CVE-2017-14493
Published 2017-10-03
Priority P181 · critical · 9.8 · CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 83.64% (99.7th percentile)
Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DHCPv6 request.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | dnsmasq | < dnsmasq 2.78-1 (bookworm) | dnsmasq 2.78-1 (bookworm) |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
| thekelleys | dnsmasq | <= 2.77 | — |
| thekelleys | dnsmasq | >= 0 < 2.78-1 | 2.78-1 |
| thekelleys | dnsmasq | >= 0 < 2.78-1 | 2.78-1 |
| thekelleys | dnsmasq | >= 0 < 2.78-1 | 2.78-1 |
| thekelleys | dnsmasq | >= 0 < 2.78-1 | 2.78-1 |
| thekelleys | dnsmasq | >= 0 < 2.68-1ubuntu0.2 | 2.68-1ubuntu0.2 |
| thekelleys | dnsmasq | >= 0 < 2.75-1ubuntu0.16.04.3 | 2.75-1ubuntu0.16.04.3 |
Detection & IOCs
bytes
DHCP6RELAYFORW (type byte 0x0c) + transaction ID 0x031337 + 30 bytes padding + Option 79 (OPTION6_CLIENT_MAC) with 74-byte overflow payload + 0x1337DEADBEEF
- Monitor for DHCPv6 packets (UDP port 547) containing a RELAY-FORW message (type 12 / 0x0c) with Option 79 (OPTION6_CLIENT_MAC) whose declared length exceeds 16 bytes (DHCP_CHADDR_MAX), which triggers the stack buffer overflow in dhcp6_maybe_relay() at rfc3315.c:211.
- The overflow occurs in dhcp6_maybe_relay() via memcpy at rfc3315.c:211; a WRITE of size 30 into a 176-byte 'state' stack frame object is the crash signature. Look for dnsmasq segfaults or AddressSanitizer stack-buffer-overflow reports referencing this function.
- The vulnerability is reachable from the local network via a crafted DHCPv6 request; network-level detection should alert on anomalously large OPTION6_CLIENT_MAC (option 79) payloads in DHCPv6 RELAY-FORW messages arriving on UDP/547.
- Upstream fix is in commit 3d4ff1ba8419546490b464418223132529514033; verify dnsmasq binary version is >= 2.78 to confirm patched state.
- The vulnerability only affects dnsmasq builds that include DHCPv6 support. Red Hat Enterprise Linux 5 and 6 ship dnsmasq without the DHCPv6 code and are therefore not affected.
- Red Hat OpenStack Platform ships dnsmasq-utils, which does not contain the affected DHCPv6 code paths, but the underlying RHEL dnsmasq RPM must still be patched.
- The vulnerable code path is only exercised when dnsmasq is configured with a DHCPv6 range (--dhcp-range with IPv6 addresses); deployments without DHCPv6 enabled are not exposed.
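The network check described in the first and third notes above, as an added detection sketch that is not code from this page or from dnsmasq. It assumes the UDP/547 payload has already been extracted from a capture, uses the RFC 8415 relay header layout (34 bytes before the options), and also follows nested Relay Message options (option 9); the function names and sample messages are constructed for illustration.

```python
import struct

RELAY_FORW = 12        # DHCPv6 RELAY-FORW message type (0x0c)
OPT_RELAY_MSG = 9      # Relay Message option: carries the encapsulated message
OPT_CLIENT_MAC = 79    # OPTION6_CLIENT_MAC
DHCP_CHADDR_MAX = 16   # length threshold named in the detection note
RELAY_HDR_LEN = 34     # msg-type(1) + hop-count(1) + link-address(16) + peer-address(16)

def iter_options(buf):
    """Yield (code, declared_len, data); data is None when the option is truncated."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        data = buf[off + 4: off + 4 + length]
        if len(data) < length:
            yield code, length, None
            return
        yield code, length, data
        off += 4 + length

def inspect_relay(payload, depth=0, max_depth=32):
    """Return findings as (relay depth, option code, declared length, reason)."""
    findings = []
    if len(payload) < RELAY_HDR_LEN or payload[0] != RELAY_FORW or depth > max_depth:
        return findings
    for code, length, data in iter_options(payload[RELAY_HDR_LEN:]):
        if data is None:
            findings.append((depth, code, length, "truncated-option"))
        elif code == OPT_CLIENT_MAC and length > DHCP_CHADDR_MAX:
            findings.append((depth, code, length, "oversized-client-mac"))
        elif code == OPT_RELAY_MSG:
            findings.extend(inspect_relay(data, depth + 1, max_depth))
    return findings

def _opt(code, data):
    return struct.pack("!HH", code, len(data)) + data

def _relay(options):
    return bytes([RELAY_FORW, 0]) + bytes(32) + options

# Constructed sample messages (zero-filled, not captured traffic).
BENIGN = _relay(_opt(OPT_CLIENT_MAC, b"\x00\x01" + bytes(6)))   # Ethernet type + 6-byte MAC
OVERSIZED = _relay(_opt(OPT_CLIENT_MAC, bytes(20)))             # declared length 20 > 16
NESTED = _relay(_opt(OPT_RELAY_MSG, OVERSIZED))                 # same option one relay hop deeper
TRUNCATED = _relay(struct.pack("!HH", OPT_CLIENT_MAC, 100) + bytes(4))

if __name__ == "__main__":
    for name in ("BENIGN", "OVERSIZED", "NESTED", "TRUNCATED"):
        print(name, inspect_relay(globals()[name]))
```

Any non-empty result is worth an alert; a legitimate Ethernet client MAC option is 8 bytes long.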
CVSS provenance
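| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |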
GHSA
GHSA-7mpq-366q-m6vq: Stack-based buffer overflow in dnsmasq before 2
ghsa_unreviewed·2022-05-14
CVE-2017-14493 [CRITICAL] CWE-119 GHSA-7mpq-366q-m6vq: Stack-based buffer overflow in dnsmasq before 2
Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DHCPv6 request.
OSV
CVE-2017-14493: Stack-based buffer overflow in dnsmasq before 2
osv·2017-10-03·CVSS 9.8
CVE-2017-14493 [CRITICAL] CVE-2017-14493: Stack-based buffer overflow in dnsmasq before 2
Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DHCPv6 request.
OSV
dnsmasq vulnerabilities
osv·2017-10-02·CVSS 9.8
CVE-2017-14491 [CRITICAL] dnsmasq vulnerabilities
dnsmasq vulnerabilities
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker
could use this issue to cause Dnsmasq to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2017-14491)
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled IPv6 router advertisements. A
remote attacker could use this issue to cause Dnsmasq to crash, resulting
in a denial of service, or possibly execute arbitrary code.
(CVE-2017-14492)
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DHCPv6 requests. A remote
attacker could use this issue to cause Dnsmasq to crash, resulting
Ubuntu
Dnsmasq regression
vendor_ubuntu·2018-01-04·CVSS 9.8
[CRITICAL] Dnsmasq regression
Title: Dnsmasq regression
Summary: USN-3430-2 introduced regression in Dnsmasq.
USN-3430-2 fixed several vulnerabilities. The update introduced a new
regression that breaks DNS resolution. This update addresses the problem.
We apologize for the inconvenience.
Original advisory details:
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker
could use this issue to cause Dnsmasq to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2017-14491)
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled IPv6 router advertisements. A
remote attacker could use this issue to cause Dnsmasq to crash, resulting
in a denial of
Ubuntu
Dnsmasq vulnerabilities
vendor_ubuntu·2017-10-03·CVSS 9.8
CVE-2017-14491 [CRITICAL] Dnsmasq vulnerabilities
Title: Dnsmasq vulnerabilities
Summary: Several security issues were fixed in Dnsmasq.
USN-3430-1 fixed several vulnerabilities in Dnsmasq. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker
could use this issue to cause Dnsmasq to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2017-14491)
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled IPv6 router advertisements. A
remote attacker could use this issue to cause Dnsmasq to crash, resulting
in a denial of service, or possibly execute arbitrary code.
(CVE-20
Red Hat
dnsmasq: stack buffer overflow in the DHCPv6 code
vendor_redhat·2017-10-02·CVSS 9.8
CVE-2017-14493 [CRITICAL] CWE-121 dnsmasq: stack buffer overflow in the DHCPv6 code
dnsmasq: stack buffer overflow in the DHCPv6 code
Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DHCPv6 request.
A stack buffer overflow was found in dnsmasq in the DHCPv6 code. An attacker on the local network could send a crafted DHCPv6 request to dnsmasq which would cause it to crash or, potentially, execute arbitrary code.
Statement: Red Hat OpenStack Platform includes the dnsmasq-utils RPM which does not contain this flaw's affected code-paths; Red Hat OpenStack Platform is therefore listed as not affected.
However, because all versions of Red Hat OpenStack Platform are based on Red Hat Enterprise Linux, all Red Hat OpenStack Platform users should absolutely upgrade the dnsmas
Ubuntu
Dnsmasq vulnerabilities
vendor_ubuntu·2017-10-02·CVSS 9.8
CVE-2017-14491 [CRITICAL] Dnsmasq vulnerabilities
Title: Dnsmasq vulnerabilities
Summary: Several security issues were fixed in Dnsmasq.
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker
could use this issue to cause Dnsmasq to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2017-14491)
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled IPv6 router advertisements. A
remote attacker could use this issue to cause Dnsmasq to crash, resulting
in a denial of service, or possibly execute arbitrary code.
(CVE-2017-14492)
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DHCPv6 requests. A remote
at
Debian
CVE-2017-14493: dnsmasq - Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to ca...
vendor_debian·2017·CVSS 9.8
CVE-2017-14493 [CRITICAL] CVE-2017-14493: dnsmasq - Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to ca...
Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DHCPv6 request.
Scope: local
bookworm: resolved (fixed in 2.78-1)
bullseye: resolved (fixed in 2.78-1)
forky: resolved (fixed in 2.78-1)
sid: resolved (fixed in 2.78-1)
trixie: resolved (fixed in 2.78-1)
No detection rules found.
Bugzilla
CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494 CVE-2017-14495 CVE-2017-14496 dnsmasq: various flaws [fedora-all]
bugzilla·2017-10-02·CVSS 9.8
CVE-2017-14491 [CRITICAL] CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494 CVE-2017-14495 CVE-2017-14496 dnsmasq: various flaws [fedora-all]
CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494 CVE-2017-14495 CVE-2017-14496 dnsmasq: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE
Bugzilla
CVE-2017-14493 dnsmasq: stack buffer overflow in the DHCPv6 code
bugzilla·2017-09-26·CVSS 9.8
CVE-2017-14493 [CRITICAL] CVE-2017-14493 dnsmasq: stack buffer overflow in the DHCPv6 code
CVE-2017-14493 dnsmasq: stack buffer overflow in the DHCPv6 code
Red Hat Product Security has been made aware of a stack-based buffer overflow affecting the DHCP implementation of dnsmasq.
Discussion:
Acknowledgments:
Name: Felix Wilhelm (Google Security Team), Fermin J. Serna (Google Security Team), Gabriel Campana (Google Security Team), Kevin Hamacher (Google Security Team), Ron Bowes (Google Security Team)
---
Versions of dnsmasq shipped with Red Hat Enterprise Linux 6 and 5 do not include the DHCPv6 code which includes this flaw.
---
Further details from the 2.78 pre-release CHANGELOG:
Fix stack overflow in DHCPv6 code. An attacker who can send
a DHCPv6 request to dnsmasq can overflow the stack frame and
crash or control dnsmasq.
CVE-2017-14493 applies.
Credit to Felix Wilhel
Trendmicro
Dnsmasq: A Reality Check and Remediation Practices
blogs_trendmicro·2017-10-09
Dnsmasq: A Reality Check and Remediation Practices
IoT
# Dnsmasq: A Reality Check and Remediation Practices
Google Security researchers identified seven vulnerabilities that can allow a remote attacker to execute code on, leak information from, or crash a device running a Dnsmasq version earlier than 2.78, if configured with certain options.
By: Federico Maggi
2017/10/09
Updated on October 10, 2017, 7:30 PM PDT to add further Trend Micro solutions.
Dnsmasq is the de-facto tool for meeting the DNS/DHCP requirements of small servers and embedded devices. Recently, Google Security researchers identified seven vulnerabilities that can allow a remote attacker to execute code on, leak information from, or crash a device running a Dnsmasq version earlier than 2.78, if configured with certain options.
Base
- http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00006.html
- http://nvidia.custhelp.com/app/answers/detail/a_id/4561
- http://thekelleys.org.uk/dnsmasq/CHANGELOG
- http://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commit%3Bh=3d4ff1ba8419546490b464418223132529514033
- http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-005.txt
- http://www.debian.org/security/2017/dsa-3989
- http://www.securityfocus.com/bid/101085
- http://www.securitytracker.com/id/1039474
- http://www.ubuntu.com/usn/USN-3430-1
- http://www.ubuntu.com/usn/USN-3430-2
- https://access.redhat.com/errata/RHSA-2017:2836
- https://access.redhat.com/errata/RHSA-2017:2837
- https://access.redhat.com/security/vulnerabilities/3199382
- https://security.gentoo.org/glsa/201710-27
- https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
- https://www.exploit-db.com/exploits/42943/
- https://www.kb.cert.org/vuls/id/973527
- https://www.mail-archive.com/dnsmasq-discuss%40lists.thekelleys.org.uk/msg11664.html
- https://www.mail-archive.com/dnsmasq-discuss%40lists.thekelleys.org.uk/msg11665.html
- https://www.synology.com/support/security/Synology_SA_17_59_Dnsmasq
2017-10-03
Published