Overview
Dnsmasq versions 2.77 and earlier contain multiple vulnerabilities.
Description
Multiple vulnerabilities have been reported in dnsmasq.
CWE-122: Heap-based Buffer Overflow - CVE-2017-14491
Impact
Dnsmasq is a widely used piece of open-source software. These vulnerabilities can be triggered remotely via the DNS and DHCP protocols and can lead to remote code execution, information exposure, and denial of service. In some cases, an attacker would need to induce one or more DNS requests.
Solution
Apply an Update
Vendor Information
Ruckus Wireless
Notified: September 25, 2017 Updated: February 02, 2018
Status
Affected
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Technicolor
Updated: October 18, 2017
Statement Date: October 18, 2017
Status
Affected
Vendor Statement
We issued a security bulletin through the FIRST mailing list.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
ZyXEL
Notified: September 25, 2017 Updated: February 02, 2018
Status
Affected
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
https://www.zyxel.com/support/announcement_dnsmasq_vulnerabilities.shtml
dnsmasq
Notified: September 25, 2017 Updated: October 02, 2017
Status
Affected
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Brocade Communication Systems
Notified: September 25, 2017 Updated: February 02, 2018
Status
Not Affected
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
3com Inc
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
ACCESS
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
AT&T
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Actiontec
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Aerohive
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Alcatel-Lucent
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Amazon
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Android Open Source Project
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Apple
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Arch Linux
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Arista Networks, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Aruba Networks
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
AsusTek Computer Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Avaya, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Belkin, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Broadcom
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
CA Technologies
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Check Point Software Technologies
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Cisco
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
CoreOS
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
D-Link Systems, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Debian GNU/Linux
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Dell
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
DesktopBSD
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Devicescape
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
DragonFly BSD Project
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
EMC Corporation
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
EfficientIP SAS
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Ericsson
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Espressif Systems
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Extreme Networks
Notified: September 26, 2017 Updated: September 26, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
F5 Networks, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Fedora Project
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Force10 Networks
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
FreeBSD Project
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
GNU glibc
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
HTC
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
HardenedBSD
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Hewlett Packard Enterprise
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Hitachi
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Huawei Technologies
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
IBM, INC.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Infoblox
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Intel Corporation
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Internet Systems Consortium
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Internet Systems Consortium - DHCP
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Joyent
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Juniper Networks
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Lenovo
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
McAfee
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
MediaTek
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Medtronic
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Microsoft Corporation
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Motorola, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
NEC Corporation
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
NetBSD
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Netgear, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Nokia
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Nominum
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
OmniTI
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
OpenBSD
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
OpenDNS
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Openwall GNU/*/Linux
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Oracle Corporation
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Peplink
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Philips Electronics
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
PowerDNS
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Pulse Secure
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
QNX Software Systems Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
QUALCOMM Incorporated
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Quantenna Communications
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Red Hat, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
SUSE Linux
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
SafeNet
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Samsung Mobile
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Secure64 Software Corporation
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Sierra Wireless
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Slackware Linux Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
SmoothWall
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Snort
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Sony Corporation
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Sophos, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Sourcefire
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Symantec
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
TippingPoint Technologies Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Toshiba Commerce Solutions
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
TrueOS
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Turbolinux
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Ubiquiti Networks
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Ubuntu
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Unisys
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
VMware
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Wind River
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Zebra Technologies
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
m0n0wall
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 8.7 | E:H/RL:OF/RC:C |
Environmental | 8.7 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
Credit
Thanks to Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher and Ron Bowes of the Google Security Team for reporting this vulnerability.
This document was written by Trent Novelly.
Other Information
CVE IDs: CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496
Date Public: 2017-10-02
Date First Published: 2017-10-02
Date Last Updated: 2018-02-02 14:16 UTC
Document Revision: 25