Dnsmasq and the seven flaws: Patch these nasty remote-control holes

Linux, Android, IoT, you name it, they'll need updates if you use this open-source tool


Google security engineers have spotted not one, not two, but seven serious flaws in Dnsmasq, a fairly widely used DNS forwarder and DHCP server.

This open-source program is present in a lot of home routers and certain Internet of Things gadgets, and included in desktop Linux distributions such as Ubuntu and Debian. According to Shodan, there are right now 1,098,179 devices facing the public internet with Dnsmasq services running.

The worst bugs can be exploited over the network to execute malicious code on a vulnerable system and hijack it.

Version 2.78, released today by developer Simon Kelley, has all the fixes you need, so you should be running that version. You can get this by upgrading your packages on your system as per usual, fetching October's security fixes for Android, badgering your device's firmware maker for updates, and so on. Kubernetes versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 have patches available, too, we're told.

"We discovered seven distinct issues (listed below) over the course of our regular internal security assessments," the Google team said in a blog post on Monday.

"Once we determined the severity of these issues, we worked to investigate their impact and exploitability and then produced internal proofs of concept for each of them. We also worked with the maintainer of Dnsmasq, Simon Kelley, to produce appropriate patches and mitigate the issue."

The seven flaws include three that can be exploited to perform remote code execution, three more that can be used in denial of service attacks, and one information-leaking blunder. The full list of flaws is as follows:

  • CVE-2017-14491 – Remote code execution in the DNS subsystem that can be exploited from the other side of the internet against public-facing systems, and against stuff on the local network. The most recent prior release had a two-byte overflow bug, which could still be leveraged, and all earlier builds had an unbounded overflow.
  • CVE-2017-14492 – The second remote code execution flaw works via a heap-based overflow.
  • CVE-2017-14493 – Google labels this one as trivial to exploit. It's a stack-based buffer overflow vulnerability that enables remote code execution if it's used in conjunction with the flaw below.
  • CVE-2017-14494 – This is an information leak in DHCP which, when used in conjunction with CVE-2017-14493, lets an attacker bypass address space layout randomization (ASLR) and attempt to run code on a target system.
  • CVE-2017-14495 – A more limited flaw, but one that can be exploited to launch a denial-of-service attack by exhausting memory. Dnsmasq is only vulnerable, however, if the command-line switches --add-mac, --add-cpe-id or --add-subnet are used.
  • CVE-2017-14496 – Here the DNS code performs invalid boundary checks, allowing the process to be crashed via an integer underflow that leads to an oversized memcpy() call. Android systems are affected if the attacker is local or tethered directly to the device.
  • CVE-2017-13704 – A large DNS query can crash the software.
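As an added example (not from the article or the Dnsmasq project), here is a small POSIX shell script a defender can use to check a host: it compares the reported Dnsmasq version against the fixed release 2.78 and flags the add-mac, add-cpe-id and add-subnet options that expose the memory-exhaustion bug, CVE-2017-14495. The version-line format ("Dnsmasq version 2.76  Copyright ...") is assumed to be the first line of `dnsmasq --version`, and the sample inputs at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not the project's code. Checks a dnsmasq version string and
# config/command line for the issues fixed in 2.78.

FIXED_VERSION="2.78"   # release that carries all seven fixes

# version_lt A B -> exit 0 if dotted version A is older than B.
# Non-numeric suffixes ("78rc1", "76-5ubuntu1") are truncated by awk's numeric
# conversion; missing components count as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = x[i] + 0; yi = y[i] + 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# dnsmasq_version_of LINE -> prints the first "major.minor..." token in LINE,
# e.g. "2.76" from the assumed `dnsmasq --version` banner.
dnsmasq_version_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+/) { print $i; exit }
    }'
}

# risky_options TEXT -> prints each CVE-2017-14495 option found in TEXT, which
# may be a dnsmasq.conf body (add-mac, add-subnet=...) or a command line
# (--add-mac ...). Comment lines are ignored. Exit 0 if any option is present.
risky_options() {
    found=1
    text=$(printf '%s\n' "$1" | sed 's/^[[:space:]]*#.*//')
    for opt in add-mac add-cpe-id add-subnet; do
        if printf '%s\n' "$text" | grep -qE "(^|[[:space:]]|--)$opt(\$|[[:space:]]|=)"; then
            echo "$opt"
            found=0
        fi
    done
    return $found
}

# assess VERSION_LINE CONFIG_TEXT -> prints findings; exit 0 if action is needed,
# 1 if the version already carries the fixes, 2 if the version cannot be parsed.
assess() {
    status=1
    ver=$(dnsmasq_version_of "$1")
    if [ -z "$ver" ]; then
        echo "could not parse a dnsmasq version from: $1"
        return 2
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "dnsmasq $ver is older than $FIXED_VERSION: update (CVE-2017-14491..14496, CVE-2017-13704)"
        status=0
        if opts=$(risky_options "$2"); then
            echo "memory-exhaustion DoS (CVE-2017-14495) reachable via: $(echo $opts)"
        fi
    else
        echo "dnsmasq $ver includes the 2.78 fixes"
    fi
    return $status
}

# Constructed sample input (not captured from a real host).
SAMPLE_VERSION_LINE='Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley'
SAMPLE_CONF='# constructed dnsmasq.conf
cache-size=1000
add-subnet=24,64
#add-mac'

assess "$SAMPLE_VERSION_LINE" "$SAMPLE_CONF" || true
```

On a live system the two arguments would be `"$(dnsmasq --version | head -n 1)"` and `"$(cat /etc/dnsmasq.conf)"` (or the running process's command line); the sample above reports 2.76 as needing the update and names add-subnet as the only risky option in effect, since the add-mac line is commented out.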

Patches are available here. ®
