
CERT Coordination Center

Dnsmasq contains multiple vulnerabilities

Vulnerability Note VU#973527

Original Release Date: 2017-10-02 | Last Revised: 2018-02-02

Overview

Dnsmasq versions 2.77 and earlier contain multiple vulnerabilities.

Description

Multiple vulnerabilities have been reported in dnsmasq.

CWE-122: Heap-based Buffer Overflow - CVE-2017-14491

CWE-122: Heap-based Buffer Overflow - CVE-2017-14492

CWE-121: Stack-based Buffer Overflow - CVE-2017-14493

CWE-200: Information Exposure - CVE-2017-14494

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2017-14495

CWE-191: Integer Underflow - CVE-2017-14496

Please see the Google Security blog post for additional information.

Impact

Dnsmasq is a widely used piece of open-source software. These vulnerabilities can be triggered remotely via DNS and DHCP protocols and can lead to remote code execution, information exposure, and denial of service. In some cases an attacker would need to induce one or more DNS requests.

Solution

Apply an Update
dnsmasq version 2.78 has been released to address these vulnerabilities.

Vendor Information


Ruckus Wireless

Notified:  September 25, 2017 Updated:  February 02, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Technicolor

Updated:  October 18, 2017

Statement Date:   October 18, 2017

Status

  Affected

Vendor Statement

We issued a security bulletin through the FIRST mailing list.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ZyXEL

Notified:  September 25, 2017 Updated:  February 02, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

dnsmasq

Notified:  September 25, 2017 Updated:  October 02, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Brocade Communication Systems

Notified:  September 25, 2017 Updated:  February 02, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

3com Inc

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

    ACCESS

    Notified:  September 25, 2017 Updated:  September 25, 2017

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor References

      AT&T

      Notified:  September 25, 2017 Updated:  September 25, 2017

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor References

        Actiontec

        Notified:  September 25, 2017 Updated:  September 25, 2017

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor References

          Aerohive

          Notified:  September 25, 2017 Updated:  September 25, 2017

          Status

            Unknown

          Vendor Statement

          No statement is currently available from the vendor regarding this vulnerability.

          Vendor References

            Alcatel-Lucent

            Notified:  September 25, 2017 Updated:  September 25, 2017

            Status

              Unknown

            Vendor Statement

            No statement is currently available from the vendor regarding this vulnerability.

            Vendor References

              Amazon

              Notified:  September 25, 2017 Updated:  September 25, 2017

              Status

                Unknown

              Vendor Statement

              No statement is currently available from the vendor regarding this vulnerability.

              Vendor References

                Android Open Source Project

                Notified:  September 25, 2017 Updated:  September 25, 2017

                Status

                  Unknown

                Vendor Statement

                No statement is currently available from the vendor regarding this vulnerability.

                Vendor References

                  Apple

                  Notified:  September 25, 2017 Updated:  September 25, 2017

                  Status

                    Unknown

                  Vendor Statement

                  No statement is currently available from the vendor regarding this vulnerability.

                  Vendor References

                    Arch Linux

                    Notified:  September 25, 2017 Updated:  September 25, 2017

                    Status

                      Unknown

                    Vendor Statement

                    No statement is currently available from the vendor regarding this vulnerability.

                    Vendor References

                      Arista Networks, Inc.

                      Notified:  September 25, 2017 Updated:  September 25, 2017

                      Status

                        Unknown

                      Vendor Statement

                      No statement is currently available from the vendor regarding this vulnerability.

                      Vendor References

                        Aruba Networks

                        Notified:  September 25, 2017 Updated:  September 25, 2017

                        Status

                          Unknown

                        Vendor Statement

                        No statement is currently available from the vendor regarding this vulnerability.

                        Vendor References

                          AsusTek Computer Inc.

                          Notified:  September 25, 2017 Updated:  September 25, 2017

                          Status

                            Unknown

                          Vendor Statement

                          No statement is currently available from the vendor regarding this vulnerability.

                          Vendor References

                            Avaya, Inc.

                            Notified:  September 25, 2017 Updated:  September 25, 2017

                            Status

                              Unknown

                            Vendor Statement

                            No statement is currently available from the vendor regarding this vulnerability.

                            Vendor References

                              Belkin, Inc.

                              Notified:  September 25, 2017 Updated:  September 25, 2017

                              Status

                                Unknown

                              Vendor Statement

                              No statement is currently available from the vendor regarding this vulnerability.

                              Vendor References

                                Broadcom

                                Notified:  September 25, 2017 Updated:  September 25, 2017

                                Status

                                  Unknown

                                Vendor Statement

                                No statement is currently available from the vendor regarding this vulnerability.

                                Vendor References

                                  CA Technologies

                                  Notified:  September 25, 2017 Updated:  September 25, 2017

                                  Status

                                    Unknown

                                  Vendor Statement

                                  No statement is currently available from the vendor regarding this vulnerability.

                                  Vendor References

                                    Check Point Software Technologies

                                    Notified:  September 25, 2017 Updated:  September 25, 2017

                                    Status

                                      Unknown

                                    Vendor Statement

                                    No statement is currently available from the vendor regarding this vulnerability.

                                    Vendor References

                                      Cisco

                                      Notified:  September 25, 2017 Updated:  September 25, 2017

                                      Status

                                        Unknown

                                      Vendor Statement

                                      No statement is currently available from the vendor regarding this vulnerability.

                                      Vendor References

                                        CoreOS

                                        Notified:  September 25, 2017 Updated:  September 25, 2017

                                        Status

                                          Unknown

                                        Vendor Statement

                                        No statement is currently available from the vendor regarding this vulnerability.

                                        Vendor References

                                          D-Link Systems, Inc.

                                          Notified:  September 25, 2017 Updated:  September 25, 2017

                                          Status

                                            Unknown

                                          Vendor Statement

                                          No statement is currently available from the vendor regarding this vulnerability.

                                          Vendor References

                                            Debian GNU/Linux

                                            Notified:  September 25, 2017 Updated:  September 25, 2017

                                            Status

                                              Unknown

                                            Vendor Statement

                                            No statement is currently available from the vendor regarding this vulnerability.

                                            Vendor References

                                              Dell

                                              Notified:  September 25, 2017 Updated:  September 25, 2017

                                              Status

                                                Unknown

                                              Vendor Statement

                                              No statement is currently available from the vendor regarding this vulnerability.

                                              Vendor References

                                                DesktopBSD

                                                Notified:  September 25, 2017 Updated:  September 25, 2017

                                                Status

                                                  Unknown

                                                Vendor Statement

                                                No statement is currently available from the vendor regarding this vulnerability.

                                                Vendor References

                                                  Devicescape

                                                  Notified:  September 25, 2017 Updated:  September 25, 2017

                                                  Status

                                                    Unknown

                                                  Vendor Statement

                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                  Vendor References

                                                    DragonFly BSD Project

                                                    Notified:  September 25, 2017 Updated:  September 25, 2017

                                                    Status

                                                      Unknown

                                                    Vendor Statement

                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                    Vendor References

                                                      EMC Corporation

                                                      Notified:  September 25, 2017 Updated:  September 25, 2017

                                                      Status

                                                        Unknown

                                                      Vendor Statement

                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                      Vendor References

                                                        EfficientIP SAS

                                                        Notified:  September 25, 2017 Updated:  September 25, 2017

                                                        Status

                                                          Unknown

                                                        Vendor Statement

                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                        Vendor References

                                                          Ericsson

                                                          Notified:  September 25, 2017 Updated:  September 25, 2017

                                                          Status

                                                            Unknown

                                                          Vendor Statement

                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                          Vendor References

                                                            Espressif Systems

                                                            Notified:  September 25, 2017 Updated:  September 25, 2017

                                                            Status

                                                              Unknown

                                                            Vendor Statement

                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                            Vendor References

                                                              Extreme Networks

                                                              Notified:  September 26, 2017 Updated:  September 26, 2017

                                                              Status

                                                                Unknown

                                                              Vendor Statement

                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                              Vendor References

                                                                F5 Networks, Inc.

                                                                Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                Status

                                                                  Unknown

                                                                Vendor Statement

                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                Vendor References

                                                                  Fedora Project

                                                                  Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                  Status

                                                                    Unknown

                                                                  Vendor Statement

                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                  Vendor References

                                                                    Force10 Networks

                                                                    Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                    Status

                                                                      Unknown

                                                                    Vendor Statement

                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                    Vendor References

                                                                      FreeBSD Project

                                                                      Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                      Status

                                                                        Unknown

                                                                      Vendor Statement

                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                      Vendor References

                                                                        GNU glibc

                                                                        Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                        Status

                                                                          Unknown

                                                                        Vendor Statement

                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                        Vendor References

                                                                          Google

                                                                          Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                          Status

                                                                            Unknown

                                                                          Vendor Statement

                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                          Vendor References

                                                                            HTC

                                                                            Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                            Status

                                                                              Unknown

                                                                            Vendor Statement

                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                            Vendor References

                                                                              HardenedBSD

                                                                              Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                              Status

                                                                                Unknown

                                                                              Vendor Statement

                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                              Vendor References

                                                                                Hewlett Packard Enterprise

                                                                                Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                Status

                                                                                  Unknown

                                                                                Vendor Statement

                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                Vendor References

                                                                                  Hitachi

                                                                                  Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                  Status

                                                                                    Unknown

                                                                                  Vendor Statement

                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                  Vendor References

                                                                                    Huawei Technologies

                                                                                    Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                    Status

                                                                                      Unknown

                                                                                    Vendor Statement

                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                    Vendor References

                                                                                      IBM, INC.

                                                                                      Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                      Status

                                                                                        Unknown

                                                                                      Vendor Statement

                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                      Vendor References

                                                                                        Infoblox

                                                                                        Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                        Status

                                                                                          Unknown

                                                                                        Vendor Statement

                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                        Vendor References

                                                                                          Intel Corporation

                                                                                          Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                          Status

                                                                                            Unknown

                                                                                          Vendor Statement

                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                          Vendor References

                                                                                            Internet Systems Consortium

                                                                                            Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                            Status

                                                                                              Unknown

                                                                                            Vendor Statement

                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                            Vendor References

                                                                                              Internet Systems Consortium - DHCP

                                                                                              Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                              Status

                                                                                                Unknown

                                                                                              Vendor Statement

                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                              Vendor References

                                                                                                Joyent

                                                                                                Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                Status

                                                                                                  Unknown

                                                                                                Vendor Statement

                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                Vendor References

                                                                                                  Juniper Networks

                                                                                                  Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                  Status

                                                                                                    Unknown

                                                                                                  Vendor Statement

                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                  Vendor References

                                                                                                    Lenovo

                                                                                                    Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                    Status

                                                                                                      Unknown

                                                                                                    Vendor Statement

                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                    Vendor References

McAfee

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

MediaTek

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Medtronic

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Microsoft Corporation

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Motorola, Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NEC Corporation

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NetBSD

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Netgear, Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Nokia

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Nominum

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

OmniTI

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

OpenBSD

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

OpenDNS

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Openwall GNU/*/Linux

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Oracle Corporation

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Peplink

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Philips Electronics

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

PowerDNS

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Pulse Secure

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

QNX Software Systems Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

QUALCOMM Incorporated

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Quantenna Communications

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Red Hat, Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SUSE Linux

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SafeNet

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Samsung Mobile

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Secure64 Software Corporation

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sierra Wireless

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Slackware Linux Inc.

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SmoothWall

Notified:  September 25, 2017 Updated:  September 25, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

                                                                                                                                                                  Snort

                                                                                                                                                                  Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                                                                                  Status

                                                                                                                                                                    Unknown

                                                                                                                                                                  Vendor Statement

                                                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                  Vendor References

                                                                                                                                                                    Sony Corporation

                                                                                                                                                                    Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                                                                                    Status

                                                                                                                                                                      Unknown

                                                                                                                                                                    Vendor Statement

                                                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                    Vendor References

                                                                                                                                                                      Sophos, Inc.

                                                                                                                                                                      Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                                                                                      Status

                                                                                                                                                                        Unknown

                                                                                                                                                                      Vendor Statement

                                                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                      Vendor References

                                                                                                                                                                        Sourcefire

                                                                                                                                                                        Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                                                                                        Status

                                                                                                                                                                          Unknown

                                                                                                                                                                        Vendor Statement

                                                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                        Vendor References

                                                                                                                                                                          Symantec

                                                                                                                                                                          Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                                                                                          Status

                                                                                                                                                                            Unknown

                                                                                                                                                                          Vendor Statement

                                                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                          Vendor References

                                                                                                                                                                            TippingPoint Technologies Inc.

                                                                                                                                                                            Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                                                                                            Status

                                                                                                                                                                              Unknown

                                                                                                                                                                            Vendor Statement

                                                                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                            Vendor References

                                                                                                                                                                              Toshiba Commerce Solutions

                                                                                                                                                                              Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                                                                                              Status

                                                                                                                                                                                Unknown

                                                                                                                                                                              Vendor Statement

                                                                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                              Vendor References

                                                                                                                                                                                TrueOS

                                                                                                                                                                                Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                                                                                                Status

                                                                                                                                                                                  Unknown

                                                                                                                                                                                Vendor Statement

                                                                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                Vendor References

                                                                                                                                                                                  Turbolinux

                                                                                                                                                                                  Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                                                                                                  Status

                                                                                                                                                                                    Unknown

                                                                                                                                                                                  Vendor Statement

                                                                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                  Vendor References

                                                                                                                                                                                    Ubiquiti Networks

                                                                                                                                                                                    Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                                                                                                    Status

                                                                                                                                                                                      Unknown

                                                                                                                                                                                    Vendor Statement

                                                                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                    Vendor References

                                                                                                                                                                                      Ubuntu

                                                                                                                                                                                      Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                                                                                                      Status

                                                                                                                                                                                        Unknown

                                                                                                                                                                                      Vendor Statement

                                                                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                      Vendor References

                                                                                                                                                                                        Unisys

                                                                                                                                                                                        Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                                                                                                        Status

                                                                                                                                                                                          Unknown

                                                                                                                                                                                        Vendor Statement

                                                                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                        Vendor References

                                                                                                                                                                                          VMware

                                                                                                                                                                                          Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                                                                                                          Status

                                                                                                                                                                                            Unknown

                                                                                                                                                                                          Vendor Statement

                                                                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                          Vendor References

                                                                                                                                                                                            Wind River

                                                                                                                                                                                            Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                                                                                                            Status

                                                                                                                                                                                              Unknown

                                                                                                                                                                                            Vendor Statement

                                                                                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                            Vendor References

                                                                                                                                                                                              Zebra Technologies

                                                                                                                                                                                              Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                                                                                                              Status

                                                                                                                                                                                                Unknown

                                                                                                                                                                                              Vendor Statement

                                                                                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                              Vendor References

                                                                                                                                                                                                m0n0wall

                                                                                                                                                                                                Notified:  September 25, 2017 Updated:  September 25, 2017

                                                                                                                                                                                                Status

                                                                                                                                                                                                  Unknown

                                                                                                                                                                                                Vendor Statement

                                                                                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                                Vendor References



CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       8.7    E:H/RL:OF/RC:C
Environmental  8.7    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher and Ron Bowes of the Google Security Team for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

CVE IDs: CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496
Date Public: 2017-10-02
Date First Published: 2017-10-02
Date Last Updated: 2018-02-02 14:16 UTC
Document Revision: 25

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.