Organizations, including several major tech companies, have started publishing security advisories to warn customers about serious vulnerabilities discovered by Google researchers in the Dnsmasq network services software.
Dnsmasq is a lightweight tool designed to provide DNS, DHCP, router advertisement and network boot services for small networks. The tool is used by many organizations, including in Linux distributions, networking devices, smartphones, cybersecurity appliances, and Internet of Things (IoT) devices. A scan for “Dnsmasq” via the Internet search engine Shodan reveals over 1.1 million instances worldwide.
Members of Google’s security team discovered recently that Dnsmasq is affected by seven potentially serious vulnerabilities. The flaws can be exploited via DNS or DHCP for remote code execution (CVE-2017-14491, CVE-2017-14492 and CVE-2017-14493), information leaks (CVE-2017-14494), and denial-of-service (DoS) attacks (CVE-2017-14495, CVE-2017-14496 and CVE-2017-13704).
The most critical vulnerability is CVE-2017-14491, a DNS-based remote code execution issue that affects both directly exposed and internal networks.
Simon Kelley, the creator and maintainer of Dnsmasq, released version 2.78 to address the vulnerabilities. This month’s security updates for Android also fix the flaws.
Some of the companies whose products use Dnsmasq have started releasing advisories to inform customers about the flaws and the availability of patches and mitigations. Kelley said some organizations received the information in advance, before the existence of the security holes was made public.
The CERT Coordination Center at Carnegie Mellon University has published a list of 99 vendors that could be affected by the Dnsmasq vulnerabilities, and some of them have confirmed that their products are impacted.
The developers of Linux distributions such as Debian, Red Hat, CentOS, Slackware and Ubuntu have already released patches.
Updates and advisories have also been made available by the creators of Kubernetes, an open-source platform for automating the deployment, scaling and management of containerized applications. Kubernetes is used, among others, by CoreOS, which has also released updates for impacted products.
Amazon Web Services (AWS) customers can use Dnsmasq to resolve hostname queries and the cloud giant has advised them to update the dnsmasq package to prevent potential attacks.
Cisco has also published an advisory, but it has not specified if any of its products are affected. The networking giant has — at least at some point — used Dnsmasq in its own products.
Software-driven cloud networking solutions provider Arista informed customers that its EOS and Cloud Vision Portal products are exposed to remote attacks exploiting CVE-2017-14491. The company has started releasing patches.
Network-attached storage (NAS) solutions provider Synology told customers that its Synology DiskStation Manager (DSM) and Synology Router Manager (SRM) products are affected. The company is working on releasing patches.
Security firm Sophos pointed out that most wireless routers and small footprint devices (i.e. IoT devices) are impacted by the flaws due to the fact that Dnsmasq is a default component in OpenWRT, a popular open source distribution for embedded devices.
Sophos’ own RED devices and cloud-managed access points are vulnerable to attacks. Patches will be made available soon.