Vulnerability Note VU#973527
Dnsmasq contains multiple vulnerabilities
Original Release date: 02 Oct 2017 | Last revised: 02 Feb 2018
Dnsmasq versions 2.77 and earlier contain multiple vulnerabilities.
Multiple vulnerabilities have been reported in dnsmasq.
CWE-122: Heap-based Buffer Overflow – CVE-2017-14491
CWE-122: Heap-based Buffer Overflow – CVE-2017-14492
CWE-121: Stack-based Buffer Overflow – CVE-2017-14493
CWE-200: Information Exposure – CVE-2017-14494
CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’) – CVE-2017-14495
CWE-191: Integer Underflow – CVE-2017-14496
Please see the Google Security blog post for additional information.
Dnsmasq is a widely used piece of open-source software.
These vulnerabilities can be triggered remotely via DNS and DHCP protocols and can lead to remote code execution, information exposure, and denial of service.
In some cases an attacker would need to induce one or more DNS requests.
Apply an Update
dnsmasq version 2.78 has been released to address these vulnerabilities.
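A version triage check for the update guidance above, as an added example that is not part of the original note or of the dnsmasq project. The function name classify_dnsmasq and its three result labels are assumptions, and the banners used to exercise it are constructed.

```shell
# Classify the first line of `dnsmasq --version` against this note:
# 2.77 and earlier are affected, 2.78 addresses the vulnerabilities.
# Caveat: distribution packages can carry backported fixes under an older
# upstream version number, so confirm an "affected" result against the
# vendor's own advisory before acting on it.

classify_dnsmasq() {  # hypothetical helper name
    banner=$1
    # Token that follows "version ", e.g. "2.77" or "2.78rc1"
    tok=$(printf '%s\n' "$banner" |
          sed -n 's/^[Dd]nsmasq version \([^ ]*\).*/\1/p')
    case "$tok" in
        *.*) ;;
        *) echo unknown; return 0 ;;      # no parsable version
    esac
    major=${tok%%.*}
    rest=${tok#*.}
    minor=$(printf '%s' "$rest" | sed 's/^\([0-9]*\).*/\1/')
    suffix=${rest#"$minor"}
    case "$major$minor" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo unknown; return 0
    fi
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 78 ]; }; then
        echo affected
    elif [ "$major" -eq 2 ] && [ "$minor" -eq 78 ]; then
        case "$suffix" in
            # The note names the 2.78 release only, so a 2.78
            # pre-release build is not assumed to contain the fixes.
            rc*|test*) echo unknown ;;
            *) echo fixed ;;
        esac
    else
        echo fixed
    fi
}

# Usage on a host with dnsmasq installed:
#   classify_dnsmasq "$(dnsmasq --version | head -n 1)"
```

Embedded devices often ship dnsmasq without shell access, so for those the vendor table in this note and the vendor's firmware advisories remain the source of truth.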
Vendor Information

Vendor                           Status         Date Notified   Date Updated
dnsmasq                          Affected       25 Sep 2017     02 Oct 2017
Ruckus Wireless                  Affected       25 Sep 2017     02 Feb 2018
Technicolor                      Affected       -               18 Oct 2017
ZyXEL                            Affected       25 Sep 2017     02 Feb 2018
Brocade Communication Systems    Not Affected   25 Sep 2017     02 Feb 2018
3com Inc                         Unknown        25 Sep 2017     25 Sep 2017
ACCESS                           Unknown        25 Sep 2017     25 Sep 2017
Actiontec                        Unknown        25 Sep 2017     25 Sep 2017
Aerohive                         Unknown        25 Sep 2017     25 Sep 2017
Alcatel-Lucent                   Unknown        25 Sep 2017     25 Sep 2017
Amazon                           Unknown        25 Sep 2017     25 Sep 2017
Android Open Source Project      Unknown        25 Sep 2017     25 Sep 2017
Apple                            Unknown        25 Sep 2017     25 Sep 2017
Arch Linux                       Unknown        25 Sep 2017     25 Sep 2017
Arista Networks, Inc.            Unknown        25 Sep 2017     25 Sep 2017

If you are a vendor and your product is affected, let us know.
Thanks to Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher and Ron Bowes of the Google Security Team for reporting this vulnerability.
This document was written by Trent Novelly.
02 Oct 2017
Date First Published: 02 Oct 2017
Date Last Updated: 02 Feb 2018
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.