CVE-2017-15107
published 2018-01-23CVE-2017-15107: A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2.78. Wildcard synthesized NSEC records could be improperly…
PriorityP336high7.5CVSS 3.0
AVNACLPRNUINSUCNIHAN
EPSS
2.70%
84.0th percentile
A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2.78. Wildcard synthesized NSEC records could be improperly interpreted to prove the non-existence of hostnames that actually exist.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dnsmasq | < dnsmasq 2.79-1 (bookworm) | dnsmasq 2.79-1 (bookworm) |
| simon_kelley | dnsmasq | — | — |
| thekelleys | dnsmasq | <= 2.78 | — |
| thekelleys | dnsmasq | >= 0 < 2.79-1 | 2.79-1 |
| thekelleys | dnsmasq | >= 0 < 2.79-1 | 2.79-1 |
| thekelleys | dnsmasq | >= 0 < 2.79-1 | 2.79-1 |
| thekelleys | dnsmasq | >= 0 < 2.79-1 | 2.79-1 |
| thekelleys | dnsmasq | >= 0 < 2.75-1ubuntu0.16.04.10 | 2.75-1ubuntu0.16.04.10 |
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
osv7.5HIGH
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
vendor_ubuntu7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Dnsmasq vulnerabilities
vendor_ubuntu·2021-04-22·CVSS 7.5
CVE-2019-14513 [HIGH] Dnsmasq vulnerabilities
Title: Dnsmasq vulnerabilities
Summary: Several security issues were fixed in Dnsmasq.
It was discovered that Dnsmasq incorrectly handled certain wildcard
synthesized NSEC records. A remote attacker could possibly use this issue
to prove the non-existence of hostnames that actually exist.
(CVE-2017-15107)
It was discovered that Dnsmasq incorrectly handled certain large DNS
packets. A remote attacker could possibly use this issue to cause Dnsmasq
to crash, resulting in a denial of service. (CVE-2019-14513)
Instructions: After a standard system update you need to reboot your computer to make all
the necessary changes.
Red Hat
dnsmasq: Improper validation of wildcard synthesized NSEC records
vendor_redhat·2018-01-19·CVSS 7.5
CVE-2017-15107 [HIGH] CWE-358 dnsmasq: Improper validation of wildcard synthesized NSEC records
dnsmasq: Improper validation of wildcard synthesized NSEC records
A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2.78. Wildcard synthesized NSEC records could be improperly interpreted to prove the non-existence of hostnames that actually exist.
A vulnerability was found in Dnsmasq's implementation of DNSSEC. Wildcard synthesized NSEC records could be improperly interpreted to prove the non-existence of hostnames that actually exist.
Statement: Versions of Dnsmasq shipped with Red Hat Enterprise Linux are built without DNSSEC support, so they are not affected by this issue.
Package: dnsmasq (Red Hat Enterprise Linux 5) - Not affected
Package: dnsmasq (Red Hat Enterprise Linux 6) - Not affected
Package: dnsmasq (Red Hat Enterprise Linux 7) - N
Debian
CVE-2017-15107: dnsmasq - A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and i...
vendor_debian·2017·CVSS 7.5
CVE-2017-15107 [HIGH] CVE-2017-15107: dnsmasq - A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and i...
A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2.78. Wildcard synthesized NSEC records could be improperly interpreted to prove the non-existence of hostnames that actually exist.
Scope: local
bookworm: resolved (fixed in 2.79-1)
bullseye: resolved (fixed in 2.79-1)
forky: resolved (fixed in 2.79-1)
sid: resolved (fixed in 2.79-1)
trixie: resolved (fixed in 2.79-1)
GHSA
GHSA-f999-2m22-345j: A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2
ghsa_unreviewed·2022-05-13
CVE-2017-15107 [HIGH] GHSA-f999-2m22-345j: A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2
A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2.78. Wildcard synthesized NSEC records could be improperly interpreted to prove the non-existence of hostnames that actually exist.
OSV
dnsmasq vulnerabilities
osv·2021-04-22·CVSS 7.5
CVE-2017-15107 [HIGH] dnsmasq vulnerabilities
dnsmasq vulnerabilities
It was discovered that Dnsmasq incorrectly handled certain wildcard
synthesized NSEC records. A remote attacker could possibly use this issue
to prove the non-existence of hostnames that actually exist.
(CVE-2017-15107)
It was discovered that Dnsmasq incorrectly handled certain large DNS
packets. A remote attacker could possibly use this issue to cause Dnsmasq
to crash, resulting in a denial of service. (CVE-2019-14513)
OSV
CVE-2017-15107: A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2
osv·2018-01-23·CVSS 7.5
CVE-2017-15107 [HIGH] CVE-2017-15107: A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2
A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2.78. Wildcard synthesized NSEC records could be improperly interpreted to prove the non-existence of hostnames that actually exist.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-15107 dnsmasq: Improper validation of wildcard synthesized NSEC records [fedora-all]
bugzilla·2018-01-22·CVSS 7.5
CVE-2017-15107 [HIGH] CVE-2017-15107 dnsmasq: Improper validation of wildcard synthesized NSEC records [fedora-all]
CVE-2017-15107 dnsmasq: Improper validation of wildcard synthesized NSEC records [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple su
Bugzilla
CVE-2017-15107 dnsmasq: Improper validation of wildcard synthesized NSEC records
bugzilla·2017-11-07·CVSS 7.5
CVE-2017-15107 [HIGH] CVE-2017-15107 dnsmasq: Improper validation of wildcard synthesized NSEC records
CVE-2017-15107 dnsmasq: Improper validation of wildcard synthesized NSEC records
A vulnerability in DNSSEC implementation of Dnsmasq was found. Processing of wildcard synthesized NSEC records may result in improper validation for non-existance in some implementations of DNSSEC. While synthesis of NSEC records is allowed by RFC4592, the synthesized owner names should not be used in the NSEC processing.
Discussion:
Acknowledgments:
Name: Ralph Dolmans (NLnet Labs), Karst Koymans (University of Amsterdam)
---
External References:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011896.html
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=4fe6744a220eddd3f1749b40cac3dfc510787de6
---
Statement:
Versions of Dnsmasq shipped with Red Hat Enterprise Linux are b
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00027.htmlhttp://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011896.htmlhttp://www.securityfocus.com/bid/102812http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00027.htmlhttp://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011896.htmlhttp://www.securityfocus.com/bid/102812
2018-01-23
Published