Vulnerability Note VU#973527
Dnsmasq contains multiple vulnerabilities
Dnsmasq versions 2.77 and earlier contain multiple vulnerabilities.
Multiple vulnerabilities have been reported in dnsmasq.
CWE-122: Heap-based Buffer Overflow - CVE-2017-14491
CWE-122: Heap-based Buffer Overflow - CVE-2017-14492
CWE-121: Stack-based Buffer Overflow - CVE-2017-14493
CWE-200: Information Exposure - CVE-2017-14494
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2017-14495
CWE-191: Integer Underflow - CVE-2017-14496
Please see the Google Security blog post for additional information.
Dnsmasq is a widely used piece of open-source software. These vulnerabilities can be triggered remotely via DNS and DHCP protocols and can lead to remote code execution, information exposure, and denial of service. In some cases an attacker would need to induce one or more DNS requests.
Apply an Update
dnsmasq version 2.78 has been released to address these vulnerabilities.
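One way to check a host against the fixed release, as an added example that is not part of the original note: the functions below parse the banner printed by `dnsmasq --version` and compare it with 2.78. The function names are hypothetical and the sample banner is constructed; a banner below 2.78 does not show fixes that a distribution may have backported into an older package.

```shell
#!/bin/sh
# Added example, not part of VU#973527: compare a dnsmasq banner with the fixed release (2.78).
FIXED_MAJOR=2
FIXED_MINOR=78

# Print the version token from a banner line such as
# "Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley" (constructed sample).
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^[Dd]nsmasq version \([^ ]*\).*/\1/p' | head -n 1
}

# Drop leading zeros so "08" is compared as decimal 8.
strip_zeros() {
    n=$1
    while [ "${#n}" -gt 1 ] && [ "${n#0}" != "$n" ]; do n=${n#0}; done
    printf '%s\n' "$n"
}

# Print "vulnerable", "fixed" or "unknown" for a version token.
classify_version() {
    case $1 in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}      # leading digits of what follows the first dot
    suffix=${rest#"$minor"}     # e.g. "rc1", "test3", "-1"
    case $major in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    [ -n "$minor" ] || { echo unknown; return 0; }
    major=$(strip_zeros "$major")
    minor=$(strip_zeros "$minor")
    if [ "$major" -lt "$FIXED_MAJOR" ] ||
       { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -lt "$FIXED_MINOR" ]; }; then
        echo vulnerable
    elif [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -eq "$FIXED_MINOR" ] &&
         [ -n "$suffix" ]; then
        # Assumption: a suffixed 2.78 build (pre-release or vendor build) is not
        # treated as the fixed release; confirm it against the vendor's advisory.
        echo unknown
    else
        echo fixed
    fi
}

# Classify a whole banner, e.g. classify_banner "$(dnsmasq --version 2>/dev/null)".
classify_banner() {
    classify_version "$(extract_version "$1")"
}
```

An "unknown" result means the banner could not be parsed or carries a suffix on 2.78, and the build should be checked against the vendor's own advisory.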
Vendor Information
If you are a vendor and your product is affected, let us know.
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| dnsmasq | Affected | 25 Sep 2017 | 02 Oct 2017 |
| Ruckus Wireless | Affected | 25 Sep 2017 | 02 Feb 2018 |
| Technicolor | Affected | - | 18 Oct 2017 |
| ZyXEL | Affected | 25 Sep 2017 | 02 Feb 2018 |
| Brocade Communication Systems | Not Affected | 25 Sep 2017 | 02 Feb 2018 |
| 3com Inc | Unknown | 25 Sep 2017 | 25 Sep 2017 |
| ACCESS | Unknown | 25 Sep 2017 | 25 Sep 2017 |
| Actiontec | Unknown | 25 Sep 2017 | 25 Sep 2017 |
| Aerohive | Unknown | 25 Sep 2017 | 25 Sep 2017 |
| Alcatel-Lucent | Unknown | 25 Sep 2017 | 25 Sep 2017 |
| Amazon | Unknown | 25 Sep 2017 | 25 Sep 2017 |
| Android Open Source Project | Unknown | 25 Sep 2017 | 25 Sep 2017 |
| Apple | Unknown | 25 Sep 2017 | 25 Sep 2017 |
| Arch Linux | Unknown | 25 Sep 2017 | 25 Sep 2017 |
| Arista Networks, Inc. | Unknown | 25 Sep 2017 | 25 Sep 2017 |
Thanks to Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher and Ron Bowes of the Google Security Team for reporting this vulnerability.
This document was written by Trent Novelly.
If you have feedback, comments, or additional information about this vulnerability, please send us email.