CVE-2017-14492
Published 2017-10-03
Priority P1 · 82 · critical · 9.8 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 93.31% (99.8th percentile)
Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted IPv6 router advertisement request.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | dnsmasq | < dnsmasq 2.78-1 (bookworm) | dnsmasq 2.78-1 (bookworm) |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
| thekelleys | dnsmasq | <= 2.77 | — |
| thekelleys | dnsmasq | >= 0 < 2.78-1 | 2.78-1 |
| thekelleys | dnsmasq | >= 0 < 2.78-1 | 2.78-1 |
| thekelleys | dnsmasq | >= 0 < 2.78-1 | 2.78-1 |
| thekelleys | dnsmasq | >= 0 < 2.78-1 | 2.78-1 |
| thekelleys | dnsmasq | >= 0 < 2.68-1ubuntu0.2 | 2.68-1ubuntu0.2 |
| thekelleys | dnsmasq | >= 0 < 2.75-1ubuntu0.16.04.3 | 2.75-1ubuntu0.16.04.3 |
Detection & IOCs (extracted from sources)
url: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=24036ea507862c7b7898b68289c8130f85599c10
bytes: ICMPv6 type=133 (ND_ROUTER_SOLICIT), option type=1 (ICMP6_OPT_SOURCE_MAC), option length=255, payload=255*8 'A' bytes
- Trigger is an ICMPv6 Router Solicitation (type 133) packet sent to UDP port 547 containing a Source Link-Layer Address option (type 1) with an oversized length field (255), crafted to overflow the heap buffer in dnsmasq's RA handling code (radv.c:icmp6_packet).
- The overflow occurs in print_mac() called from icmp6_packet() in radv.c at line 201; monitor for dnsmasq crashes (SIGSEGV / heap-buffer-overflow) originating from this call path.
- Vulnerability is only exploitable when dnsmasq is started with one of the RA-enabling options: enable-ra, ra-only, slaac, ra-names, ra-advrouter, or ra-stateless. Audit running dnsmasq configurations for these flags.
- Attacker must be on the local network segment; monitor local IPv6 segments for anomalous ICMPv6 Router Solicitation packets with unusually large Source Link-Layer Address option lengths (e.g., length field = 255).
- Affected versions are dnsmasq before 2.78; detect vulnerable deployments by checking the dnsmasq version string in process listings or banners.
- The vulnerability is only present when dnsmasq is configured with IPv6 Router Advertisement support. Instances without any of the RA-enabling flags are not affected.
- Red Hat Enterprise Linux 5 and 6 ship dnsmasq versions that do not include the IPv6 Router Advertisement code and are therefore not affected.
- The dnsmasq-utils RPM included in Red Hat OpenStack Platform does not contain the affected code paths and is not vulnerable; however, the underlying dnsmasq RPM from RHEL should still be patched.
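As an added audit check (not code from this page or from the dnsmasq project), the following Python applies the two conditions listed above to a host: an upstream version before 2.78 and a configuration that turns on one of the six RA-enabling options. It assumes the options are given in dnsmasq.conf (enable-ra as a standalone line, the other five as mode tokens in dhcp-range= lines); the version banner and config file are constructed samples.

```python
import re

# Options named above that turn on dnsmasq's IPv6 router-advertisement code.
RA_OPTIONS = {"enable-ra", "ra-only", "slaac", "ra-names", "ra-advrouter", "ra-stateless"}
FIXED_VERSION = (2, 78)  # first upstream release carrying the fix

# Constructed sample inputs (not taken from any real host).
SAMPLE_BANNER = "Dnsmasq version 2.77  Copyright (c) 2000-2017 Simon Kelley"
SAMPLE_CONF = """\
# constructed dnsmasq.conf
interface=eth0
dhcp-range=192.168.1.50,192.168.1.150,12h
dhcp-range=::,constructor:eth0,ra-names,slaac   # IPv6 range with RA modes
enable-ra
"""

def parse_version(banner):
    """Extract (major, minor) from 'dnsmasq --version' output or a bare version string."""
    m = re.search(r"(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no dnsmasq version found in %r" % banner)
    return int(m.group(1)), int(m.group(2))

def ra_options_in_config(config_text):
    """Return the RA-enabling options present in dnsmasq.conf text, sorted.

    enable-ra is a standalone option; the other five are mode tokens that
    dnsmasq accepts inside dhcp-range= lines, so both forms are checked."""
    found = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in RA_OPTIONS:
            found.add(key)
        elif key == "dhcp-range":
            found |= {t.strip() for t in value.split(",")} & RA_OPTIONS
    return sorted(found)

def assess(banner, config_text):
    """Classify a deployment as 'vulnerable', 'patched' or 'not-exposed'."""
    ra = ra_options_in_config(config_text)
    if not ra:
        return "not-exposed", ra  # the RA code never runs without these options
    if parse_version(banner) >= FIXED_VERSION:
        return "patched", ra
    return "vulnerable", ra
```

Distribution backports such as the 2.75-1ubuntu0.16.04.3 package in the table above keep the upstream version number while carrying the fix, so treat a "vulnerable" verdict from the version test as a prompt to check the package changelog rather than as proof.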
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
GHSA
GHSA-6wc4-q6rh-cfvh: Heap-based buffer overflow in dnsmasq before 2.78
ghsa_unreviewed · 2022-05-14 · CVE-2017-14492 [CRITICAL] CWE-119
OSV
CVE-2017-14492: Heap-based buffer overflow in dnsmasq before 2.78
osv · 2017-10-03 · CVSS 9.8 · CVE-2017-14492 [CRITICAL]
OSV
dnsmasq vulnerabilities
osv · 2017-10-02 · CVSS 9.8 · CVE-2017-14491 [CRITICAL]
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker
could use this issue to cause Dnsmasq to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2017-14491)
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled IPv6 router advertisements. A
remote attacker could use this issue to cause Dnsmasq to crash, resulting
in a denial of service, or possibly execute arbitrary code.
(CVE-2017-14492)
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DHCPv6 requests. A remote
attacker could use this issue to cause Dnsmasq to crash, resulting
Ubuntu
Dnsmasq regression
vendor_ubuntu · 2018-01-04 · CVSS 9.8 · [CRITICAL]
Title: Dnsmasq regression
Summary: USN-3430-2 introduced regression in Dnsmasq.
USN-3430-2 fixed several vulnerabilities. The update introduced a new
regression that breaks DNS resolution. This update addresses the problem.
We apologize for the inconvenience.
Ubuntu
Dnsmasq vulnerabilities
vendor_ubuntu · 2017-10-03 · CVSS 9.8 · CVE-2017-14491 [CRITICAL]
Title: Dnsmasq vulnerabilities
Summary: Several security issues were fixed in Dnsmasq.
USN-3430-1 fixed several vulnerabilities in Dnsmasq. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Ubuntu
Dnsmasq vulnerabilities
vendor_ubuntu · 2017-10-02 · CVSS 9.8 · CVE-2017-14491 [CRITICAL]
Title: Dnsmasq vulnerabilities
Summary: Several security issues were fixed in Dnsmasq.
Red Hat
dnsmasq: heap overflow in the IPv6 router advertisement code
vendor_redhat · 2017-10-02 · CVSS 9.8 · CVE-2017-14492 [CRITICAL] CWE-122
A heap buffer overflow was discovered in dnsmasq in the IPv6 router advertisement (RA) handling code. An attacker on the local network segment could send crafted RAs to dnsmasq which would cause it to crash or, potentially, execute arbitrary code. This issue only affected configurations using one of these options: enable-ra, ra-only, slaac, ra-names, ra-advrouter, or ra-stateless.
Statement: Red Hat OpenStack Platform includes the dnsmasq-utils RPM which does not contain this flaw's affected code-paths; Red Hat OpenStack Platform is therefore l
Debian
CVE-2017-14492: dnsmasq - Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cau...
vendor_debian · 2017 · CVSS 9.8 · CVE-2017-14492 [CRITICAL]
Scope: local
bookworm: resolved (fixed in 2.78-1)
bullseye: resolved (fixed in 2.78-1)
forky: resolved (fixed in 2.78-1)
sid: resolved (fixed in 2.78-1)
trixie: resolved (fixed in 2.78-1)
No detection rules found.
Bugzilla
CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494 CVE-2017-14495 CVE-2017-14496 dnsmasq: various flaws [fedora-all]
bugzilla · 2017-10-02 · CVSS 9.8 · CVE-2017-14491 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Bugzilla
CVE-2017-14492 dnsmasq: heap overflow in the IPv6 router advertisement code
bugzilla · 2017-09-26 · CVSS 9.8 · CVE-2017-14492 [CRITICAL]
Red Hat Product Security has been made aware of a heap-based buffer overflow affecting the DHCP implementation of dnsmasq.
Discussion:
Acknowledgments:
Name: Felix Wilhelm (Google Security Team), Fermin J. Serna (Google Security Team), Gabriel Campana (Google Security Team), Kevin Hamacher (Google Security Team), Ron Bowes (Google Security Team)
---
Versions of dnsmasq shipped with Red Hat Enterprise Linux 6 and 5 do not include the IPv6 Router Advertisement code which includes this flaw.
---
Further details from the 2.78 pre-release CHANGELOG:
Fix heap overflow in IPv6 router advertisement code.
This is a potentially serious security hole, as a
crafted RA request can overflow a buffer and crash or
control
Trendmicro
Dnsmasq: A Reality Check and Remediation Practices
blogs_trendmicro · 2017-10-09 · By: Federico Maggi
Updated on October 10, 2017, 7:30 PM PDT to add further Trend Micro solutions.
Dnsmasq is the de-facto tool for meeting the DNS/DHCP requirements of small servers and embedded devices. Recently, Google Security researchers identified seven vulnerabilities that can allow a remote attacker to execute code on, leak information from, or crash a device running a Dnsmasq version earlier than 2.78, if configured with certain options.
Base
- http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00006.html
- http://nvidia.custhelp.com/app/answers/detail/a_id/4561
- http://thekelleys.org.uk/dnsmasq/CHANGELOG
- http://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commit%3Bh=24036ea507862c7b7898b68289c8130f85599c10
- http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-005.txt
- http://www.debian.org/security/2017/dsa-3989
- http://www.securityfocus.com/bid/101085
- http://www.securitytracker.com/id/1039474
- http://www.ubuntu.com/usn/USN-3430-1
- http://www.ubuntu.com/usn/USN-3430-2
- https://access.redhat.com/errata/RHSA-2017:2836
- https://access.redhat.com/errata/RHSA-2017:2837
- https://access.redhat.com/security/vulnerabilities/3199382
- https://security.gentoo.org/glsa/201710-27
- https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
- https://www.exploit-db.com/exploits/42942/
- https://www.kb.cert.org/vuls/id/973527
- https://www.mail-archive.com/dnsmasq-discuss%40lists.thekelleys.org.uk/msg11664.html
- https://www.mail-archive.com/dnsmasq-discuss%40lists.thekelleys.org.uk/msg11665.html
- https://www.synology.com/support/security/Synology_SA_17_59_Dnsmasq