
[Vulnerability notice] Multiple high-risk vulnerabilities in dnsmasq

Last Updated: Mar 12, 2018

Dnsmasq is a small, easy-to-use tool that provides DNS service and, optionally, DHCP service. It is widely used in small and medium business environments and on cloud platforms. Many components, including libvirt, can use dnsmasq as a supporting tool.

On October 2, 2017, the Google security team disclosed multiple dnsmasq vulnerabilities. Of these, CVE-2017-14491, CVE-2017-14492, and CVE-2017-14493 are rated critical, and CVE-2017-14494, CVE-2017-14495, CVE-2017-14496, and CVE-2017-13704 are rated important.

Alibaba Cloud Security recommends that you check and update dnsmasq as soon as possible to prevent security incidents.

See the following for more information about the vulnerabilities.


CVE identifier

  • CVE-2017-14491
  • CVE-2017-14492
  • CVE-2017-14493
  • CVE-2017-14494
  • CVE-2017-14495
  • CVE-2017-14496
  • CVE-2017-13704

Vulnerability name

Multiple critical and important vulnerabilities in dnsmasq

Vulnerability rating

Critical/Important

Vulnerability description

An affected dnsmasq service is exposed to remote execution of arbitrary code and to DoS attacks, which can lead to host intrusion or service unavailability.

Affected scope

Some of these vulnerabilities affect DHCP functionality while others affect DNS, with impacts ranging from a crash or unbounded resource consumption up to potential code execution. All of them can be triggered by malicious users on the network.

| CVE | Severity | Introduced | Exposure | Nature of Flaw |
|---|---|---|---|---|
| CVE-2017-14491 | Critical | All versions | DNS | Heap buffer overflow |
| CVE-2017-14492 | Critical | 2.60 – 2.66 | IPv6 RA | Heap buffer overflow |
| CVE-2017-14493 | Critical | 2.60 – 2.66 | DHCPv6 | Stack buffer overflow |
| CVE-2017-14494 | Important | 2.60 – 2.66 | DHCPv6 | Information leak |
| CVE-2017-14495 | Important | 2.76 | EDNS0 | Memory exhaustion |
| CVE-2017-14496 | Important | 2.76 | EDNS0 | Segmentation fault |
| CVE-2017-13704 | Important | 2.77 | DNS | Segmentation fault |

Some of these vulnerabilities require particular options to be enabled to render dnsmasq vulnerable. These options can appear on the command line or in a configuration file:

| CVE | Configuration options that render dnsmasq vulnerable |
|---|---|
| CVE-2017-14492 | enable-ra, slaac, ra-only, ra-names, ra-advrouter, ra-stateless |
| CVE-2017-14495 | add-mac, add-cpe-id, add-subnet |
| CVE-2017-14496 | add-mac, add-cpe-id, add-subnet |

Vulnerability detection

Development or O&M personnel should check whether the dnsmasq software in use is affected by these vulnerabilities.
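One way to check a configuration against the options table above, as an added example that is not part of the original notice: the script scans dnsmasq configuration text or a command line for the listed options and reports which option-dependent CVEs they expose. The names `tokens`, `exposed_cves` and `SAMPLE_CONF` are hypothetical, the sample configuration is constructed, and the script assumes the RA modes (slaac, ra-only, and so on) appear as comma-separated fields of dhcp-range, as in the dnsmasq man page.

```python
import re

# Option-to-CVE mapping copied from the notice's configuration table.
RISKY_OPTIONS = {
    "CVE-2017-14492": {"enable-ra", "slaac", "ra-only", "ra-names",
                       "ra-advrouter", "ra-stateless"},
    "CVE-2017-14495": {"add-mac", "add-cpe-id", "add-subnet"},
    "CVE-2017-14496": {"add-mac", "add-cpe-id", "add-subnet"},
}

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
# constructed sample
interface=eth0
dhcp-range=::,constructor:eth0,ra-stateless,64,12h
#enable-ra
server=192.0.2.53#5353
add-subnet=24,96   # forward client subnet upstream
"""


def tokens(line):
    """Split a config line or command line into bare option and mode tokens."""
    # Treat '#' as a comment only at line start or after whitespace, so a
    # value such as server=192.0.2.53#5353 (address#port) is left intact.
    line = re.sub(r"(^|\s)#.*", "", line)
    # Split on '=', ',' and whitespace so dhcp-range fields are seen one by
    # one; strip the leading dashes used on the command line.
    return [t.lstrip("-") for t in re.split(r"[=,\s]+", line) if t]


def exposed_cves(text):
    """Return {cve: [(line_no, option), ...]} for every listed option found."""
    hits = {}
    for line_no, line in enumerate(text.splitlines(), 1):
        for tok in tokens(line):
            for cve, options in RISKY_OPTIONS.items():
                if tok in options:
                    hits.setdefault(cve, []).append((line_no, tok))
    return hits


if __name__ == "__main__":
    for cve, found in sorted(exposed_cves(SAMPLE_CONF).items()):
        for line_no, option in found:
            print(f"{cve}: option '{option}' on line {line_no}")
```

An empty result only rules out the three option-dependent CVEs; the other CVEs in the first table are not tied to these options, so the installed package version still has to be checked. Files pulled in through include directives are not followed and must be scanned separately.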

How to fix or mitigate

  • Use yum or apt-get to install the security updates released by your Linux distribution vendor.

    Note: Back up system data before the upgrade.

    Ubuntu 14.04/16.04 LTS series users

    • Ubuntu 14.04 LTS series: Upgrade dnsmasq to 2.68-1ubuntu0.2.
    • Ubuntu 16.04 LTS series: Upgrade dnsmasq to 2.75-1ubuntu0.16.04.3.

    Procedure:

    1. Run the sudo apt-get update && sudo apt-get install dnsmasq command to update dnsmasq.
    2. Restart the dnsmasq service for the update to take effect.

    CentOS 6/7 series users

    • CentOS 7 series: Upgrade dnsmasq to 2.76-2.el7_4.2.
    • CentOS 6 series: Upgrade dnsmasq to 2.48-18.el6_9.

    Procedure:

    1. Run the yum clean all && yum makecache command to update the software source.
    2. Run the yum -y update dnsmasq command to update dnsmasq.
    3. Restart the dnsmasq service for the update to take effect.
  • Download the latest software version from the dnsmasq official website and install the software.

