Security Alert (A17-10-02): Multiple Vulnerabilities in Dnsmasq


 

Published on: 04 October 2017

  
  

Description:

Multiple vulnerabilities are found in the Dnsmasq software package. These vulnerabilities can lead to memory corruption and arbitrary code execution. A remote attacker could exploit the vulnerabilities by sending a specially-crafted DHCP or DNS packet to an affected device.

Reports indicate that the proof-of-concept exploit code is available on the Internet.

 

Affected Systems:

The following is only a sample list of Linux systems that are affected. The list is not exhaustive and it is strongly recommended to consult the product vendors if the used Linux systems are affected.

  • Linux operating systems (on 32-bit and 64-bit) with Dnsmasq version prior to 2.78 installed
  • OpenBSD, NetBSD, and FreeBSD operating systems (on 32-bit and 64-bit)
  • All version of Android OS

 

Impact:

A successful attack could lead to remote code execution, denial of services and information disclosure.

 

Recommendation:

The vulnerabilities were mitigated in some of the affected systems, such as CentOS, Debian, Oracle Linux, RedHat, SUSE and Ubuntu. System administrators should check with their product vendors to confirm if their Linux/Unix systems are affected and the availability of patches, and if so, apply the patches or follow the recommendations provided by the product vendors to mitigate the risk.

  • CentOS 6
    https://lists.centos.org/pipermail/centos-announce/2017-October/022554.html

  • CentOS 7
    https://lists.centos.org/pipermail/centos-announce/2017-October/022555.html

  • Debian
    https://www.debian.org/security/2017/dsa-3989

  • Oracle Linux
    https://linux.oracle.com/errata/ELSA-2017-2836.html
    https://linux.oracle.com/errata/ELSA-2017-2838.html
    https://linux.oracle.com/errata/ELSA-2017-2840.html

  • RedHat
    https://access.redhat.com/security/vulnerabilities/3199382

  • SUSE
    https://www.suse.com/support/update/announcement/2017/suse-su-20172616-1/
    https://www.suse.com/support/update/announcement/2017/suse-su-20172617-1/
    https://www.suse.com/support/update/announcement/2017/suse-su-20172618-1/
    https://www.suse.com/support/update/announcement/2017/suse-su-20172619-1/
    https://www.suse.com/security/cve/CVE-2017-13704/

  • Ubuntu
    https://usn.ubuntu.com/usn/usn-3430-1/

For Android device, Google has provided patches to device manufacturers for their further testing and distribution to their customers' devices. Users shall ascertain that the Android devices are updated with the patches once available. Users should contact the device manufacturers for the patch availability and details.

 

More Information:

http://www.thekelleys.org.uk/dnsmasq/doc.html
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
https://source.android.com/security/bulletin/2017-10-01
https://www.hkcert.org/my_url/en/alert/17100302
https://www.us-cert.gov/ncas/current-activity/2017/10/03/Dnsmasq-Contains-Multiple-Vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14496
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13704

 



Tag: Linux , Dnsmasq , OpenBSD , NetBSD , FreeBSD , Android
Tags