Multiple Vendor DNS Cache Poisoning Vulnerability
If you haven’t yet heard, there is a new DNS cache poisoning vulnerability out today. It could allow an unauthorized party to provide fake DNS replies that would be accepted by your DNS server, though the likelihood of this occurring in the near future is slim at best.
SANS ISC has a good overview of the issue, and the following advice:
“If you run a caching DNS server, patch it soon. I wouldn’t say “today, while ignoring sane patch management”. But check with your vendor and follow their guidance. The world is not going to end today.”
dnsmasq, the DNS caching server in pfSense, appears to be vulnerable to this. m0n0wall, stock firmware in Linksys routers, dd-wrt, IPcop, Clarkconnect, among a long list of other projects also use it and are equally affected. (at the moment, “equally affected” means “not affected at all” but that may change in the coming weeks)
As soon as an updated dnsmasq is available, we will provide a pfSense update. It will be 1.2a release, with the only change from 1.2 release being the updated dnsmasq.
In the mean time, it’s not really anything to be concerned about. Patch what you can now. We’ll have a pfSense update out as quickly as possible, which largely relies on the dnsmasq developer making an update available. The details of the vulnerability will be disclosed at a conference on August 6, after which point exploitation may be reasonably accomplished. Unlike most vulnerabilities, it isn’t easy to determine the specific issue by looking at the source code changes or reverse engineering patches, which significantly reduces the chance someone will figure out the specific problem before it’s disclosed.