Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Google Finds Flaws in Dnsmasq Network Services Tool

Google employees have identified a total of seven vulnerabilities, including ones that allow remote code execution, in the Dnsmasq network services software.

Google employees have identified a total of seven vulnerabilities, including ones that allow remote code execution, in the Dnsmasq network services software.

Written and maintained by Simon Kelley, Dnsmasq is a lightweight tool designed to provide DNS, DHCP, router advertisement and network boot services for small networks. Dnsmasq is used by Linux distributions, routers, smartphones and many Internet of Things (IoT) devices. A scan for “Dnsmasq” using the Internet search engine Shodan reveals over 1.1 million instances worldwide.

An analysis of Dnsmasq conducted by Google’s security team revealed seven issues, including remote code execution, information disclosure, and denial-of-service (DoS) flaws that can be exploited via DNS or DHCP.

One of the most interesting vulnerabilities found by Google researchers is CVE-2017-14491, a DNS-based remote code execution weakness that affects both directly exposed and internal networks.

Another noteworthy remote code execution bug is CVE-2017-14493, a DHCP-based issue caused by a stack buffer overflow. Experts noted that this flaw can be combined with a Dnsmasq information disclosure bug tracked as CVE-2017-14494 to bypass ASLR and execute arbitrary code.

One security hole that affects Android is CVE-2017-14496, a DoS issue that can be exploited by a local attacker or one who is tethered directly to the device. However, Google pointed out that the risk is low considering that the affected service is sandboxed.

Advertisement. Scroll to continue reading.

The other vulnerabilities are CVE-2017-14492, a DHCP-based heap overflow that leads to RCE; and CVE-2017-14495 and CVE-2017-13704, both of which allow DoS attacks via DNS.

The Google Security Team has released proof-of-concept (PoC) code for each of the vulnerabilities.

The flaws have been addressed on Monday with the release of Dnsmasq 2.78. Google has also updated its affected services and provided the fixes to Android partners. This month’s Android security updates will also include the patches.

Related: Google Patches Critical Vulnerabilities in Android

Related: Google Resolves Critical Vulnerabilities in Android’s Media Framework

Related: Google Researchers Find “Worst” Windows RCE Flaw

Related: Google Researcher Details Linux Kernel Exploit

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.