Dnsmasq provides functionality for serving DNS, DHCP, router advertisements and network boot. This software is commonly installed in systems as varied as desktop Linux distributions (like Ubuntu), home routers, and IoT devices. Dnsmasq is widely used both on the open internet and internally in private networks. A scan for "Dnsmasq" using the Internet search engine Shodan reveals over 1.1 million instances worldwide.
Google Security researchers discovered seven distinct issues (listed below) over the course of their regular internal security assessments. Once they had determined the severity of these issues, they investigated their impact and exploitability and produced internal proofs of concept for each of them. They also worked with the maintainer of Dnsmasq, Simon Kelley, to produce appropriate patches and mitigate the issues.
The team reports that the patches have been upstreamed and are now committed to the project's git repository. In addition to these patches, they have submitted another patch that runs Dnsmasq under seccomp-bpf for additional sandboxing. This patch has been submitted to the Dnsmasq project for review, and they have also made it available here for those who wish to integrate it into an existing install (after testing, of course!). They believe adoption of this patch will increase the security of Dnsmasq installations.
Users who have deployed the latest version of Dnsmasq (2.78) will be protected from the attacks discovered. Android partners have received this patch as well and it will be included in Android’s monthly security update for October. Kubernetes versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 have been released with a patched DNS pod. Other affected Google services have been updated.
During their review, the team found three potential remote code executions, one information leak, and three denial of service vulnerabilities affecting the latest version at the project git server as of September 5th 2017. The full list of flaws is as follows:
| CVE | Type | Vector | Description | Artifacts |
|---|---|---|---|---|
| CVE-2017-14491 | RCE | DNS | Heap-based overflow (2 bytes). Before 2.76 and this commit the overflow was unrestricted. | PoC, instructions and ASAN report |
| CVE-2017-14492 | RCE | DHCP | Heap-based overflow. | PoC, instructions and ASAN report |
| CVE-2017-14493 | RCE | DHCP | Stack-based overflow. | PoC, instructions and ASAN report |
| CVE-2017-14494 | Information leak | DHCP | Can help bypass ASLR. | PoC, and |
| CVE-2017-14495 | OOM/DoS | DNS | Lack of free() here. | PoC and instructions |
| CVE-2017-14496 | DoS | DNS | Invalid boundary checks here. Integer underflow leading to a huge memcpy. | PoC, instructions and ASAN report |
| CVE-2017-13704 | DoS | DNS | Bug collision with CVE-2017-13704 | |
These seven flaws include three that can be exploited to perform remote code execution, three more that can be used in denial-of-service attacks, and one information-leaking blunder. The Google Security Team has released proof-of-concept (PoC) code for each of the vulnerabilities, as listed below.
- CVE-2017-14491 – A DNS-based vulnerability that affects both directly exposed and internal network setups. Although the latest git version only allows a 2-byte overflow, this could be exploited based on previous research. Before version 2.76 and this commit the overflow is unrestricted. The ASAN report from the PoC:
```
==1159==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62200001dd0b at pc 0x0000005105e7 bp 0x7fff6165b9b0 sp 0x7fff6165b9a8
WRITE of size 1 at 0x62200001dd0b thread T0
    #0 0x5105e6 in add_resource_record
    #1 0x5127c8 in answer_request /test/dnsmasq/src/rfc1035.c:1428:11
    #2 0x534578 in receive_query /test/dnsmasq/src/forward.c:1439:11
    #3 0x548486 in check_dns_listeners
    #4 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7
    #5 0x7fdf4b3972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
```
- CVE-2017-14492 – The second remote code execution flaw works via a heap-based overflow.
- CVE-2017-14493 – A trivial-to-exploit, DHCP-based, stack-based buffer overflow vulnerability. In combination with CVE-2017-14494 acting as an info leak, an attacker could bypass ASLR and gain remote code execution. The crash recorded by the PoC:

```
dnsmasq: segfault at 1337deadbeef ip 00001337deadbeef sp 00007fff1b66fd10 error 14 in libnss_files-2.24.so[7f7cfbacb000+a000]
```

- CVE-2017-14494 – An information leak in DHCP which, when used in conjunction with CVE-2017-14493, lets an attacker bypass the ASLR security mechanism and attempt to run code on a target system.
- CVE-2017-14495 – A limited flaw, but one that can be exploited to launch a denial-of-service attack by exhausting memory. Dnsmasq is only vulnerable, however, if the command-line switches `--add-mac`, `--add-cpe-id` or `--add-subnet` are used.
- CVE-2017-14496 – Here the DNS code performs invalid boundary checks, allowing a system to be crashed via an integer underflow that leads to a huge memcpy() call. Android systems are affected if the attacker is local or tethered directly to the device.
- CVE-2017-13704 – A large DNS query can crash the software.
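The table above characterises CVE-2017-14496 as an integer underflow in a boundary check that ends in a huge memcpy(). The following is an added, constructed illustration of that bug class and the defensive check that prevents it; it is not dnsmasq's code and does not reproduce the dnsmasq parser. The packet layout, the `PKT_MAX` limit and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed example (not dnsmasq's code): an unsigned "bytes remaining"
 * computation driven by an attacker-controlled offset. If the offset is
 * validated only against a lower bound, the subtraction wraps and the
 * resulting length is close to SIZE_MAX, which a later memcpy() trusts. */

#define PKT_MAX 512   /* assumed maximum packet size for this example */

/* Vulnerable pattern: no check that offset <= total, so total - offset
 * underflows to a huge value whenever offset > total. */
size_t remaining_unchecked(size_t total, size_t offset)
{
    return total - offset;
}

/* Hardened form: reject an out-of-range offset before computing the
 * remaining length, so the subtraction can never wrap. Returns 0 on
 * success and -1 if the offset is invalid. */
int remaining_checked(size_t total, size_t offset, size_t *out)
{
    if (total > PKT_MAX || offset > total)
        return -1;
    *out = total - offset;
    return 0;
}

/* Copy the tail of a packet (starting at 'offset') into 'dst'. Every
 * length used by memcpy() is derived from the checked computation and
 * additionally bounded by the destination capacity. Returns the number
 * of bytes copied, or -1 if the request is rejected. */
long copy_tail(const uint8_t *pkt, size_t total, size_t offset,
               uint8_t *dst, size_t dst_cap)
{
    size_t n;
    if (remaining_checked(total, offset, &n) != 0)
        return -1;
    if (n > dst_cap)
        return -1;
    memcpy(dst, pkt + offset, n);
    return (long)n;
}

/* Constructed 16-byte packet used by the demos below. */
static const uint8_t sample_pkt[16] = {
    0xde, 0xad, 0xbe, 0xef, 0x00, 0x01, 0x02, 0x03,
    0x04, 0x05, 0x06, 0x07, 0xaa, 0xbb, 0xcc, 0xdd
};

/* In-range offset: the last four bytes are copied. */
long demo_copy_ok(void)
{
    uint8_t dst[PKT_MAX];
    return copy_tail(sample_pkt, sizeof sample_pkt, 12, dst, sizeof dst);
}

/* Out-of-range offset: the hardened path refuses instead of wrapping. */
long demo_copy_rejected(void)
{
    uint8_t dst[PKT_MAX];
    return copy_tail(sample_pkt, sizeof sample_pkt, 20, dst, sizeof dst);
}

int main(void)
{
    printf("unchecked remaining(16, 20) = %zu (wrapped)\n",
           remaining_unchecked(16, 20));
    printf("checked copy, offset 12: %ld bytes\n", demo_copy_ok());
    printf("checked copy, offset 20: %ld (rejected)\n", demo_copy_rejected());
    return 0;
}
```

The unchecked variant is what a sanitizer build surfaces as a heap or stack overflow with an implausibly large size in the report; the checked variant turns the same input into an ordinary parse error. When auditing a parser for this class, look for every subtraction that feeds a copy length and confirm both operands are bounded before the subtraction, not after.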