{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2017-020.pdf"
    },
    "title": "Critical Vulnerabilities Impacting Dnsmasq",
    "serial_number": "2017-020",
    "publish_date": "04-10-2017 12:42:00",
    "description": "On October 2nd, 2017, Google published a blog post detailing several critical vulnerabilities impacting dnsmasq. Dnsmasq is widely used in Linux and BSD distributions, Android devices and proprietary firmware for serving DNS, DHCP, router advertisements, and network boot. It is often exposed to the Internet and widely used on internal networks. The vulnerabilities allow an attacker to perform remote code execution, to get access to sensitive information, or to perform a denial-of-service attack on the service.",
    "url_title": "2017-020",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities Impacting\u00a0Dnsmasq'\nversion: '1.0'\nnumber: '2017-020'\nfontsize: '11pt'\n---\n\n_History:_\n\n* _04/10/2017 --- v1.0 -- Initial publication_\n\n\n# Summary\n\nOn October 2nd, 2017, Google published a blog post [1] detailing several critical vulnerabilities impacting **dnsmasq**. Dnsmasq is widely used in Linux and BSD distributions, Android devices and proprietary firmware for serving DNS, DHCP, router advertisements, and network boot. It is often exposed to the Internet and widely used on internal networks.\n\nGoogle worked with the dnsmasq developers to patch the vulnerabilities before releasing proof-of-concept code [4] and a patch file [5].\n\nThe vulnerabilities allow an attacker to perform remote code execution (3 vulnerabilities), to get access to sensitive information (1 vulnerability), or to perform a denial-of-service attack on the service (3 vulnerabilities).\n\n# Technical Details\n\n * CVE-2017-14491: DNS-based remote code execution via heap-based overflow (2 bytes)\n * CVE-2017-14492: DHCP-based remote code execution via heap-based overflow -- could be used to bypass ASLR if used in combination with CVE-2017-14494\n * CVE-2017-14493: DHCP-based remote code execution via stack-based overflow\n * CVE-2017-14494: DHCP-based information leak -- could be used to bypass ASLR\n * CVE-2017-14495: DNS-based denial-of-service\n * CVE-2017-14496: DNS-based denial-of-service, also affecting Android\n * CVE-2017-13704: DNS-based denial-of-service\n\n# Products Affected\n\n* Dnsmasq < 2.78\n\n# Recommendations\n\nA fix is available through an upgrade to Dnsmasq version 2.78 [2].\n\nFor Android devices, Google released a patch in the October 2017 Security Bulletin [3]. For other Linux and BSD distributions, contact your distribution maintainers for a fix.\n\n# References\n\n[1] Google blog post <https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html>\n\n[2] Dnsmasq changelog <http://www.thekelleys.org.uk/dnsmasq/CHANGELOG>\n\n[3] Android Security Bulletin -- October 2017 <https://source.android.com/security/bulletin/2017-10-01>\n\n[4] Proof of Concept code for vulnerabilities <https://github.com/google/security-research-pocs/tree/master/vulnerabilities/dnsmasq>\n\n[5] Patch for dnsmasq source code <https://github.com/google/security-research-pocs/blob/master/vulnerabilities/dnsmasq/sandbox/dnsmasq-sandbox.patch>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>04/10/2017 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On October 2nd, 2017, Google published a blog post [1] detailing several critical vulnerabilities impacting <strong>dnsmasq</strong>. Dnsmasq is widely used in Linux and BSD distributions, Android devices and proprietary firmware for serving DNS, DHCP, router advertisements, and network boot. It is often exposed to the Internet and widely used on internal networks.</p><p>Google worked with the dnsmasq developers to patch the vulnerabilities before releasing proof-of-concept code [4] and a patch file [5].</p><p>The vulnerabilities allow an attacker to perform remote code execution (3 vulnerabilities), to get access to sensitive information (1 vulnerability), or to perform a denial-of-service attack on the service (3 vulnerabilities).</p><h2 id=\"technical-details\">Technical Details</h2><ul><li>CVE-2017-14491: DNS-based remote code execution via heap-based overflow (2 bytes)</li><li>CVE-2017-14492: DHCP-based remote code execution via heap-based overflow -- could be used to bypass ASLR if used in combination with CVE-2017-14494</li><li>CVE-2017-14493: DHCP-based remote code execution via stack-based overflow</li><li>CVE-2017-14494: DHCP-based information leak -- could be used to bypass ASLR</li><li>CVE-2017-14495: DNS-based denial-of-service</li><li>CVE-2017-14496: DNS-based denial-of-service, also affecting Android</li><li>CVE-2017-13704: DNS-based denial-of-service</li></ul><h2 id=\"products-affected\">Products Affected</h2><ul><li>Dnsmasq &lt; 2.78</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>A fix is available through an upgrade to Dnsmasq version 2.78 [2].</p><p>For Android devices, Google released a patch in the October 2017 Security Bulletin [3]. For other Linux and BSD distributions, contact your distribution maintainers for a fix.</p><h2 id=\"references\">References</h2><p>[1] Google blog post <a rel=\"noopener\" target=\"_blank\" href=\"https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html\">https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html</a></p><p>[2] Dnsmasq changelog <a rel=\"noopener\" target=\"_blank\" href=\"http://www.thekelleys.org.uk/dnsmasq/CHANGELOG\">http://www.thekelleys.org.uk/dnsmasq/CHANGELOG</a></p><p>[3] Android Security Bulletin -- October 2017 <a rel=\"noopener\" target=\"_blank\" href=\"https://source.android.com/security/bulletin/2017-10-01\">https://source.android.com/security/bulletin/2017-10-01</a></p><p>[4] Proof of Concept code for vulnerabilities <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/google/security-research-pocs/tree/master/vulnerabilities/dnsmasq\">https://github.com/google/security-research-pocs/tree/master/vulnerabilities/dnsmasq</a></p><p>[5] Patch for dnsmasq source code <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/google/security-research-pocs/blob/master/vulnerabilities/dnsmasq/sandbox/dnsmasq-sandbox.patch\">https://github.com/google/security-research-pocs/blob/master/vulnerabilities/dnsmasq/sandbox/dnsmasq-sandbox.patch</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}