CVE-2017-14495
Published 2017-10-03
CVE-2017-14495: Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service…
Priority: P263 · Severity: high · CVSS 3.0: 7.5
EXPLOIT
EPSS: 84.32% (99.7th percentile)
Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service (memory consumption) via vectors involving DNS response creation.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | dnsmasq | < dnsmasq 2.78-1 (bookworm) | dnsmasq 2.78-1 (bookworm) |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
| thekelleys | dnsmasq | <= 2.77 | — |
| thekelleys | dnsmasq | >= 0 < 2.78-1 | 2.78-1 |
| thekelleys | dnsmasq | >= 0 < 2.78-1 | 2.78-1 |
| thekelleys | dnsmasq | >= 0 < 2.78-1 | 2.78-1 |
| thekelleys | dnsmasq | >= 0 < 2.78-1 | 2.78-1 |
| thekelleys | dnsmasq | >= 0 < 2.68-1ubuntu0.2 | 2.68-1ubuntu0.2 |
| thekelleys | dnsmasq | >= 0 < 2.75-1ubuntu0.16.04.3 | 2.75-1ubuntu0.16.04.3 |
Detection & IOCs (extracted from sources)
- url: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=51eadb692a5123b9838e5a68ecace3ac579a3a45
- bytes: 01 0d 08 1b 00 01 00 00 00 00 00 02 00 00 29 04 00 00 29 00 00 00 03 00 00 01 13 00 08 01 13 79 00 00 00 00 00
- The vulnerability is only triggerable when dnsmasq is configured with one of the options: --add-mac, --add-cpe-id, or --add-subnet. Detection/triage should confirm these options are active before treating the service as exposed.
- The exploit sends a crafted DNS packet in a tight loop over UDP to the target. Monitor for high-rate UDP DNS traffic to port 53 from a single source combined with rapid memory growth in the dnsmasq process.
- The exploit payload replaces the byte sequence \x00\x01\x13\x00 with \x7f\x00\x00\x01 (127.0.0.1) in the crafted DNS packet. This specific byte pattern substitution can be used as a network signature anchor.
- The vulnerability only affects dnsmasq versions 2.76 and 2.77 (introduced in 2.76, fixed in 2.78). Versions shipped with RHEL 5 and 6 do not include the vulnerable EDNS0 code and are not affected.
- The vulnerability is only exploitable when at least one of the following dnsmasq options is enabled: --add-mac, --add-cpe-id, or --add-subnet. Deployments without these options are not vulnerable.
- Red Hat OpenStack Platform ships dnsmasq-utils which does not contain the affected code paths and is not vulnerable, but the underlying RHEL dnsmasq package on the same host may still be affected.
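The triage guidance above (confirm the version and that one of the three options is actually active) as a small checker. This is an added example, not code from the page or from the dnsmasq project; it assumes the option spellings used in dnsmasq.conf (`add-mac`, `add-cpe-id=...`, `add-subnet=...`) and on the command line (`--add-mac`), and it does not detect distro backports, so a patched package that still reports 2.77 is flagged as exposed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Options that make CVE-2017-14495 reachable (from the advisory text above).
TRIGGER_OPTIONS = ("add-mac", "add-cpe-id", "add-subnet")
FIXED_VERSION = (2, 78)  # upstream fix: dnsmasq 2.78

# Matches "add-mac", "--add-mac", "add-subnet=24,96", "--add-cpe-id=foo".
_OPT_RE = re.compile(r"^(?:--)?(add-mac|add-cpe-id|add-subnet)(?:=|$)")


def parse_version(version: str):
    """Reduce '2.77', '2.78-1' or '2.75-1ubuntu0.16.04.3' to an upstream (major, minor) tuple.
    Assumption: the leading two numbers are the upstream release; backports are invisible here."""
    m = re.match(r"(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised dnsmasq version: {version!r}")
    return (int(m.group(1)), int(m.group(2)))


def enabled_trigger_options(argv: Iterable[str], config_lines: Iterable[str]) -> List[str]:
    """Return which trigger options are active, from argv and from dnsmasq.conf lines.
    Config comments ('#...') are stripped before matching, so '#add-mac' does not count."""
    found: List[str] = []
    tokens = list(argv) + [line.split("#", 1)[0].strip() for line in config_lines]
    for token in tokens:
        m = _OPT_RE.match(token.strip())
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


@dataclass
class Triage:
    version: str
    options: List[str]
    exposed: bool  # True only when version < 2.78 AND a trigger option is set


def triage(version: str, argv: Iterable[str], config_lines: Iterable[str]) -> Triage:
    opts = enabled_trigger_options(argv, config_lines)
    exposed = parse_version(version) < FIXED_VERSION and bool(opts)
    return Triage(version, opts, exposed)


# Constructed sample config: add-subnet is live, add-mac is commented out.
SAMPLE_CONF = """# dnsmasq.conf (constructed sample)
interface=eth0
add-subnet=24,96   # EDNS0 client subnet, one of the three trigger options
#add-mac
"""

if __name__ == "__main__":
    print(triage("2.77", ["dnsmasq", "-k"], SAMPLE_CONF.splitlines()))
```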
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-rcfc-xq5g-7phm: Memory leak in dnsmasq before 2
ghsa_unreviewed·2022-05-13
CVE-2017-14495 [HIGH] CWE-772 GHSA-rcfc-xq5g-7phm: Memory leak in dnsmasq before 2
Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service (memory consumption) via vectors involving DNS response creation.
OSV
CVE-2017-14495: Memory leak in dnsmasq before 2
osv·2017-10-03·CVSS 7.5
CVE-2017-14495 [HIGH] CVE-2017-14495: Memory leak in dnsmasq before 2
Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service (memory consumption) via vectors involving DNS response creation.
OSV
dnsmasq vulnerabilities
osv·2017-10-02·CVSS 9.8
CVE-2017-14491 [CRITICAL] dnsmasq vulnerabilities
dnsmasq vulnerabilities
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker
could use this issue to cause Dnsmasq to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2017-14491)
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled IPv6 router advertisements. A
remote attacker could use this issue to cause Dnsmasq to crash, resulting
in a denial of service, or possibly execute arbitrary code.
(CVE-2017-14492)
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DHCPv6 requests. A remote
attacker could use this issue to cause Dnsmasq to crash, resulting
CISA ICS
Siemens SCALANCE W1750D, M800, S615, and RUGGEDCOM RM1224 (Update C)
cisa_ics·2018-05-10·CVSS 7.5
[HIGH] Siemens SCALANCE W1750D, M800, S615, and RUGGEDCOM RM1224 (Update C)
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
Siemens SCALANCE W1750D, M800, S615, and RUGGEDCOM RM1224 (Update C)
Last Revised: October 13, 2020
Alert Code: ICSA-17-332-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.1
- ATTENTION: Exploitable remotely/low skill level to exploit.
- Vendor: Siemens
--------- Begin Update C Part 1 of 3 --------
- Equipment: SCALANCE W1750D, M800, S615, and RUGGEDCOM RM1224
--------- End Update C Part 1 of 3 --------
- Vulnerabilities: Resource Exhaustion, Improper Restriction of Operations within the Bounds of a Memory Buffer
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the up
Ubuntu
Dnsmasq regression
vendor_ubuntu·2018-01-04·CVSS 9.8
[CRITICAL] Dnsmasq regression
Title: Dnsmasq regression
Summary: USN-3430-2 introduced regression in Dnsmasq.
USN-3430-2 fixed several vulnerabilities. The update introduced a new
regression that breaks DNS resolution. This update addresses the problem.
We apologize for the inconvenience.
Original advisory details:
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker
could use this issue to cause Dnsmasq to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2017-14491)
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled IPv6 router advertisements. A
remote attacker could use this issue to cause Dnsmasq to crash, resulting
in a denial of
Ubuntu
Dnsmasq vulnerabilities
vendor_ubuntu·2017-10-03·CVSS 9.8
CVE-2017-14491 [CRITICAL] Dnsmasq vulnerabilities
Title: Dnsmasq vulnerabilities
Summary: Several security issues were fixed in Dnsmasq.
USN-3430-1 fixed several vulnerabilities in Dnsmasq. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker
could use this issue to cause Dnsmasq to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2017-14491)
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled IPv6 router advertisements. A
remote attacker could use this issue to cause Dnsmasq to crash, resulting
in a denial of service, or possibly execute arbitrary code.
(CVE-20
Red Hat
dnsmasq: memory exhaustion vulnerability in the EDNS0 code
vendor_redhat·2017-10-02·CVSS 7.5
CVE-2017-14495 [HIGH] CWE-400 dnsmasq: memory exhaustion vulnerability in the EDNS0 code
dnsmasq: memory exhaustion vulnerability in the EDNS0 code
Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service (memory consumption) via vectors involving DNS response creation.
A memory exhaustion flaw was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets which would trigger memory allocations which would never be freed, leading to unbounded memory consumption and eventually a crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet.
Statement: Red Hat OpenStack Platform includes the dnsmasq-utils RPM which does not contain this flaw's affected code-paths; Red Hat OpenStack Platform is therefore listed
Ubuntu
Dnsmasq vulnerabilities
vendor_ubuntu·2017-10-02·CVSS 9.8
CVE-2017-14491 [CRITICAL] Dnsmasq vulnerabilities
Title: Dnsmasq vulnerabilities
Summary: Several security issues were fixed in Dnsmasq.
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker
could use this issue to cause Dnsmasq to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2017-14491)
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled IPv6 router advertisements. A
remote attacker could use this issue to cause Dnsmasq to crash, resulting
in a denial of service, or possibly execute arbitrary code.
(CVE-2017-14492)
Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DHCPv6 requests. A remote
at
Debian
CVE-2017-14495: dnsmasq - Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-su...
vendor_debian·2017·CVSS 7.5
CVE-2017-14495 [HIGH] CVE-2017-14495: dnsmasq - Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-su...
Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service (memory consumption) via vectors involving DNS response creation.
Scope: local
bookworm: resolved (fixed in 2.78-1)
bullseye: resolved (fixed in 2.78-1)
forky: resolved (fixed in 2.78-1)
sid: resolved (fixed in 2.78-1)
trixie: resolved (fixed in 2.78-1)
No detection rules found.
Bugzilla
CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494 CVE-2017-14495 CVE-2017-14496 dnsmasq: various flaws [fedora-all]
bugzilla·2017-10-02·CVSS 9.8
CVE-2017-14491 [CRITICAL] CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494 CVE-2017-14495 CVE-2017-14496 dnsmasq: various flaws [fedora-all]
CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494 CVE-2017-14495 CVE-2017-14496 dnsmasq: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE
Bugzilla
CVE-2017-14495 dnsmasq: memory exhaustion vulnerability in the EDNS0 code
bugzilla·2017-09-26·CVSS 7.5
CVE-2017-14495 [HIGH] CVE-2017-14495 dnsmasq: memory exhaustion vulnerability in the EDNS0 code
CVE-2017-14495 dnsmasq: memory exhaustion vulnerability in the EDNS0 code
Red Hat Product Security has been made aware of a Denial of Service vulnerability affecting the DNS implementation of dnsmasq.
Discussion:
Acknowledgments:
Name: Felix Wilhelm (Google Security Team), Fermin J. Serna (Google Security Team), Gabriel Campana (Google Security Team), Kevin Hamacher (Google Security Team), Ron Bowes (Google Security Team)
---
Versions of dnsmasq shipped with Red Hat Enterprise Linux 6 and 5 do not include the EDNS0 code which includes this flaw.
---
Further details from the 2.78 pre-release CHANGELOG:
Fix out-of-memory DoS vulnerability. An attacker which can
send malicious DNS queries to dnsmasq can trigger memory
allocations in the add_pseudoheader function
The allocated memory
Trendmicro
Dnsmasq: A Reality Check and Remediation Practices
blogs_trendmicro·2017-10-09
Dnsmasq: A Reality Check and Remediation Practices
IoT
# Dnsmasq: A Reality Check and Remediation Practices
Google Security researchers identified seven vulnerabilities that can allow a remote attacker to execute code on, leak information from, or crash a device running a Dnsmasq version earlier than 2.78, if configured with certain options.
By: Federico Maggi
2017/10/09
Updated on October 10, 2017, 7:30 PM PDT to add further Trend Micro solutions.
Dnsmasq is the de-facto tool for meeting the DNS/DHCP requirements of small servers and embedded devices. Recently, Google Security researchers identified seven vulnerabilities that can allow a remote attacker to execute code on, leak information from, or crash a device running a Dnsmasq version earlier than 2.78, if configured with certain options.
Base references
- http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00006.html
- http://nvidia.custhelp.com/app/answers/detail/a_id/4561
- http://thekelleys.org.uk/dnsmasq/CHANGELOG
- http://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commit%3Bh=51eadb692a5123b9838e5a68ecace3ac579a3a45
- http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-005.txt
- http://www.debian.org/security/2017/dsa-3989
- http://www.securityfocus.com/bid/101085
- http://www.securityfocus.com/bid/101977
- http://www.securitytracker.com/id/1039474
- http://www.ubuntu.com/usn/USN-3430-1
- http://www.ubuntu.com/usn/USN-3430-2
- https://access.redhat.com/errata/RHSA-2017:2836
- https://access.redhat.com/security/vulnerabilities/3199382
- https://cert-portal.siemens.com/productcert/pdf/ssa-689071.pdf
- https://security.gentoo.org/glsa/201710-27
- https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
- https://www.exploit-db.com/exploits/42945/
- https://www.kb.cert.org/vuls/id/973527
- https://www.mail-archive.com/dnsmasq-discuss%40lists.thekelleys.org.uk/msg11664.html
- https://www.mail-archive.com/dnsmasq-discuss%40lists.thekelleys.org.uk/msg11665.html
- https://www.synology.com/support/security/Synology_SA_17_59_Dnsmasq
Published: 2017-10-03