How to protect your systems from newly-discovered Dnsmasq vulnerabilities


Google recently announced that it has discovered seven new vulnerabilities in the Domain Name System software package Dnsmasq, which provides DNS name resolution services to translate domain names to their corresponding IP addresses for connectivity purposes.

A post on the company’s security blog said that the team “found three potential remote code executions, one information leak, and three denial of service vulnerabilities affecting the latest version at the project git server as of September 5th 2017.” In other words, the exploit may gain administrative privileges on a device, provide access to confidential information or adversely impact device operation.

The exploit can’t be triggered through unsolicited inbound traffic. To leverage the vulnerability, an attacker would need to have administrative access to a malicious domain such as The attacker may then lure users to try to access which would rely on DNS requests by the dnsmasq module. These requests would involve cached replies from By setting up or arranging specific DNS requests and responses, an attacker may trigger an internal buffer overflow via dnsmasq which may execute code they’ve provided.

Dnsmasq also features DHCP services as well as network functions such as router advertisement and network boot. It is commonly used and runs on an array of operating systems and devices: Red Hat Enterprise Linux, Ubuntu, Debian, CentOS, Slackware, Android, FreeBSD, OpenBSD, NetBSD, macOS, and numerous home routers and IoT devices.

Red Hat confirmed that the critical Dnsmasq heap buffer overflow vulnerability (CVE-2017-14491), considered to be “the worst vulnerability,” has the potential to affect all versions of Dnsmasq in their products.

While this is a fairly typical set of vulnerabilities for operating systems, the Dnsmasq issue has the potential to loom large in the IoT realm. Shodan, a search engine for IoT-related devices, reports that at present over 1.2 million devices can potentially be impacted.

Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposures Research Team, said that the vulnerabilities could have minimal impact against Android due to existing security mechanisms, but they might cause far more trouble for IoT everywhere. “The CVE-2017-14491 bug is classified as being an RCE bug exploitable through crafted DNS replies. Fortunately, there are many factors making it unlikely that attackers will incorporate exploits for this vulnerability into something like Mirai (Malware which can turn networked devices using Linux into remote-controlled bots which can launch attacks on systems and networks),” he wrote.

Young stated that the most likely attack scenario he could envision would be an attack campaign using crafted web pages, IMs, and emails intended to trigger outbound DNS requests to a server in the attacker’s control.

“While some on the Internet have claimed that this vulnerability can only be exploited by a PTR (reverse DNS) record query, my assessment is that a crafted response to a canonical name record (CNAME or alias) can trigger the vulnerability making this attack possible,” he stated.

Even in this scenario, however, Young said it’s unlikely that an exploit could be crafted to reliably get code execution on the wide variety of vulnerable devices, all potentially running different OS versions with different libraries and versions of dnsmasq. Nevertheless, he stated it’s still a critical imperative for IoT vendors to address the issue and develop updates for affected products since the possibility of widespread attack can’t be entirely ruled out.

What do you need to do?

As a system administrator, I agree with Young: regardless of threat level or severity, vulnerabilities should always be patched since it makes for best practices and often security or governance requirements leave you no choice.

For Red Hat operating systems, run “yum update -y” to patch all current implementations of Dnsmasq. Ubuntu users should use the “sudo apt-get upgrade” command to apply all available updates. Update mechanisms may differ for FreeBSD, OpenBSD and NetBSD, but the “pkg_add -ui” command should work for all of them. Mac OS users can use the App Store to apply available updates.

You can also find the latest dnsmasq package here for manual installation; 2.78 is the approved version.

For Android products, the October Android security update will contain a fix for these issues, so make sure to update devices or instruct your user base to do so as soon as a software update is available.

For routers and IoT devices, contact your vendor or visit their website to determine if their products are affected and, if so, whether a patch is available and how to apply it. Generally this will likely be in the form of a firmware update which you can use to “flash” the device. Prioritize your schedule so that internet-connected devices are updated first, followed by those operating only on local networks.
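
To help build that update schedule, here is an added example (not from the original article) that triages dnsmasq version banners against 2.78, the fixed version named above. The host names and banner lines are constructed, and the "host|banner" input format is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: first-pass triage of dnsmasq banners against 2.78,
# the fixed release named in the article. Hosts and banners are constructed.
FIXED_MAJOR=2
FIXED_MINOR=78

# Pull the version token out of the first line of `dnsmasq --version`, e.g.
# "Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley" -> 2.76
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^Dnsmasq version \([^ ]*\).*/\1/p'
}

# Print fixed / outdated / unknown. Anything that is not plain MAJOR.MINOR
# (pre-releases, unparsable banners) is "unknown" and needs a manual look.
classify_version() {
    case "$1" in
        ''|*[!0-9.]*|*.*.*|.*|*.) echo unknown; return 0 ;;
        *.*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${1%.*}
    minor=${1#*.}
    if [ "$major" -gt "$FIXED_MAJOR" ] ||
       { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -ge "$FIXED_MINOR" ]; }; then
        echo fixed
    else
        echo outdated
    fi
}

# Read "host|banner" lines on stdin, print "host version status" per line.
triage() {
    while IFS='|' read -r host banner; do
        [ -n "$host" ] || continue
        ver=$(banner_version "$banner")
        printf '%s %s %s\n' "$host" "${ver:--}" "$(classify_version "$ver")"
    done
}

# Constructed inventory standing in for banners collected from real devices.
sample_inventory() {
    cat <<'EOF'
gw-lab-01|Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
cam-lab-02|Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley
ap-lab-03|Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
nas-lab-04|Dnsmasq version 2.78rc1  Copyright (c) 2000-2017 Simon Kelley
plc-lab-05|sh: dnsmasq: not found
EOF
}

sample_inventory | triage
```

Distribution packages often backport security fixes without changing the upstream version shown in the banner, so treat "outdated" as a prompt to check the vendor's advisory or package changelog, not as proof of exposure.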

Also consider using firewall rules to segregate traffic from unwanted subnets or block internet access entirely on servers (it has been years since I’ve accessed the internet from any server other than a test system). Manufacturers often have a “turn everything on for user convenience, to reduce support calls and promote device usage” mindset, so turning off unnecessary functions or services is also always a good idea, regardless of the operating system or device involved.
