Vulnerability Note VU#973527

Dnsmasq contains multiple vulnerabilities

Original Release date: 02 Oct 2017 | Last revised: 18 Oct 2017

Overview

Dnsmasq versions 2.77 and earlier contain multiple vulnerabilities.

Description

Multiple vulnerabilities have been reported in dnsmasq.

CWE-122: Heap-based Buffer Overflow - CVE-2017-14491

CWE-122: Heap-based Buffer Overflow - CVE-2017-14492

CWE-121: Stack-based Buffer Overflow - CVE-2017-14493

CWE-200: Information Exposure - CVE-2017-14494

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2017-14495

CWE-191: Integer Underflow - CVE-2017-14496

Please see the Google Security blog post for additional information.

Impact

Dnsmasq is a widely used piece of open-source software. These vulnerabilities can be triggered remotely via DNS and DHCP protocols and can lead to remote code execution, information exposure, and denial of service. In some cases an attacker would need to induce one or more DNS requests.

Solution

Apply an Update
dnsmasq version 2.78 has been released to address these vulnerabilities.
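
The affected range (2.77 and earlier) and the fixed release (2.78) can be turned into an inventory check. The script below is an added example, not CERT/CC or dnsmasq project code; the function names and the sample version strings in its comments are constructed, and it compares upstream version numbers only.

```shell
#!/bin/sh
# Added example: classify a dnsmasq version string against this note.
# 2.77 and earlier are affected; 2.78 is the release with the fixes.
FIXED_MAJOR=2
FIXED_MINOR=78

# Print "MAJOR.MINOR" taken from a banner line or package version string.
# Drops a leading package epoch ("1:") and any text before the number.
extract_version() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^[0-9]*://' \
        -e 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1.\2/p' | head -n 1
}

# Print "affected", "fixed" or "unknown" for the given string.
classify_dnsmasq() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    major=${ver%%.*}
    minor=${ver#*.}
    # A pre-release build of the fixed version may predate some fixes, so
    # it needs manual review (assumes "2.78testN" / "2.78rcN" naming).
    case "$1" in
        *"$ver"test*|*"$ver"rc*)
            if [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -eq "$FIXED_MINOR" ]; then
                echo unknown; return 0
            fi ;;
    esac
    # Numeric comparison, so that 2.9 sorts below 2.78.
    if [ "$major" -lt "$FIXED_MAJOR" ]; then echo affected
    elif [ "$major" -gt "$FIXED_MAJOR" ]; then echo fixed
    elif [ "$minor" -lt "$FIXED_MINOR" ]; then echo affected
    else echo fixed
    fi
}

# Usage: sh check.sh --local         (query the installed binary)
#        sh check.sh "2.76-5.el7"    (constructed inventory string)
case "${1:-}" in
    "") ;;
    --local)
        banner=$(dnsmasq --version 2>/dev/null | head -n 1)
        echo "local: $(classify_dnsmasq "$banner")" ;;
    *)  for s in "$@"; do echo "$s: $(classify_dnsmasq "$s")"; done ;;
esac
```

A distribution package can carry backported fixes under an older upstream version number, so confirm an "affected" result against the vendor's own advisory.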

Vendor Information

Vendor                        Status    Date Notified  Date Updated
dnsmasq                       Affected  25 Sep 2017    02 Oct 2017
Technicolor                   Affected  -              18 Oct 2017
3com Inc                      Unknown   25 Sep 2017    25 Sep 2017
ACCESS                        Unknown   25 Sep 2017    25 Sep 2017
Actiontec                     Unknown   25 Sep 2017    25 Sep 2017
Aerohive                      Unknown   25 Sep 2017    25 Sep 2017
Alcatel-Lucent                Unknown   25 Sep 2017    25 Sep 2017
Amazon                        Unknown   25 Sep 2017    25 Sep 2017
Android Open Source Project   Unknown   25 Sep 2017    25 Sep 2017
Apple                         Unknown   25 Sep 2017    25 Sep 2017
Arch Linux                    Unknown   25 Sep 2017    25 Sep 2017
Arista Networks, Inc.         Unknown   25 Sep 2017    25 Sep 2017
Aruba Networks                Unknown   25 Sep 2017    25 Sep 2017
AsusTek Computer Inc.         Unknown   25 Sep 2017    25 Sep 2017
AT&T                          Unknown   25 Sep 2017    25 Sep 2017
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       8.7    E:H/RL:OF/RC:C
Environmental  8.7    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

Credit

Thanks to Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher and Ron Bowes of the Google Security Team for reporting this vulnerability.

This document was written by Trent Novelly.
