CVE-2017-14493
published 2017-10-03

CVE-2017-14493: Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DHCPv6 request.

Priority: P1 (81) · Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 83.64% (99.7th percentile)
Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DHCPv6 request.

Affected (19 ranges)

Vendor      Product                       Version range                    Fixed in
canonical   ubuntu_linux                  -                                -
canonical   ubuntu_linux                  -                                -
canonical   ubuntu_linux                  -                                -
debian      debian_linux                  -                                -
debian      debian_linux                  -                                -
debian      debian_linux                  -                                -
debian      dnsmasq                       < dnsmasq 2.78-1 (bookworm)      dnsmasq 2.78-1 (bookworm)
opensuse    leap                          -                                -
opensuse    leap                          -                                -
redhat      enterprise_linux_desktop      -                                -
redhat      enterprise_linux_server       -                                -
redhat      enterprise_linux_workstation  -                                -
thekelleys  dnsmasq                       <= 2.77                          -
thekelleys  dnsmasq                       >= 0, < 2.78-1                   2.78-1
thekelleys  dnsmasq                       >= 0, < 2.78-1                   2.78-1
thekelleys  dnsmasq                       >= 0, < 2.78-1                   2.78-1
thekelleys  dnsmasq                       >= 0, < 2.78-1                   2.78-1
thekelleys  dnsmasq                       >= 0, < 2.68-1ubuntu0.2          2.68-1ubuntu0.2
thekelleys  dnsmasq                       >= 0, < 2.75-1ubuntu0.16.04.3    2.75-1ubuntu0.16.04.3

(Rows marked "-" are distribution entries for which the page lists no version range.)

Detection & IOCs (extracted from sources)

port: 547/udp (DHCPv6)
command: dnsmasq --no-daemon --dhcp-range=fd00::2,fd00::ff (runs a DHCPv6-enabled test instance in the foreground; an IPv6 dhcp-range is all that is needed to make the vulnerable code reachable)
bytes: DHCP6RELAYFORW (type byte 0x0c) + transaction ID 0x031337 + 30 bytes padding + Option 79 (OPTION6_CLIENT_MAC) with 74-byte overflow payload + 0x1337DEADBEEF
  • Monitor DHCPv6 traffic on UDP port 547 for RELAY-FORW messages (type 12 / 0x0c) carrying Option 79 (OPTION6_CLIENT_MAC) whose link-layer address length, i.e. the declared option length minus the 2-byte hardware-type field, exceeds DHCP_CHADDR_MAX (16 bytes). That is the length dnsmasq before 2.78 copied unchecked into the fixed-size mac buffer of its stack-allocated state in dhcp6_maybe_relay() at rfc3315.c:211.
  • The overflow is the memcpy in dhcp6_maybe_relay() at rfc3315.c:211; the crash signature reported by AddressSanitizer is a WRITE of size 30 into the 176-byte 'state' stack object. On production hosts look for dnsmasq segfaults; on instrumented test builds look for stack-buffer-overflow reports naming this function.
  • The vulnerability is reachable from the local network via a crafted DHCPv6 request, and from any host that can deliver a packet to the server's UDP/547 listener (hence the AV:N rating). Network-level detection should alert on anomalously large OPTION6_CLIENT_MAC (option 79) payloads in DHCPv6 RELAY-FORW messages arriving on UDP/547.
  • The upstream fix is commit 3d4ff1ba8419546490b464418223132529514033, first released in 2.78; upstream builds reporting 2.78 or later are patched. Distribution packages backport the fix without changing the upstream version string (the fixed Ubuntu packages in the table above are 2.68-1ubuntu0.2 and 2.75-1ubuntu0.16.04.3), so on packaged systems compare the package version with the distribution's fixed version rather than relying on dnsmasq --version reporting 2.78.
  • The vulnerability only affects dnsmasq builds that include DHCPv6 support. Red Hat Enterprise Linux 5 and 6 ship dnsmasq without the DHCPv6 code and are therefore not affected.
  • Red Hat OpenStack Platform ships dnsmasq-utils, which does not contain the affected DHCPv6 code paths, but the underlying RHEL dnsmasq RPM must still be patched.
  • The vulnerable code path is only exercised when dnsmasq is configured with a DHCPv6 range (--dhcp-range with IPv6 addresses); deployments without DHCPv6 enabled are not exposed.
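To make the packet layout and the length check above concrete, the following C program is an added example; it is not dnsmasq code and not the public PoC. It constructs a RELAY-FORW message in the shape described in the bytes line (type 0x0c, the 0x031337 bytes, padding to the 34-byte header, then option 79), walks the options the way a detector on UDP/547 would, and flags an OPTION6_CLIENT_MAC whose link-layer address length exceeds DHCP_CHADDR_MAX (16). copy_client_mac() shows the bounded copy that the fixed version performs instead of an unchecked memcpy. The function and enum names, and the constant RELAY_HDR_LEN, are this example's own; the sample packet is built inline and never sent.

```c
/* Added example: DHCPv6 RELAY-FORW option walker for the CVE-2017-14493
 * condition. Not dnsmasq code and not the public PoC; the packet below is
 * constructed for illustration and is never transmitted. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DHCP6RELAYFORW     12   /* message type 0x0c */
#define OPTION6_CLIENT_MAC 79   /* RFC 6939 client link-layer address option */
#define DHCP_CHADDR_MAX    16   /* size of the mac buffer in dnsmasq's state struct */
/* msg-type(1) + hop-count(1) + link-address(16) + peer-address(16), RFC 3315;
 * the PoC's "0x031337 + 30 bytes padding" fills the 33 bytes after the type. */
#define RELAY_HDR_LEN      34

enum verdict {
    V_NOT_RELAY_FORW,      /* some other DHCPv6 message type */
    V_MALFORMED,           /* truncated header or option */
    V_NO_CLIENT_MAC,       /* RELAY-FORW without option 79 */
    V_CLIENT_MAC_OK,       /* option 79 present, address fits in 16 bytes */
    V_CLIENT_MAC_OVERSIZED /* option 79 address > 16 bytes: the overflow trigger */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the top-level options of a RELAY-FORW message. On option 79,
 * *mac_len_out receives the link-layer address length, i.e. the option
 * length minus the 2-byte hardware-type field, which is the size dnsmasq
 * before 2.78 passed to memcpy without checking it. */
enum verdict check_relay_forw(const uint8_t *pkt, size_t len, unsigned *mac_len_out)
{
    if (len < 1 || pkt[0] != DHCP6RELAYFORW) return V_NOT_RELAY_FORW;
    if (len < RELAY_HDR_LEN) return V_MALFORMED;
    size_t off = RELAY_HDR_LEN;
    while (len - off >= 4) {
        uint16_t code = rd16(pkt + off), olen = rd16(pkt + off + 2);
        if (olen > len - off - 4) return V_MALFORMED;   /* option runs past the packet */
        if (code == OPTION6_CLIENT_MAC) {
            if (olen < 2) return V_MALFORMED;           /* no room for the hardware type */
            unsigned mac_len = olen - 2;
            if (mac_len_out) *mac_len_out = mac_len;
            return mac_len > DHCP_CHADDR_MAX ? V_CLIENT_MAC_OVERSIZED : V_CLIENT_MAC_OK;
        }
        off += 4 + olen;
    }
    return V_NO_CLIENT_MAC;
}

/* Bounded copy of the option 79 address into a DHCP_CHADDR_MAX-byte buffer:
 * the length check that is missing before 2.78. opt_data points at the
 * hardware-type field. Returns bytes copied, or 0 when the option is ignored. */
size_t copy_client_mac(const uint8_t *opt_data, unsigned olen, uint8_t mac[DHCP_CHADDR_MAX])
{
    if (olen < 2) return 0;
    unsigned mac_len = olen - 2;
    if (mac_len > DHCP_CHADDR_MAX) return 0;   /* an unchecked memcpy here is the bug */
    memcpy(mac, opt_data + 2, mac_len);
    return mac_len;
}

/* Construct a RELAY-FORW carrying one option 79 with mac_bytes address bytes.
 * Returns the packet length, or 0 if buf is too small. */
size_t build_relay_forw(uint8_t *buf, size_t cap, unsigned mac_bytes)
{
    size_t need = RELAY_HDR_LEN + 4 + 2 + mac_bytes;
    if (cap < need || mac_bytes + 2 > 0xffff) return 0;
    memset(buf, 0x41, RELAY_HDR_LEN);              /* padding bytes */
    buf[0] = DHCP6RELAYFORW;
    buf[1] = 0x03; buf[2] = 0x13; buf[3] = 0x37;   /* the 0x031337 bytes from the PoC */
    uint8_t *o = buf + RELAY_HDR_LEN;
    o[0] = 0; o[1] = OPTION6_CLIENT_MAC;           /* option code 79 */
    o[2] = (uint8_t)((2 + mac_bytes) >> 8);        /* option length = 2 + address length */
    o[3] = (uint8_t)(2 + mac_bytes);
    o[4] = 0; o[5] = 1;                            /* hardware type 1 = Ethernet */
    memset(o + 6, 0x42, mac_bytes);                /* the address bytes */
    return need;
}

int main(void)
{
    uint8_t pkt[256];
    unsigned mac_len = 0;
    size_t n = build_relay_forw(pkt, sizeof pkt, 6);     /* ordinary Ethernet MAC */
    enum verdict v = check_relay_forw(pkt, n, &mac_len);
    printf("6-byte address:  verdict %d, mac_len %u\n", v, mac_len);
    n = build_relay_forw(pkt, sizeof pkt, 80);           /* 74 + 6 bytes, as in the PoC */
    v = check_relay_forw(pkt, n, &mac_len);
    printf("80-byte address: verdict %d, mac_len %u\n", v, mac_len);
    return 0;
}
```

The walker only inspects the top-level options of the relay message; a real detector would also need to descend into OPTION_RELAY_MSG, but the oversized option 79 that triggers this bug sits at the top level of the RELAY-FORW, which is what dhcp6_maybe_relay() parses.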

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv            -        9.8    CRITICAL  -
vendor_debian  -        9.8    CRITICAL  -
vendor_redhat  -        9.8    CRITICAL  -
vendor_ubuntu  -        9.8    CRITICAL  -