Google researchers have publicly disclosed a set of serious bugs in a DNS software package which underpins many of today’s PCs and devices.
On Monday, the Google security team said the software package, Dnsmasq, contains seven security flaws including some which can lead to remote code execution and information leaks.
Dnsmasq is a lightweight package that provides DNS, DHCP, router advertisement and network boot services. Because of its small footprint it is commonly found on home routers, in consumer Linux distributions and in Internet of Things (IoT) devices, and it is also used for smartphone tethering and portable network hotspots.
Over one million instances of Dnsmasq in use can be found through the search engine Shodan.
According to Google’s investigation into the software, out of seven issues, three — CVE-2017-14491, CVE-2017-14492 and CVE-2017-14493 — are remote code execution flaws caused by heap buffer overflow and stack buffer overflow errors through DHCP and DNS vectors.
Another issue, CVE-2017-14494, can be exploited to bypass address space layout randomization (ASLR), a memory protection mechanism, leading to information leaks.
In addition, three more bugs, CVE-2017-14495, CVE-2017-14496 and CVE-2017-13704, can lead to denial-of-service (DoS) conditions caused by invalid boundary checks, a bug collision, and a coding issue.
Proof-of-concept (PoC) code has been released for these vulnerabilities.
Google worked with the software’s maintainer, Simon Kelley, to create patches to mitigate or remove the bugs altogether. The fixes are now upstreamed and available through the Dnsmasq GitHub project page, while another patch has also been submitted which will allow Dnsmasq to run under seccomp-bpf to allow for additional sandboxing.
“We are writing this to disclose the issues we found and to publicize the patches in an effort to increase their uptake,” the team says.
Those using the latest version of Dnsmasq, version 2.78, are not affected by these vulnerabilities. The patch is also being included in the October security update for Android.
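A quick way to act on the version guidance above is to check what the locally installed `dnsmasq` binary reports and compare it against 2.78, the first upstream release carrying all seven fixes. The script below is an added example written for this article, not code from Google or the Dnsmasq project; the sample banners it parses are constructed for the demonstration. One caveat a practitioner should keep in mind: distributions sometimes backport security fixes into older version numbers, so for a distro package the package changelog, not the upstream version string, is the authority.

```python
import re
import shutil
import subprocess

# First upstream release that contains all seven fixes, per the article.
FIXED_VERSION = (2, 78)

# `dnsmasq --version` prints a banner such as
# "Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley".
# The optional suffix group catches pre-release builds like "2.78test3".
VERSION_RE = re.compile(r"Dnsmasq version (\d+)\.(\d+)([a-z]+\d*)?")

# Constructed sample banners (not captured from a real host).
SAMPLE_VULNERABLE = "Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley"
SAMPLE_PRERELEASE = "Dnsmasq version 2.78test3  Copyright (c) 2000-2017 Simon Kelley"
SAMPLE_FIXED = "Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley"


def parse_version(banner):
    """Return (major, minor, is_release) from a dnsmasq version banner.

    is_release is False for pre-release builds ("test", "rc" suffixes),
    which are treated conservatively as older than the numbered release.
    Returns None if the text does not look like dnsmasq's banner.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, suffix = int(m.group(1)), int(m.group(2)), m.group(3)
    return (major, minor, suffix is None)


def needs_upgrade(banner):
    """True when the reported upstream version predates the 2.78 release.

    Raises ValueError for unrecognised input rather than silently
    reporting a host as safe.
    """
    parsed = parse_version(banner)
    if parsed is None:
        raise ValueError("unrecognised dnsmasq version banner")
    major, minor, is_release = parsed
    if (major, minor) < FIXED_VERSION:
        return True
    # A pre-release of exactly 2.78 may or may not carry the fixes;
    # treat it as needing an upgrade to the numbered release.
    return (major, minor) == FIXED_VERSION and not is_release


def check_local_dnsmasq():
    """Run the installed dnsmasq binary and report whether it needs upgrading.

    Returns None when no dnsmasq binary is on PATH. For distribution
    packages with backported fixes, consult the package changelog instead.
    """
    path = shutil.which("dnsmasq")
    if path is None:
        return None
    proc = subprocess.run([path, "--version"], capture_output=True, text=True)
    return needs_upgrade(proc.stdout)


if __name__ == "__main__":
    for banner in (SAMPLE_VULNERABLE, SAMPLE_PRERELEASE, SAMPLE_FIXED):
        print(f"{banner.split('  ')[0]!r}: needs upgrade = {needs_upgrade(banner)}")
    local = check_local_dnsmasq()
    print("local dnsmasq:", "not installed" if local is None else f"needs upgrade = {local}")
```

`needs_upgrade` is the reusable piece; it can be fed the output of `dnsmasq --version` collected from routers or IoT devices over whatever management channel is already in place, without running anything on this host.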