DNSpooq Vulnerability | Cradlepoint NCOS Advisory

Jesse Hall

Cradlepoint, MCA News

CPSEC-368: NetCloud OS (NCOS) Vulnerable to DNSpooq (DNSmasq)


Cradlepoint devices running NetCloud OS (NCOS) use dnsmasq for domain resolution, domain caching and DHCP services on the local LAN. Because DNS is a configurable service within NCOS, the possible configuration states and their potential impacts are listed below.


Affected Products


Affected Components: NCOS versions up to 7.21.20


Scope of Impact


Default Configuration: DNSSEC disabled


  • Cradlepoint Severity: Low/Medium (dependent upon environment)
  • Potentially Impacted: Local LAN users, clients, and services
  • Potential Attack Path: Local LAN
  • Associated CVEs:
    • CVE-2020-25684
    • CVE-2020-25685
    • CVE-2020-25686

Modified Configuration: DNSSEC enabled


  • Cradlepoint Severity: Medium/High (dependent upon environment)
  • Potentially Impacted:
    • Device and sub-services
    • Local LAN users, clients, and services
  • Potential Attack Path: Local LAN
  • Associated CVEs:
    • CVE-2020-25681
    • CVE-2020-25682
    • CVE-2020-25683
    • CVE-2020-25687

Modified Configuration: DNS services exposed on WAN


  • Cradlepoint Severity: Critical (dependent upon environment)
  • Potentially Impacted: See above
  • Potential Attack Paths:
    • WAN interfaces
    • Local LAN
  • Associated CVEs: See above

Recommended Actions


  • Promptly test and upgrade to the latest NCOS version upon release
  • Disable (do not enable) DNSSEC until patched
  • Authenticate clients to the LAN using 802.1X
  • Do not configure the firewall to expose DNS services (UDP port 53) on WAN interfaces

Support Contact Information


If you are not able to resolve the issue or successfully make a configuration change using our Community, please reach out to us by phone or chat. The Cradlepoint Technical Support number can be found once logged into https://customer.cradlepoint.com/s/contactsupport under the 'Contact Support' section.

Call (855) 813-3385, Option 2, to talk to the Support team, available 6 AM to 6 PM MST.


Security Bulletins


To see the latest security updates from Cradlepoint, please visit: https://cradlepoint.com/vulnerability-alerts/


Contact USAT


If you need help updating your Cradlepoint devices and have an active DevProv+ plan with USAT, please file a support ticket. If you're in need of new Cradlepoint Endpoints or Software, please reach out to us using one of the three contact methods detailed below.


For More Information:
