Zyxel security advisory for DNSpooq
CVE: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687
Zyxel will release patches for products affected by the Dnsmasq vulnerabilities reported by CERT/CC. Customers are advised to install the applicable firmware updates or follow the best practices for optimal protection.
What's the vulnerability?
Dnsmasq, open-source software that provides DNS forwarding and caching, has two sets of vulnerabilities, as listed below. Dubbed as DNSpooq, these vulnerabilities could allow an attacker to corrupt memory on the target device and perform cache poisoning attacks against the target environment.
- Memory corruption vulnerabilities due to boundary checking errors in DNSSEC handling code. (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, and CVE-2020-25687)
- DNS response validation vulnerabilities that can result in DNS cache poisoning. (CVE-2020-25684, CVE-2020-25685, and CVE-2020-25686)
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified products that make use of the Dnsmasq software and confirmed that these products are only affected by the DNS response validation vulnerabilities with medium severity. We’ll include the solution in the affected products’ next regular firmware releases to address the issues, as shown in the table below. For optimal protection, we urge customers to install the applicable updates when they become available or follow CERT/CC’s best practices when protecting DNS infrastructure before the firmware updates become available:
Protect your DNS clients and DNS client software using stateful-inspection firewall that can provide application security.
Provide secure DNS recursion service with features such as DNSSEC validation and the interim 0x20-bit encoding as part of enterprise DNS services where applicable.
Prevent exposure of IoT devices and lightweight devices directly over the Internet to minimize abuse of DNS.
Regularly update software and embedded firmware to the latest available version and the recommended secure configuration suitable for your operations environment (e.g., disable caching if not needed or provided by an upstream server).
Please note that the table does NOT include customized models for internet service providers (ISPs). For ISP customers with customized models, please contact your Zyxel representative for further details. For end-users who acquired your Zyxel device by an ISP, we recommend you reach out to the ISP support team directly, as the device may have custom-built settings.
|Affected series/models||Patch available in|
|DSL/Ethernet CPE and WiFi system|
|AX7501-B0||V5.15(ABPC.1)C0 in June 2021|
|DX4510-B0||V5.17(ABYL.0)C0 in Q2 2021|
|DX5510-B0||V5.17(ABVV.1)C0 in Dec 2021|
|EMG3524-T10A||V1.42(ABXU.0)C0 in Q2 2021|
|EMG3525-T50B||EMEA: V5.50(ABPM.6)C0 in June 2021
S. America: V5.50(ABSL.0)b9 in Q2 2021
|EMG5523-T50B||EMEA: V5.50(ABPM.6)C0 in June 2021
S. America: V5.50(ABSL.0)b9 in Q2 2021
|EMG5723-T50K||V5.50(ABOM.7)C0 in June 2021|
|EMG6726-B10A||V5.13(ABNP.7)C0 in Dec 2021|
|EX3510-B0||V5.17(ABUP.4)C0 in Dec 2021|
|EX5501-B0||V5.15(ABRY.2)C0 in June 2021|
|EX5510-B0||V5.17(ABQX.5)C0 in Dec 2021|
|VMG1312-T20B||V5.50(ABSB.5)C0 in June 2021|
|VMG3625-T50B||V5.50(ABPM.6)C0 in June 2021|
|VMG3927-B50A_B60A||V5.15(ABMT.7)C0 in June 2021|
|VMG3927-B50B||V5.13(ABLY.7)C0 in Dec 2021|
|VMG3927-T50K||V5.50(ABOM.7)C0 in June 2021|
|VMG4005-B50B||V5.13(ABRL.5)C0 in Dec 2021|
|VMG4927-B50A||V5.13(ABLY.7)C0 in Dec 2021|
|VMG8623-T50B||V5.50(ABPM.6)C0 in June 2021|
|VMG8825-B50A_B60A||V5.15(ABMT.7)C0 in June 2021|
|VMG8825-Bx0B||V5.15(ABNY.7)C0 in June 2021|
|VMG8825-T50K||V5.50(ABOM.7)C0 in June 2021|
|XMG3927-B50A||V5.15(ABMT.7)C0 in June 2021|
|XMG8825-B50A||V5.15(ABMT.7)C0 in June 2021|
|PMG2005-T20B||V1.00(ABNK.2)b12_C0 in Q3 2021|
|PMG2005-T20D||V1.00(ABUT.2)C0 in Q3 2021|
|PMG2005-T20E||N. America: V1.00(ABXY.1)C0 in Q3 2021
S. America: V1.00(ABUT.2)C0 in Q3 2021
|PMG5705-T10A||V1.10(ABUM.0)b8 in Q3 2021|
|5G NR/ 4G LTE CPE|
|LTE1566||V1.00(ABUD.3)C0 in Dec 2021|
|LTE2566||V1.00(ABTW.3)C0 in Dec 2021|
|LTE3202||V1.00(ABVM.3)C0 in Dec 2021|
|LTE3301||V1.00(ABLG.5)C0 in Dec 2021|
|LTE3301Plus||V1.00(ABQU4)C0 in Sep 2021|
|LTE3302||V1.00(ABLM.5)C0 in Dec 2021|
|LTE3316||V1.00(ABMP.5)C0 in Dec 2021|
|LTE3316v2||V2.00(ABMP.5)C0 in Dec 2021|
|LTE5366||V1.00(ABKA.2)C0 in Dec 2021|
|LTE5388-M804||V1.00(ABSQ.2)C0 in Dec 2021|
|LTE7240||V2.00(ABMG.4)C0 in Dec 2021|
|LTE7460||V1.00(ABFR.6)C0 in Dec 2021|
|LTE7461-M602||V2.00(ABQN.3)C0 in Sep 2021|
|LTE7480-M804||V1.00(ABRA.3)C0 in Sep 2021|
|LTE7480-S905||V2.00(ABQT.4)C0 in Dec 2021|
|LTE7485-S905||V1.00(ABVN.4)C0 in Dec 2021|
|LTE7490||V1.00(ABQY.3)C0 in Sep 2021|
|WAH7601||V1.00(ABRH.3)C0 in Dec 2021|
|WAH7608||V1.00(ABKW.2)C0 in Dec 2021|
|WAH7706||V1.00(ABBC.13)C0 in Dec 2021|
|NR5101||V1.00(ABVC.1)C0 in May 2021|
|NR7101||V1.00(ABUV.3)C0 in Jun 2021|
|NR2101||V1.00(ABUS.4)C0 in Oct 2021|
*Please reach out to your local Zyxel support team for the file.
**The above list did not include products designed by our affiliate, Zyxel Networks. If you have questions regarding products that are not listed above, please visit here for the complete affected model list and the latest firmware release schedule.
Got a question or a tipoff?
Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact email@example.com and we’ll get right back to you.
Thanks to CERT/CC for reporting the issue to us.
2021-2-2: Initial release
2021-3-11: Updated the list of affected CPE and ONTs