Overview
Dnsmasq versions 2.77 and earlier contains multiple vulnerabilities.
Description
Multiple vulnerabilities have been reported in dnsmasq. CWE-122: Heap-based Buffer Overflow - CVE-2017-14491 |
Impact
Dnsmasq is a widely used piece of open-source software. These vulnerabilities can be triggered remotely via DNS and DHCP protocols and can lead to remote code execution, information exposure, and denial of service. In some cases an attacker would need to induce one or more DNS requests. |
Solution
Apply an Update |
Vendor Information
Ruckus Wireless
Notified: September 25, 2017 Updated: February 02, 2018
Status
Affected
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Technicolor
Updated: October 18, 2017
Statement Date: October 18, 2017
Status
Affected
Vendor Statement
We issued a security bulletin through the FIRST mailing list.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
ZyXEL
Notified: September 25, 2017 Updated: February 02, 2018
Status
Affected
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
dnsmasq
Notified: September 25, 2017 Updated: October 02, 2017
Status
Affected
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Brocade Communication Systems
Notified: September 25, 2017 Updated: February 02, 2018
Status
Not Affected
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
3com Inc
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
ACCESS
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
AT&T
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Actiontec
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Aerohive
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Alcatel-Lucent
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Amazon
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Android Open Source Project
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Apple
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Arch Linux
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Arista Networks, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Aruba Networks
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
AsusTek Computer Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Avaya, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Belkin, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Broadcom
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
CA Technologies
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Check Point Software Technologies
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Cisco
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
CoreOS
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
D-Link Systems, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Debian GNU/Linux
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Dell
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
DesktopBSD
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Devicescape
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
DragonFly BSD Project
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
EMC Corporation
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
EfficientIP SAS
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Ericsson
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Espressif Systems
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Extreme Networks
Notified: September 26, 2017 Updated: September 26, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
F5 Networks, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Fedora Project
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Force10 Networks
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
FreeBSD Project
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
GNU glibc
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
HTC
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
HardenedBSD
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Hewlett Packard Enterprise
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Hitachi
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Huawei Technologies
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
IBM, INC.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Infoblox
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Intel Corporation
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Internet Systems Consortium
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Internet Systems Consortium - DHCP
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Joyent
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Juniper Networks
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Lenovo
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
McAfee
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
MediaTek
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Medtronic
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Microsoft Corporation
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Motorola, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
NEC Corporation
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
NetBSD
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Netgear, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Nokia
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Nominum
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
OmniTI
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
OpenBSD
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
OpenDNS
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Openwall GNU/*/Linux
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Oracle Corporation
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Peplink
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Philips Electronics
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
PowerDNS
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Pulse Secure
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
QNX Software Systems Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
QUALCOMM Incorporated
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Quantenna Communications
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Red Hat, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
SUSE Linux
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
SafeNet
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Samsung Mobile
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Secure64 Software Corporation
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Sierra Wireless
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Slackware Linux Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
SmoothWall
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Snort
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Sony Corporation
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Sophos, Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Sourcefire
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Symantec
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
TippingPoint Technologies Inc.
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Toshiba Commerce Solutions
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
TrueOS
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Turbolinux
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Ubiquiti Networks
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Ubuntu
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Unisys
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
VMware
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Wind River
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
Zebra Technologies
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
m0n0wall
Notified: September 25, 2017 Updated: September 25, 2017
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor References
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 8.7 | E:H/RL:OF/RC:C |
| Environmental | 8.7 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher and Ron Bowes of the Google Security Team for reporting this vulnerability.
This document was written by Trent Novelly.
Other Information
| CVE IDs: | CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496 |
| Date Public: | 2017-10-02 |
| Date First Published: | 2017-10-02 |
| Date Last Updated: | 2018-02-02 14:16 UTC |
| Document Revision: | 25 |