Critical Vulnerabilities Discovered in dnsmasq

Various vulnerabilities have been discovered in dnsmasq, an open source framework for managing DNS, DHCP, Router Advertisement, network boot etc. These issues were discovered in versions prior to 2.78 . The vulnerabilities were disclosed to CERT/CC by Google Security Team. These vulnerabilities can be exploited remotely via DNS and DHCP protocol.

CVE Protocol Description
CVE-2017-14491 DNS 2 byte heap based overflow
CVE-2017-14492 DHCP Heap based overflow
CVE-2017-14493 DHCP Stack based overflow
CVE-2017-14494 DHCP Information leak
CVE-2017-14495 DNS DoS due to Out-Of-Memory
CVE-2017-14496 DNS DoS due to Integer underflow
CVE-2017-13704 DNS DoS due to DNS queries larger that 512 bytes

Currently CERT/CC is tracking the issue on ticket 973527.

Vulnerability:
The vulnerabilities range from buffer overflows to DoS due to memory exhaustion, integer under-flows and Information leak. As per the dnsmasq changelogs these bugs are addressed in version 2.78. The Google Security Team has released PoC for each of the vulnerabilities disclosed by them except for CVE-2017-13704.

CVE-2017-14491: A crafted domain name request triggers a heap overflow in the DNS component. This overflow can result in a crash or allow the attacker to gain control of the target.

CVE-2017-14492: A crafted RA request in IPv6 can cause a heap overflow and result in a crash or target take over. Attacker must be on the local network to exploit this vulnerability.

CVE-2017-14493: A crafted request in DHCPv6 can cause a stack overflow leading to crash or target take over.

CVE-2017-14494: A custom DHCPv6 packet can cause dnsmasq to respond with information beyond the packet buffer, this leads to information leak. This leaked information can aid in bypassing ASLR.

CVE-2017-14495: Crafted DNS queries can trigger memory allocation(s) in the add_pseudoheader function. The function fails to free the allocated memory, this leads to DoS due to out-of-memory condition.

CVE-2017-14496: DoS can occur when function add_pseudoheader tries to allocate memory using memcpy with a negative size as an argument. This can be trigger via malicious DNS queries.

CVE-2017-13704: A UDP DNS query which exceeds 512 bytes can crash the target resulting in DoS.

Fixes:
CVE-2017-14492: A bounds was included in function icmp6_packet() in radv.c to limit the size of presentation domain name to 1025 bytes.

MAXDNAME = 1025 bytes limits domain name length

CVE-2017-14493: A check is included in function dhcp6_maybe_relay to make sure the client hardware address (CHADDR) in the received DHCP packet is limited to 16 bytes.

CHADDR limited to 16 bytes

CVE-2017-14494: The variable end points to the actual length of the options field in the packet. The if condition checks if the current position is within the bounds of the options field.

Bounds checks for opt

CVE-2017-14495: Freeing allocated memory in function add_pseudoheader().

free() called for de-allocation

CVE-2017-14496: Multiple checks are included to make sure that optlen is non negative integer.

optlen is validated before passing as an argument for memcpy()

CVE-2017-13704: The address locations after the packet buffer is set to zero to avoid information disclosure.

memset zeroes out the address locations after the buffer

Mitigation:
We request organizations to scan their networks with the QIDs listed below to detect vulnerable targets.

CVE(s) QID Description
CVE-2017-14491 390008 Oracle VM Server for x86 Security Update for dnsmasq (OVMSA-2017-0160)
256313 CentOS Security Update for dnsmasq (CESA-2017:2838)
157571 Oracle Enterprise Linux Security Update for dnsmasq (ELSA-2017-2840)
236522 Red Hat Update for dnsmasq (RHSA-2017:2840)
236521 Red Hat Update for dnsmasq (RHSA-2017:2839)
236520 Red Hat Update for dnsmasq (RHSA-2017:2838)
157567 Oracle Enterprise Linux Security Update for dnsmasq (ELSA-2017-2838)
CVE-2017-14491,
CVE-2017-14492,
CVE-2017-14493,
CVE-2017-14494
236519 Red Hat Update for dnsmasq (RHSA-2017:2837)
CVE-2017-14491,
CVE-2017-14492,
CVE-2017-14493,
CVE-2017-14494,
CVE-2017-14495,
CVE-2017-14496
170408 OpenSUSE Security Update for dnsmasq (openSUSE-SU-2017:2633-1)
370602 OpenBSD DNSMasq Multiple Vulnerabilities
370600 FreeBSD DNSMasq Multiple Vulnerabilities
256314 CentOS Security Update for dnsmasq (CESA-2017:2836)
351105 Amazon Linux Security Advisory for dnsmasq: ALAS-2017-907
196922 Ubuntu Security Notification for Dnsmasq Vulnerabilities (USN-3430-1)
236518 Red Hat Update for dnsmasq (RHSA-2017:2836)
170388 SUSE Enterprise Linux Security Update for dnsmasq (SUSE-SU-2017:2619-1)
170387 SUSE Enterprise Linux Security Update for dnsmasq (SUSE-SU-2017:2618-1)
176169 Debian Security Update for dnsmasq (DSA 3989-1)
157566 Oracle Enterprise Linux Security Update for dnsmasq (ELSA-2017-2836)
CVE-2017-14491,
CVE-2017-14492,
CVE-2017-14493,
CVE-2017-14494,
CVE-2017-14495,
CVE-2017-14496,
CVE-2017-13704
15098 DNSmasq DNS And DHCP Multiple Remote Vulnerabilities


References:
Please continue to Follow ThreatProtect for information regarding these vulnerabilities.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities
dnsmasq CHANGELOG
dnsmasq PoC

Leave a Reply

Your email address will not be published. Required fields are marked *