Google is drawing attention to a set of “prehistoric” bugs in an open source Domain Name System (DNS) software package that gets installed on Linux distributions and is built-in to Android and Google's Kubernetes container software for the enterprise.
Among seven bugs found by Google and now patched in an updated version of dnsmasq are three remote code execution flaws, an information leakage issue, and three denial of service flaws. Google has published proof-of-concept exploit code as part of its effort to encourage developers and users to update software products and systems.
Dnsmasq software is used in networks that are open on the internet and private networks. As Google researchers note, it’s installed on everything from PCs running Linux distributions like Ubuntu, to home routers, and IoT devices. It's also a component of the Google-created software for steering containerized applications, Kubernetes, which Google offers as a container engine on the Google Cloud Platform.
Dnsmasq is a lightweight alternative to the Berkley Internet Name Domain or BIND Domain Name System (DNS) Server with functions including caching DNS queries to improve connection speeds to previously visited sites, and giving internal IP addresses to computers on a small local area network (LAN).
Dnsmasq maintainer Simon Kelley today announced dnsmasq version 2.78, which fixes “serious security vulnerabilities” found by Google, some of which have remained undetected since the software’s “prehistoric times”. The first version was released in 2001.
Google says it discovered the dnsmasq flaws during its routine internal security assessments.
"We are writing this to disclose the issues we found and to publicize the patches in an effort to increase their uptake," wrote the company's engineers.
They point to Shodan results for dnsmasq that suggest there over a million systems exposed to the internet that are running outdated versions of the software.
Google has already fixed its own cloud services and says a patch for one of the flaws affecting Android is coming to devices in the October monthly security update. Android device makers have already been handed the patch.
Google published its October Android security bulletin today with a note that supported versions of Android Open Source Project builds, from 4.4.4 to Android 8.0 Oreo, are affected. It's highly unlikely older versions of Android devices will ever see a patch.
Google notes that dnsmasq in Android is sandboxed so the risk of an attack is reduced. Also, an attacker needs to have possession of or be tethered directly to the device to exploit the flaw.
A bigger concern for the enterprise could be that, Kubernetes or K8s, which it created and donated to another project, is also affected. Versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 now include a patched DNS pod.
Kubernetes is deployed at most of the world’s largest firms, according to programming-sector analyst firm RedMonk.
An advisory from the Kubernetes’ security team notes that dnsmasq runs as part of the k8s-dns-dnsmasq-nanny container in the kube-dns pod. The team warns the bugs are “potentially remotely exploitable”.
“All Kubernetes clusters running k8s-dns-dnsmasq-nanny:1.14.4 and earlier are affected,” it says.
Version 1.14.5 of kube-dns containers has been released for all kube-dns containers and include the patched k8s-dns-dnsmasq-nanny:1.14.5, which fixes the vulnerability.
Ubuntu-maker Canonical meanwhile has told users of Ubuntu 17.04, 16.04 LTS, and 14.04 LTS to update to the appropriate dnsmasq package versions.
Google’s security researchers have also submitted a patch to the dnsmasq project for review that enables dnsmasq to run under a “secure computing with filters” tool that allows developers to provide additional sandboxing.