Last week, the team at CMU CERT Coordination Center updated a Vulnerability Note regarding Dnsmasq. Dnsmasq is an incredibly popular and widely deployed DNS resolver software found as part of IoT, embedded, and SOHO router deployments around the world.
This specific attack is interesting, because it can be used to not only cause denial of service attacks (DDoS), but also it can be used to redirect victims to malicious sites at the DNS level. This could allow for users to be tricked into giving up credentials, install malicious software, and many other nasty scenarios.
To help with the effort of notifying effected parties, one of our team members has worked up a list of impacted hosts. By using the DNS fingerprint dataset within our PureSignal™ Recon solution we were able to identify 2361 hosts in 650 ASNs that look to be impacted and in need of updating.
The full IP list, and other threat reporting, is shared daily via our CSIRT Assistance Program and our membership in various trust groups. If you see your network listed below and you’re not aware of how to get started receiving alerts please don’t hesitate to contact us.
As always, If you’re a researcher and have an IOC you’d like to see matched against our Pure Signal, drop me a line!