CVE-2017-14492
published 2017-10-03


Priority: P182 critical
CVSS 3.0 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 93.31% (99.8th percentile)
Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted IPv6 router advertisement request.

Affected (17 ranges)

Vendor      Product                       Version range                    Fixed in
canonical   ubuntu_linux
canonical   ubuntu_linux
canonical   ubuntu_linux
debian      debian_linux
debian      debian_linux
debian      debian_linux
debian      dnsmasq                       < dnsmasq 2.78-1 (bookworm)      dnsmasq 2.78-1 (bookworm)
redhat      enterprise_linux_desktop
redhat      enterprise_linux_server
redhat      enterprise_linux_workstation
thekelleys  dnsmasq                       <= 2.77
thekelleys  dnsmasq                       >= 0, < 2.78-1                   2.78-1
thekelleys  dnsmasq                       >= 0, < 2.78-1                   2.78-1
thekelleys  dnsmasq                       >= 0, < 2.78-1                   2.78-1
thekelleys  dnsmasq                       >= 0, < 2.78-1                   2.78-1
thekelleys  dnsmasq                       >= 0, < 2.68-1ubuntu0.2          2.68-1ubuntu0.2
thekelleys  dnsmasq                       >= 0, < 2.75-1ubuntu0.16.04.3    2.75-1ubuntu0.16.04.3

Detection & IOCs (extracted from sources)

Port: 547
URL: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=24036ea507862c7b7898b68289c8130f85599c10
URL: https://github.com/google/security-research-pocs/tree/master/vulnerabilities/dnsmasq
Bytes: ICMPv6 type=133 (ND_ROUTER_SOLICIT), option type=1 (ICMP6_OPT_SOURCE_MAC), option length=255, payload=255*8 'A' bytes
  • Trigger is an ICMPv6 Router Solicitation (type 133) packet sent to UDP port 547 containing a Source Link-Layer Address option (type 1) with an oversized length field (255), crafted to overflow the heap buffer in dnsmasq's RA handling code (radv.c:icmp6_packet).
  • The overflow occurs in print_mac() called from icmp6_packet() in radv.c at line 201; monitor for dnsmasq crashes (SIGSEGV / heap-buffer-overflow) originating from this call path.
  • Vulnerability is only exploitable when dnsmasq is started with one of the RA-enabling options: enable-ra, ra-only, slaac, ra-names, ra-advrouter, or ra-stateless. Audit running dnsmasq configurations for these flags.
  • Attacker must be on the local network segment; monitor local IPv6 segments for anomalous ICMPv6 Router Solicitation packets with unusually large Source Link-Layer Address option lengths (e.g., length field = 255).
  • Affected versions are dnsmasq before 2.78; detect vulnerable deployments by checking the dnsmasq version string in process listings or banners.
  • The vulnerability is only present when dnsmasq is configured with IPv6 Router Advertisement support. Instances without any of the RA-enabling flags are not affected.
  • Red Hat Enterprise Linux 5 and 6 ship dnsmasq versions that do not include the IPv6 Router Advertisement code and are therefore not affected.
  • The dnsmasq-utils RPM included in Red Hat OpenStack Platform does not contain the affected code paths and is not vulnerable; however, the underlying dnsmasq RPM from RHEL should still be patched.
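As an added example (not from this record's sources and not dnsmasq code), a small Python checker that applies the detection heuristic above to a raw ICMPv6 Router Solicitation payload: it walks the ND options and flags a Source Link-Layer Address option whose length field is implausible for any link layer or larger than the bytes actually present. The MAX_SLLA_LEN threshold of 3 is an assumption (1 covers Ethernet MACs, 3 a 20-byte address) and the two sample packets are constructed.

```python
"""Flag ICMPv6 Router Solicitations with oversized Source Link-Layer Address
options (the packet shape described for CVE-2017-14492). Operates on the
ICMPv6 payload only, i.e. after the IPv6 header; checksums are not verified."""
import struct

ND_ROUTER_SOLICIT = 133       # ICMPv6 type: Router Solicitation
ICMP6_OPT_SOURCE_MAC = 1      # ND option type: Source Link-Layer Address
MAX_SLLA_LEN = 3              # assumption: max plausible length in 8-byte units


def check_router_solicit(pkt: bytes) -> list:
    """Return anomaly strings for an RS payload; empty list means well-formed."""
    findings = []
    if len(pkt) < 8:
        return ["truncated ICMPv6 header"]
    if pkt[0] != ND_ROUTER_SOLICIT:
        return []                      # not a Router Solicitation, nothing to check
    off = 8                            # type(1) code(1) checksum(2) reserved(4)
    while off < len(pkt):
        if len(pkt) - off < 2:
            findings.append(f"dangling option byte at offset {off}")
            break
        opt_type, opt_len = pkt[off], pkt[off + 1]
        if opt_len == 0:               # RFC 4861 forbids zero-length options
            findings.append(f"option type {opt_type} with zero length at offset {off}")
            break
        opt_bytes = opt_len * 8        # length field counts 8-byte units
        if off + opt_bytes > len(pkt):
            findings.append(f"option type {opt_type} declares {opt_bytes} bytes "
                            f"but only {len(pkt) - off} remain")
        if opt_type == ICMP6_OPT_SOURCE_MAC and opt_len > MAX_SLLA_LEN:
            findings.append(f"source link-layer option length {opt_len} "
                            f"exceeds {MAX_SLLA_LEN}")
        off += opt_bytes
    return findings


# Constructed samples: RS header with a zero checksum placeholder.
RS_HDR = struct.pack("!BBHI", ND_ROUTER_SOLICIT, 0, 0, 0)
# Normal RS: SLLA option, length 1, six-byte MAC.
BENIGN_RS = RS_HDR + bytes([ICMP6_OPT_SOURCE_MAC, 1]) + bytes.fromhex("001122334455")
# Suspect RS: length field 255 as in the CVE description, with only a short
# tail so the sample illustrates the parser rather than a full packet.
SUSPECT_RS = RS_HDR + bytes([ICMP6_OPT_SOURCE_MAC, 255]) + b"A" * 14

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_RS), ("suspect", SUSPECT_RS)):
        print(name, check_router_solicit(pkt) or "ok")
```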

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                     9.8    CRITICAL
vendor_debian           9.8    CRITICAL
vendor_redhat           9.8    CRITICAL
vendor_ubuntu           9.8    CRITICAL