · SSA-646763 · Jan 19, 2021

  • Attack Vector: Network
  • Auth Required: None
  • Complexity: High
  • User Interaction: None needed
Summary

Security researchers discovered vulnerabilities in the dnsmasq DNS component (CVE-2020-25681 through CVE-2020-25687, collectively known as "DNSpooq"). Three of these vulnerabilities (CVE-2020-25684 through CVE-2020-25686) affect DNS response validation in SCALANCE and RUGGEDCOM industrial network devices. The vulnerabilities could allow manipulation of DNS responses, potentially redirecting network traffic or interrupting device connectivity.

What this means
What could happen
An attacker on the network could spoof DNS responses, causing devices to communicate with unintended hosts or services. This could disrupt connectivity to SCADA systems, engineering workstations, or critical services that the devices rely on.
Who's at risk
SCALANCE and RUGGEDCOM industrial-grade network devices used in manufacturing, utilities, and critical infrastructure. Specifically affected: RUGGEDCOM RM1224 managed switches, SCALANCE M-800 managed switches, SCALANCE S615 managed switches, SCALANCE SC-600 wireless controller, and SCALANCE W1750D wireless access points. These devices are used for backbone network connectivity and often sit in critical data paths for supervisory control.
How it could be exploited
An attacker with network access to the device's DNS traffic (either local network or if DNS traffic is routed through the Internet) can craft malicious DNS responses. The device's dnsmasq component does not properly validate these responses, allowing the attacker to redirect future DNS queries. This could redirect the device away from legitimate servers (control systems, time sync servers, updates) to attacker-controlled hosts.
Prerequisites
  • Network access to DNS traffic on the same network segment as the affected device
  • Device must be configured to use DNS resolution
  • Device must query unresolved hostnames (not using static IP addresses exclusively)
Tags: remotely exploitable · low complexity · no authentication required · affects network backbone devices · no patch available for SCALANCE W1750D
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (5)
4 with fix · 1 EOL

Product | Affected Versions | Fix Status
RUGGEDCOM RM1224 | < V6.4 | V6.4
SCALANCE M-800 | < V6.4 | V6.4
SCALANCE S615 | < V6.4 | V6.4
SCALANCE SC-600 | < V2.1.3 | V2.1.3
SCALANCE W1750D | All versions | No fix (EOL)
Remediation & Mitigation
Do now
SCALANCE W1750D
WORKAROUND: For SCALANCE W1750D, implement network segmentation to restrict DNS traffic to trusted internal DNS servers only; block Internet-bound DNS traffic at the firewall.
HARDENING: Disable DNS on SCALANCE W1750D if not actively required for device operation.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

RUGGEDCOM RM1224
HOTFIX: Update RUGGEDCOM RM1224 to firmware version 6.4 or later.
SCALANCE M-800
HOTFIX: Update SCALANCE M-800 to firmware version 6.4 or later.
SCALANCE S615
HOTFIX: Update SCALANCE S615 to firmware version 6.4 or later.
SCALANCE SC-600
HOTFIX: Update SCALANCE SC-600 to firmware version 2.1.3 or later.
Mitigations - no patch available
SCALANCE W1750D has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement DNS query filtering and monitoring on your network to detect suspicious DNS response patterns.
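As an added defender-side illustration of the "DNS query filtering and monitoring" control above (example code written for this page, not from OTPulse, Siemens or dnsmasq): it replays a constructed DNS query/response log and flags responses nobody asked for, responses from a resolver outside an assumed trusted set, and a second, conflicting answer to a query that was already answered, which is the race pattern a response-spoofing attempt leaves behind. The log format, addresses and trusted-resolver set are all constructed assumptions.

```python
# Constructed sample log (not captured from any real device). One record per
# line: "ts kind src dst txid qname qtype value"; queries carry "-" as value.
SAMPLE_LOG = """\
1.000 QUERY 10.0.0.5:53123 10.0.0.2:53 0x1a2b time.plant.local A -
1.010 RESPONSE 10.0.0.2:53 10.0.0.5:53123 0x1a2b time.plant.local A 10.0.0.20
1.020 RESPONSE 10.0.0.2:53 10.0.0.5:53123 0x1a2b time.plant.local A 203.0.113.9
1.030 RESPONSE 198.51.100.7:53 10.0.0.5:53124 0x9f00 scada.plant.local A 203.0.113.9
2.000 QUERY 10.0.0.5:53125 10.0.0.2:53 0x2c3d hmi.plant.local A -
2.005 RESPONSE 10.0.0.2:53 10.0.0.5:53125 0x2c3d hmi.plant.local A 10.0.0.30
"""

# Assumption: the site's internal resolvers that devices are allowed to use.
TRUSTED_RESOLVERS = {"10.0.0.2"}


def analyze(log_text, trusted=TRUSTED_RESOLVERS):
    """Return a list of (finding, log_line) pairs for suspicious DNS responses.

    A query is tracked by (client addr:port, transaction id, qname); a response
    is matched against that key. Three patterns are reported:
      untrusted_resolver   - response source IP is not an approved resolver
      unsolicited_response - no outstanding query matches the response
      conflicting_answer   - a later response disagrees with the first answer
    """
    pending = {}  # (client, txid, qname) -> first answer seen, or None
    findings = []
    for line in log_text.splitlines():
        _ts, kind, src, dst, txid, qname, _qtype, value = line.split()
        if kind == "QUERY":
            pending[(src, txid, qname)] = None
            continue
        if src.rsplit(":", 1)[0] not in trusted:
            findings.append(("untrusted_resolver", line))
        key = (dst, txid, qname)
        if key not in pending:
            findings.append(("unsolicited_response", line))
            continue
        first = pending[key]
        if first is not None and first != value:
            findings.append(("conflicting_answer", line))
        # Keep the first answer as the reference for later comparisons.
        pending[key] = value if first is None else first
    return findings


if __name__ == "__main__":
    for rule, line in analyze(SAMPLE_LOG):
        print(f"{rule:22} {line}")
```

In practice the same three checks can be run over a resolver's query log or a passive DNS capture on the segment carrying the affected devices; a burst of conflicting answers for one name is the signal worth alerting on.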