CPSEC-368: NetCloud OS (NCOS) Vulnerable to DNSpooq (DNSmasq)

2021-01-19 16:35:47

SUMMARY:

Cradlepoint devices running NetCloud OS (NCOS) use dnsmasq for domain resolution, domain caching and DHCP services on the local LAN. DNS is a configurable service within NCOS; therefore, the possible configuration states and their potential impacts are listed below.

Public Disclosure: https://www.jsof-tech.com/disclosures/dnspooq/

Affected Components: NCOS versions up to 7.21.20

Recommendations:

  • Promptly test and upgrade to the latest NCOS version upon release
  • Disable (do not enable) DNSSEC until patched
  • Authenticate clients to the LAN using 802.1X
  • Do not configure the firewall to expose DNS services (UDP port 53) on WAN interfaces

Default Configuration: DNSSEC disabled

  • Cradlepoint Severity: Low/Medium (dependent upon environment)
  • Potentially Impacted: Local LAN users, clients, and services
  • Potential Attack Path: Local LAN
  • Associated CVEs:
    • CVE-2020-25684
    • CVE-2020-25685
    • CVE-2020-25686

Modified Configuration: DNSSEC enabled

  • Cradlepoint Severity: Medium/High (dependent upon environment)
  • Potentially Impacted:
    • Device and sub-services
    • Local LAN users, clients, and services
  • Potential Attack Path: Local LAN
  • Associated CVEs:
    • CVE-2020-25681
    • CVE-2020-25682
    • CVE-2020-25683
    • CVE-2020-25687

Modified Configuration: DNS services exposed on WAN

  • Cradlepoint Severity: Critical (dependent upon environment)
  • Potentially Impacted: See above
  • Potential Attack Paths:
    • WAN interfaces
    • Local LAN
  • Associated CVEs: See above
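
To check the recommendation against exposing DNS services on WAN interfaces, the following added example (not Cradlepoint code) sends one DNS query to each address given on the command line and reports whether anything answers on UDP port 53. It is meant to be run from a host outside the router's WAN against addresses you administer; the function names and the example.com query name are assumptions of this example.

```python
import secrets
import socket
import struct
import sys


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS query (type A, class IN, recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def is_dns_response(data: bytes, txid: int) -> bool:
    """True if data is a DNS response (QR bit set) carrying our transaction ID."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)


def dns_answers_on(host: str, port: int = 53, timeout: float = 2.0,
                   name: str = "example.com") -> bool:
    """Send one query; any matching reply (even REFUSED) means the service is reachable."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (host, port))
            data, _ = s.recvfrom(4096)
        except OSError:  # timeout, unreachable, or resolution failure
            return False
    return is_dns_response(data, txid)


if __name__ == "__main__":
    # Usage: python3 check_wan_dns.py <WAN address> [<WAN address> ...]
    for addr in sys.argv[1:]:
        state = "EXPOSED" if dns_answers_on(addr) else "no answer"
        print(f"{addr}: UDP/53 {state}")
```

A "no answer" result from a single vantage point only shows that this path is filtered, so the firewall configuration should still be reviewed on the device.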