Google exposes seven severe flaws in Dnsmasq

Google researchers have publicly disclosed a set of serious bugs in a DNS software package which underpins many of today’s PCs and devices.

On Monday, the Google security team said the software package, Dnsmasq, contains seven security flaws including some which can lead to remote code execution and information leaks.

Dnsmasq is a lightweight network infrastructure builder for DNS, DHCP, router advertisement and network boot. As the software has a small footprint, it can often be found on home routers, backing up consumer Linux distributions, and within Internet of Things (IoT) devices, as well as for smartphone tethering and portable network hotspots.

Over one million instances of Dnsmaq being used can be found through the search engine Shodan.

According to Google’s investigation into the software, out of seven issues, three — CVE-2017-14491, CVE-2017-14492 and CVE-2017-14493 — are remote code execution flaws caused by heap buffer overflow and stack buffer overflow errors through DHCP and DNS vectors.

Another issue, CVE-2017-14494, can be exploited to bypass the Address space layout randomization (ASLR) memory protection function, leading to information leaks.

In addition, three more bugs, CVE-2017-14495, CVE-2017-14496, and CVE-2017-13704 can lead to denial-of-service (DoS) attacks caused by invalid boundary checks, bug collision, and a coding issue.

Proof-of-concept (PoC) code has been released for these vulnerabilities.

Google worked with the software’s maintainer, Simon Kelley, to create patches to mitigate or remove the bugs altogether. The fixes are now upstreamed and available through the Dnsmasq GitHub project page, while another patch has also been submitted which will allow Dnsmasq to run under seccomp-bpf to allow for additional sandboxing.

“We are writing this to disclose the issues we found and to publicize the patches in an effort to increase their uptake,” the team says.

Those using the latest version of Dnsmasq, version 2.78, are not affected by these vulnerabilities. The patch is also being included in the October security update for Android.

ABOUT THE AUTHOR

Leave a Reply

Your email address will not be published. Required fields are marked *

itechnewsonline.com offers clients the ability to target marketing campaigns that are web-only. These ad opportunities will give your products and services high exposure of our web users. For more information on how we can assist you in developing a program that will help you meet your marketing needs and objectives

ITECHNEWS ONLINE
P .O. Box KN 4057
Kaneshie, Accra
Ghana / West Africa
Call: 0302219093
Email: info@itechnewsonline.com

Newsletter

Saratoga Springs
18°
clear sky
humidity: 94%
wind: 6mph WNW
H 18 • L 18
18°
Wed
30°
Thu
24°
Fri
31°
Sat
32°
Sun
Weather from OpenWeatherMap