Google researchers disclosed seven serious flaws in Dnsmasq, an open-source DNS software package that is commonly preinstalled on routers, servers, smartphones, IoT devices and operating systems such as the Linux distributions Ubuntu and Debian. The most severe of the vulnerabilities could be remotely exploited to run malicious code and hijack the device.
The disclosed vulnerabilities include three that could lead to remote code execution, three that could result in denial of service and one information leak. A SHODAN search currently shows 1,096,599 instances worldwide.
According to the description provided by Dnsmasq:
Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be lightweight and have a small footprint, suitable for resource constrained routers and firewalls. It has also been widely used for tethering on smartphones and portable hotspots, and to support virtual networking in virtualisation frameworks. Supported platforms include Linux (with glibc and uclibc), Android, *BSD, and Mac OS X. Dnsmasq is included in most Linux distributions and the ports systems of FreeBSD, OpenBSD and NetBSD.
Yesterday on the Google Security Blog, researchers revealed they had discovered the vulnerabilities “over the course of our regular internal security assessments.” They privately reported the flaws to Simon Kelley, the maintainer of the Dnsmasq project, and worked with him to create patches to mitigate the flaws.
'Prehistoric' yet previously undetected vulnerabilities
According to Kelley, “Some of these, including the most serious, have been in Dnsmasq since prehistoric times, and have remained undetected through multiple previous security audits.” The issues were resolved in the new stable release of Dnsmasq 2.78; Kelley said the “update should be mandatory.”
Google noted, “Android partners have received this patch as well and it will be included in Android's monthly security update for October. Kubernetes versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 have been released with a patched DNS pod. Other affected Google services have been updated.”
US-CERT list of vendors affected by the flaws
The researchers provided proof-of-concept code for six of the seven bugs, so people can check if they are affected by the issues. Vendors and other projects using Dnsmasq should apply the patches immediately. US-CERT published a vulnerability notice and compiled a list of 100 vendors that may be affected by the security flaws. You should take a look at that list because it features a large number of big name OS, security solution, IoT device, computer, smartphone and server vendors.
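One way to check whether a host's Dnsmasq build is at or above the 2.78 release that Kelley said should be mandatory. This is an added example, not code from Google, the Dnsmasq project or the original article; the `dnsmasq --version` output format it parses and the sample strings are assumptions constructed for illustration.

```python
import re
import subprocess

# Upstream release that the article says resolved the seven CVEs.
FIXED_VERSION = (2, 78)

# Assumed format of `dnsmasq --version`: "Dnsmasq version 2.78  Copyright ..."
# Also accepts bare strings such as "2.76" or "2.78test3".
_VERSION_RE = re.compile(r"(?:Dnsmasq version\s+)?(\d+)\.(\d+)([A-Za-z][A-Za-z0-9]*)?")


def parse_version(text):
    """Return (major, minor, prerelease_suffix_or_None), or None if unparsable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, suffix = m.groups()
    return int(major), int(minor), suffix


def is_fixed_upstream(text):
    """True if the version string is at or above the 2.78 release.

    Versions are compared as integer pairs, so "2.8" is older than "2.78".
    Pre-release builds (e.g. "2.78test1") are treated as unpatched because a
    test build may predate the fix. Returns None if nothing parsable is found.
    Caveat: distributions often backport the fix into a package whose upstream
    version line is still below 2.78, so a False result must be confirmed
    against the vendor's advisory before concluding the host is vulnerable.
    """
    parsed = parse_version(text)
    if parsed is None:
        return None
    major, minor, suffix = parsed
    if (major, minor) > FIXED_VERSION:
        return True
    if (major, minor) == FIXED_VERSION:
        return suffix is None
    return False


def installed_version_output():
    """Run the local dnsmasq binary and return its --version output (or '')."""
    try:
        return subprocess.run(["dnsmasq", "--version"], capture_output=True,
                              text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    out = installed_version_output()
    print("dnsmasq at/above 2.78:", is_fixed_upstream(out) if out else "not installed")
```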
As Bleeping Computer pointed out about the published proof-of-concept code, “Unfortunately, attackers can easily weaponize these PoC exploits to attack vulnerable devices/networks.”
The 7 security flaws in Dnsmasq
The security vulnerabilities disclosed by Google include:
CVE-2017-14491, CVE-2017-14492 and CVE-2017-14493 are RCE flaws. CVE-2017-14491 is a DNS-based flaw “that affects both directly exposed and internal network setups.” CVE-2017-14492 works via a heap-based overflow against the DHCP vector. Google called CVE-2017-14493 a “trivial-to-exploit DHCP-based, stack-based buffer overflow vulnerability.”
CVE-2017-14494 is an information leak in the DHCP vector. Google noted that the RCE CVE-2017-14493 “in combination with CVE-2017-14494 acting as an info leak,” could allow an attacker to “bypass ASLR and gain remote code execution.”
CVE-2017-14495, CVE-2017-14496 and CVE-2017-13704 are denial-of-service flaws in the DNS vector. Google added, “Android is affected by CVE-2017-14496 when the attacker is local or tethered directly to the device — the service itself is sandboxed, so the risk is reduced. Android partners received patches on 5 September 2017 and devices with a 2017-10-01 security patch level or later address this issue.”