The vulnerabilities likely affect all Gargoyle versions. Two of the seven have real impact on a default configuration; the remaining five only affect users who have customised their configuration to use DNSSEC features.
At this point in time, OpenWrt has not decided to backport the fixes to the 18.06 branch, which is the branch Gargoyle 1.12.x is based on. Therefore 1.12.x (and earlier) will not receive an update to fix this issue, and it is recommended that you follow the Mitigation section below for these versions.
For 1.13.x (unreleased) or any builds based on the latest master branch of Gargoyle, a patch has been pulled in as of 26/01/2021. It is recommended that you upgrade to a new version when it becomes available, or build a new one yourself. If this is not something you are comfortable with, you can also follow the Mitigation section below.
Mitigation
If you cannot upgrade to a later version of dnsmasq, you can mitigate the vulnerabilities by running the following commands on the router:
Disabling caching mitigates the cache poisoning issues, because a forged answer can no longer be stored and served to later clients. The cost is that every lookup is forwarded upstream:
uci set dhcp.@dnsmasq[0].cachesize='0'
Disabling DNSSEC validation keeps the affected DNSSEC code paths from being reached (this is a no-op if you never enabled DNSSEC, which is off by default):
uci set dhcp.@dnsmasq[0].dnssec='0'
Lowering the maximum number of concurrent forwarded queries (dnsmasq's default is 150) limits how many outstanding queries an attacker can try to match with forged replies:
uci set dhcp.@dnsmasq[0].dnsforwardmax='50'
Commit the changes and restart dnsmasq so they take effect:
uci commit dhcp && /etc/init.d/dnsmasq restart
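As an added example (not code from the original post or from the Gargoyle project), the following POSIX shell script checks whether the three mitigations above are actually present in a dhcp config, using the output format of `uci show dhcp`, and applies the post's commands only where `uci` exists. The two sample `uci show` outputs, and the function names `uci_opt`, `check_mitigation` and `apply_mitigation`, are constructed for this example; the defaults assumed for unset options are dnsmasq's own (cache-size 150, dns-forward-max 150) and OpenWrt's (dnssec off).

```shell
#!/bin/sh
# Added example, not code from the original post or the Gargoyle project.
# Verifies the three dnsmasq mitigations in `uci show dhcp` output and can
# apply them on a router. Sample outputs below are constructed for offline use.

# Constructed sample: typical `uci show dhcp` lines for the first dnsmasq
# section of an unmitigated router (values quoted the way uci prints them).
SAMPLE_UNMITIGATED=$(cat <<'EOF'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].cachesize='150'
dhcp.@dnsmasq[0].dnssec='1'
dhcp.@dnsmasq[0].dnsforwardmax='150'
EOF
)

# Constructed sample: the same section after the mitigation commands.
SAMPLE_MITIGATED=$(cat <<'EOF'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].cachesize='0'
dhcp.@dnsmasq[0].dnssec='0'
dhcp.@dnsmasq[0].dnsforwardmax='50'
EOF
)

# uci_opt TEXT NAME DEFAULT: print the value of dhcp.@dnsmasq[0].NAME found in
# uci-show output (quotes stripped), or DEFAULT when the option is absent.
uci_opt() {
    uci_val=$(printf '%s\n' "$1" | sed -n "s/^dhcp\.@dnsmasq\[0\]\.$2=//p" | tr -d "'")
    if [ -n "$uci_val" ]; then printf '%s\n' "$uci_val"; else printf '%s\n' "$3"; fi
}

# check_mitigation TEXT: report each setting and return 0 only when caching is
# off, DNSSEC validation is off and dnsforwardmax is at most 50. Assumed
# defaults for unset options: cache-size 150, dns-forward-max 150, dnssec off.
check_mitigation() {
    cache=$(uci_opt "$1" cachesize 150)
    dnssec=$(uci_opt "$1" dnssec 0)
    fwdmax=$(uci_opt "$1" dnsforwardmax 150)
    rc=0
    if [ "$cache" -eq 0 ]; then
        echo "cachesize=$cache: caching disabled, forged answers cannot be stored"
    else
        echo "cachesize=$cache: cache still enabled"; rc=1
    fi
    if [ "$dnssec" -eq 0 ]; then
        echo "dnssec=$dnssec: DNSSEC validation off, DNSSEC code paths not reached"
    else
        echo "dnssec=$dnssec: DNSSEC validation enabled"; rc=1
    fi
    if [ "$fwdmax" -le 50 ]; then
        echo "dnsforwardmax=$fwdmax: outstanding forwarded queries capped"
    else
        echo "dnsforwardmax=$fwdmax: too many concurrent forwards allowed"; rc=1
    fi
    return $rc
}

# apply_mitigation: run the post's uci commands on a real router; refuses to
# do anything where uci is not installed (e.g. when run on a workstation).
apply_mitigation() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found; run this on the router" >&2; return 2; }
    uci set dhcp.@dnsmasq[0].cachesize='0'
    uci set dhcp.@dnsmasq[0].dnssec='0'
    uci set dhcp.@dnsmasq[0].dnsforwardmax='50'
    uci commit dhcp && /etc/init.d/dnsmasq restart
}

# Offline demo on the constructed samples. On a router you would run:
#   check_mitigation "$(uci show dhcp)" || apply_mitigation
check_mitigation "$SAMPLE_UNMITIGATED" || echo "=> mitigation missing"
check_mitigation "$SAMPLE_MITIGATED" && echo "=> mitigated"
```

The check reads the committed UCI state rather than trusting that the `uci set` lines were typed correctly; a partially applied mitigation (for example caching disabled but dnsforwardmax left at 150) is reported as not mitigated, which is what you want before deciding a 1.12.x router is safe to leave unpatched.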