Vulnerability Note VU#973527
Dnsmasq contains multiple vulnerabilities
Original Release date: 02 Oct 2017 | Last revised: 18 Oct 2017

Overview
Dnsmasq versions 2.77 and earlier contains multiple vulnerabilities.

Description
Multiple vulnerabilities have been reported in dnsmasq.
CWE-122: Heap-based Buffer Overflow – CVE-2017-14491

CWE-122: Heap-based Buffer Overflow – CVE-2017-14492

CWE-121: Stack-based Buffer Overflow – CVE-2017-14493

CWE-200: Information Exposure – CVE-2017-14494

CWE-400: Uncontrolled Resource Consumption(‘Resource Exhaustion’) – CVE-2017-14495

CWE-191: Integer Underflow – CVE-2017-14496

Please see the Google Security blog post for additional information.

Impact
Dnsmasq is a widely used piece of open-source software.

These vulnerabilities can be triggered remotely via DNS and DHCP protocols and can lead to remote code execution, information exposure, and denial of service.
In some cases an attacker would need to induce one or more DNS requests.

Solution
Apply an Update
dnsmasq version 2.78 has been released to address these vulnerabilities.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdateddnsmasqAffected25 Sep 201702 Oct 2017
TechnicolorAffected-18 Oct 2017
3com IncUnknown25 Sep 201725 Sep 2017
ACCESSUnknown25 Sep 201725 Sep 2017
ActiontecUnknown25 Sep 201725 Sep 2017
AerohiveUnknown25 Sep 201725 Sep 2017
Alcatel-LucentUnknown25 Sep 201725 Sep 2017
AmazonUnknown25 Sep 201725 Sep 2017
Android Open Source ProjectUnknown25 Sep 201725 Sep 2017
AppleUnknown25 Sep 201725 Sep 2017
Arch LinuxUnknown25 Sep 201725 Sep 2017
Arista Networks, Inc.Unknown25 Sep 201725 Sep 2017
Aruba NetworksUnknown25 Sep 201725 Sep 2017
AsusTek Computer Inc.Unknown25 Sep 201725 Sep 2017
ATTUnknown25 Sep 201725 Sep 2017If you are a vendor and your product is affected, let
us know.View More &raquo

CVSS Metrics (Learn More)

Group
Score
Vector

Base
10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal
8.7
E:H/RL:OF/RC:C

Environmental
8.7
CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

http://www.thekelleys.org.uk/dnsmasq/doc.html
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

Credit

Thanks to Felix Wilhelm, Fermin J.
Serna, Gabriel Campana, Kevin Hamacher and Ron Bowes of the Google Security Team for reporting this vulnerability.
This document was written by Trent Novelly.

Other Information

CVE IDs:
CVE-2017-14491
CVE-2017-14492
CVE-2017-14493
CVE-2017-14494
CVE-2017-14495
CVE-2017-14496

Date Public:
02 Oct 2017

Date First Published:
02 Oct 2017

Date Last Updated:
18 Oct 2017

Document Revision:
21

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply