CVE-2017-14495
published 2017-10-03


Priority: P2 · 63 · high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Exploit: public PoC available
EPSS: 84.32% (99.7th percentile)
Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service (memory consumption) via vectors involving DNS response creation.

Affected

17 ranges
Vendor       Product                       Version range                   Fixed in
canonical    ubuntu_linux
canonical    ubuntu_linux
canonical    ubuntu_linux
debian       debian_linux
debian       debian_linux
debian       debian_linux
debian       dnsmasq                       < dnsmasq 2.78-1 (bookworm)     dnsmasq 2.78-1 (bookworm)
redhat       enterprise_linux_desktop
redhat       enterprise_linux_server
redhat       enterprise_linux_workstation
thekelleys   dnsmasq                       <= 2.77
thekelleys   dnsmasq                       >= 0 < 2.78-1                   2.78-1
thekelleys   dnsmasq                       >= 0 < 2.78-1                   2.78-1
thekelleys   dnsmasq                       >= 0 < 2.78-1                   2.78-1
thekelleys   dnsmasq                       >= 0 < 2.78-1                   2.78-1
thekelleys   dnsmasq                       >= 0 < 2.68-1ubuntu0.2          2.68-1ubuntu0.2
thekelleys   dnsmasq                       >= 0 < 2.75-1ubuntu0.16.04.3    2.75-1ubuntu0.16.04.3

Detection & IOCs (extracted from sources)

URL: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=51eadb692a5123b9838e5a68ecace3ac579a3a45
URL: https://github.com/google/security-research-pocs/tree/master/vulnerabilities/dnsmasq
Bytes: 01 0d 08 1b 00 01 00 00 00 00 00 02 00 00 29 04 00 00 29 00 00 00 03 00 00 01 13 00 08 01 13 79 00 00 00 00 00
  • The vulnerability is only triggerable when dnsmasq is configured with one of the options: --add-mac, --add-cpe-id, or --add-subnet. Detection/triage should confirm these options are active before treating the service as exposed.
  • The exploit sends a crafted DNS packet in a tight loop over UDP to the target. Monitor for high-rate UDP DNS traffic to port 53 from a single source combined with rapid memory growth in the dnsmasq process.
  • The exploit payload replaces the byte sequence \x00\x01\x13\x00 with \x7f\x00\x00\x01 (127.0.0.1) in the crafted DNS packet. This specific byte pattern substitution can be used as a network signature anchor.
  • The vulnerability only affects dnsmasq versions 2.76 and 2.77 (introduced in 2.76, fixed in 2.78). Versions shipped with RHEL 5 and 6 do not include the vulnerable EDNS0 code and are not affected.
  • The vulnerability is only exploitable when at least one of the following dnsmasq options is enabled: --add-mac, --add-cpe-id, or --add-subnet. Deployments without these options are not vulnerable.
  • Red Hat OpenStack Platform ships dnsmasq-utils, which does not contain the affected code paths and is not vulnerable, but the underlying RHEL dnsmasq package on the same host may still be affected.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:N/I:N/A:P
osv                       9.8     CRITICAL
vendor_ubuntu             9.8     CRITICAL
vendor_debian             7.5     HIGH
vendor_redhat             7.5     HIGH