Seven flaws in what is known as Dnsmasq can be exploited by attackers who can use the bugs to carry out remote code execution, information exposure or a denial of service attacks against affected devices.
Google researchers identified the flaws in a research paper published Monday, the same day a patch for affected hardware arrived. Google also published proof-of-concept code to demonstrate the flaws and is urging hardware vendors to deploy patches as soon as possible.
Dnsmasq is open-source software that can be found in Android OS and Mac OS X. It’s also included in popular desktop Linux distributions including FreeBSD, OpenBSD and NetBSD, and in home routers, IoT devices and for tethering of smartphones and portable hotspots, said Google. “During our review, the team found three potential remote code executions, one information leak, and three denial of service vulnerabilities affecting the latest version at the project git server as of September 5th 2017,” wrote researchers behind the Google Security Blog.
The Dnsmasq software package acts as a local domain name system (DNS) helping devices identify other devices and route traffic within small networks. “(Dnsmasq) is designed to be lightweight and have a small footprint, suitable for resource constrained routers and firewalls,” the maintainer of Dnsmasq, Simon Kelley, said.
On Monday, Kelley announced a fix for the vulnerability that includes upgrading to Dnsmasq version 2.78. All versions of Dnsmasq 2.77 and prior contain the multiple vulnerabilities. “I’ve just released dnsmasq-2.78, which addresses a series of serious security vulnerabilities,” Kelley said. “Some of these, including the most serious, have been in Dnsmasq since prehistoric times, and have remained undetected through multiple previous security audits.”
According to Google, its Android partners have or will receive a patch as part of the October Android security update released Wednesday. Google said the Dnsmasq vulnerabilities can be triggered remotely via DNS and dynamic host configuration protocol (DHCP) that could lead to the remote code execution, information exposure and denial of service conditions.
DNS attacks can be problematic for companies ill equipped to mitigate against them, a survey of firms said last month. “Despite heightened DDoS attacks, many companies have inadequate defenses when it comes to DNS security,” the study, carried out by security firm Infoblox said.. The study found one-third of “professionals” surveyed doubt their company can defend against a DNS attack.
In the case of Dnsmasq, the three remote code execution vulnerabilities (CVE-2017-14491, CVE-2017-14492 and CVE-2017-14493) are tied to heap buffer overflow and stack buffer overflow errors through DHCP and DNS. Another three vulnerabilities (CVE-2017-14495, CVE-2017-14496 and CVE-2017-13704) are denial of service bugs caused by invalid boundary checks, bug collisions and memory leakage.
The bug for the information leak (CVE-2017-14494) can be exploited to bypass the address space layout randomization (ASLR) memory protection function and allows remote attackers to obtain sensitive memory information via vectors involving handling DHCPv6 forwarded requests, according to the Common Vulnerabilities and Exposures (CVE) description.