search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Dnsmasq contains multiple vulnerabilities

Vulnerability Note VU#973527

Original Release Date: 2017-10-02 | Last Revised: 2018-02-02

Overview

Dnsmasq versions 2.77 and earlier contains multiple vulnerabilities.

Description

Multiple vulnerabilities have been reported in dnsmasq.

CWE-122: Heap-based Buffer Overflow - CVE-2017-14491

CWE-122: Heap-based Buffer Overflow - CVE-2017-14492

CWE-121: Stack-based Buffer Overflow - CVE-2017-14493

CWE-200: Information Exposure - CVE-2017-14494

CWE-400: Uncontrolled Resource Consumption('Resource Exhaustion') - CVE-2017-14495

CWE-191: Integer Underflow - CVE-2017-14496

Please see the Google Security blog post for additional information.

Impact

Dnsmasq is a widely used piece of open-source software. These vulnerabilities can be triggered remotely via DNS and DHCP protocols and can lead to remote code execution, information exposure, and denial of service. In some cases an attacker would need to induce one or more DNS requests.

Solution

Apply an Update
dnsmasq version 2.78 has been released to address these vulnerabilities.

Vendor Information

973527
 
Affected   Unknown   Unaffected

Ruckus Wireless

Notified:  September 25, 2017 Updated:  February 02, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.ruckuswireless.com/security

Technicolor

Updated:  October 18, 2017

Statement Date:   October 18, 2017

Status

  Affected

Vendor Statement

We issued a security bulletin through the FIRST mailing list.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ZyXEL

Notified:  September 25, 2017 Updated:  February 02, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.zyxel.com/support/announcement_dnsmasq_vulnerabilities.shtml

dnsmasq

Notified:  September 25, 2017 Updated:  October 02, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Brocade Communication Systems

Notified:  September 25, 2017 Updated:  February 02, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

3com Inc

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

ACCESS

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

AT&T

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Actiontec

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Aerohive

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Alcatel-Lucent

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Amazon

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Android Open Source Project

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Apple

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Arch Linux

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Arista Networks, Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Aruba Networks

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

AsusTek Computer Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Avaya, Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Belkin, Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Broadcom

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CA Technologies

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Check Point Software Technologies

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Cisco

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CoreOS

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

D-Link Systems, Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Debian GNU/Linux

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Dell

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DesktopBSD

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Devicescape

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DragonFly BSD Project

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

EMC Corporation

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

EfficientIP SAS

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ericsson

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Espressif Systems

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Extreme Networks

Notified:  September 26, 2017 Updated:  September 26, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

F5 Networks, Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fedora Project

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Force10 Networks

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

FreeBSD Project

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

GNU glibc

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Google

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

HTC

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

HardenedBSD

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hewlett Packard Enterprise

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hitachi

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Huawei Technologies

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM, INC.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Infoblox

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Intel Corporation

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Internet Systems Consortium

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Internet Systems Consortium - DHCP

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Joyent

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Juniper Networks

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Lenovo

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

McAfee

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

MediaTek

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Medtronic

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Microsoft Corporation

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Motorola, Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NEC Corporation

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NetBSD

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Netgear, Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nokia

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nominum

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OmniTI

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenBSD

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenDNS

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Oracle Corporation

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Peplink

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Philips Electronics

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

PowerDNS

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Pulse Secure

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

QNX Software Systems Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

QUALCOMM Incorporated

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Quantenna Communications

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Red Hat, Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SUSE Linux

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SafeNet

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Samsung Mobile

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Secure64 Software Corporation

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sierra Wireless

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Slackware Linux Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SmoothWall

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Snort

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sony Corporation

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sophos, Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sourcefire

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Symantec

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

TippingPoint Technologies Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Toshiba Commerce Solutions

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

TrueOS

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Turbolinux

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ubiquiti Networks

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ubuntu

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Unisys

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

VMware

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Wind River

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Zebra Technologies

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

m0n0wall

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 8.7 E:H/RL:OF/RC:C
Environmental 8.7 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher and Ron Bowes of the Google Security Team for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

CVE IDs: CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496
Date Public: 2017-10-02
Date First Published: 2017-10-02
Date Last Updated: 2018-02-02 14:16 UTC
Document Revision: 25

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.