Researchers have discovered seven serious vulnerabilities in an open source DNS forwarder and DHCP server.
According to a blog post by Google's security team, Dnsmasq, which ships in many Linux distributions and Internet of Things-type devices, can be exploited for remote code execution, information leakage or denial of service.
"We discovered seven distinct issues (listed below) over the course of our regular internal security assessments," said researchers.
"Once we determined the severity of these issues, we worked to investigate their impact and exploitability and then produced internal proofs of concept for each of them. We also worked with the maintainer of Dnsmasq, Simon Kelley, to produce appropriate patches and mitigate the issue."
The blog detailed the flaws. CVE-2017-14491 is a DNS-based vulnerability that affects both directly exposed and internal network setups. The latest git version limits the overflow to 2 bytes, which prior research shows can still be exploited; before version 2.76 and the commit that introduced that limit, the overflow is unrestricted.
CVE-2017-14493 is a trivial-to-exploit DHCP-based, stack-based buffer overflow. Android is affected by CVE-2017-14496 when the attacker is local or tethered directly to the device; the service itself is sandboxed, so the risk is reduced.
Users who have deployed the latest version of Dnsmasq (2.78) will be protected from the attacks discovered. "Android partners have received this patch as well and it will be included in Android's monthly security update for October. Kubernetes versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 have been released with a patched DNS pod. Other affected Google services have been updated," said researchers.
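The practical question for an operator is whether a given host is still running a pre-2.78 build. The script below is an added example written for this article, not code from Google's advisory or from the Dnsmasq project: it parses the first line of `dnsmasq --version` output and classifies it against the 2.78 fix release and the 2.76 boundary the article gives for CVE-2017-14491. The sample banners are constructed for illustration, and the only assumption beyond the article is the banner format (`Dnsmasq version X.Y  Copyright ...`) and Dnsmasq's `test`/`rc` pre-release suffixes. One caveat the version string cannot settle: distributions frequently backport fixes without bumping the upstream version, so a pre-2.78 banner means "check the vendor advisory", not "confirmed vulnerable".

```python
"""Classify a `dnsmasq --version` banner against the fix release named in the article."""
import re
import shutil
import subprocess

# Fix release named in Google's advisory: 2.78 closes all seven reported issues.
PATCHED = (2, 78)
# Per the article, the CVE-2017-14491 overflow is unrestricted before 2.76.
RESTRICTED_FROM = (2, 76)

# Matches the first line dnsmasq prints, e.g.
#   "Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley"
# The optional suffix catches upstream pre-releases such as 2.78test1 / 2.78rc1.
BANNER_RE = re.compile(r"Dnsmasq version (\d+)\.(\d+)([A-Za-z]+\d*)?")


def parse_version(banner: str):
    """Return ((major, minor), suffix) or None if the banner is not recognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2))), (m.group(3) or "")


def assess(banner: str) -> dict:
    """Classify a banner. Status is one of 'patched', 'vulnerable', 'unknown'."""
    parsed = parse_version(banner)
    if parsed is None:
        return {"version": None, "status": "unknown",
                "note": "banner not recognised; check the package manager instead"}
    version, suffix = parsed
    label = f"{version[0]}.{version[1]}{suffix}"
    # A 2.78 pre-release (test/rc build) predates the fix, so only a plain
    # 2.78 or anything newer counts as patched.
    if version > PATCHED or (version == PATCHED and not suffix):
        return {"version": label, "status": "patched", "note": "2.78 or later"}
    notes = ["upstream < 2.78: CVE-2017-14491 (DNS) and CVE-2017-14493 (DHCP) "
             "apply unless the distribution backported the fix; check its advisory"]
    if version < RESTRICTED_FROM:
        notes.append("older than 2.76: CVE-2017-14491 overflow is unrestricted, "
                     "not the 2-byte variant")
    return {"version": label, "status": "vulnerable", "note": "; ".join(notes)}


def assess_local() -> dict:
    """Run the installed binary, if any, and assess its banner."""
    path = shutil.which("dnsmasq")
    if path is None:
        return {"version": None, "status": "unknown", "note": "dnsmasq not on PATH"}
    out = subprocess.run([path, "--version"], capture_output=True, text=True)
    return assess(out.stdout)


# Constructed sample banners (not real captures), one per band the article describes.
SAMPLE_BANNERS = {
    "old": "Dnsmasq version 2.75  Copyright (c) 2000-2015 Simon Kelley",
    "restricted": "Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley",
    "prerelease": "Dnsmasq version 2.78rc1  Copyright (c) 2000-2017 Simon Kelley",
    "fixed": "Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, assess(banner))
    print("local", assess_local())
```

Run it on each host (or feed it banners collected by your inventory tooling) and treat "patched" as the only green result; for embedded or vendor-built images where the binary is not on PATH, the "unknown" branch is the signal to go and find the actual firmware build.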
Craig Young, security researcher at Tripwire, told SC Media UK that Dnsmasq is most commonly used in development environments as well as embedded or mobile devices. “While there may be dnsmasq on some corporate networks, it is less likely that it will be used on employee workstations or critical servers,” he said.
“The bigger risk as I see it would be for the compromise of employee home networks or the ability for an attacker to move laterally within a corporate network by infecting devices. In the corporate environment, IPS/IDS technology can be effective at recognising the malformed messages that would trigger the vulnerable conditions. At home however there are typically fewer options for defence since consumers are ultimately dependent on vendors for fixes.”
Pascal Geenens, security evangelist at Radware, told SC Media UK that the scale of this should not be underestimated. "This is a big one. Lots of modems and routers are affected and will be left unprotected - some weeks, some months, some years... expect to see IoT botnets abuse these vulnerabilities in the coming weeks."