Behind the Masq: Yet more DNS, and DHCP, vulnerabilities
By Google's Fermin J. Serna, Staff Software Engineer, Matt Linton, Senior Security Engineer and Kevin Stadmeyer, Technical
October 3, 2017
has previously posted about
DNS vulnerabilities and
Lately, we’ve been busy reviewing the security of another DNS
We are writing this to disclose the issues we found and to publicize
the patches in an effort to increase their uptake.
Dnsmasq provides functionality for serving DNS, DHCP, router
advertisements and network boot. This software is commonly installed
in systems as varied as desktop Linux distributions (like Ubuntu),
home routers, and IoT devices. Dnsmasq is widely used both on the
and internally in private networks.
We discovered seven distinct issues (listed below) over the course
of our regular internal security assessments. Once we determined the
severity of these issues, we worked to investigate their impact and
exploitability and then produced internal proofs of concept for each
of them. We also worked with the maintainer of Dnsmasq, Simon
Kelley, to produce appropriate patches and mitigate the issue.
These patches have been upstreamed and are now committed to the
project’s git repository.
In addition to these patches we have also submitted another patch
which will run Dnsmasq under
to allow for additional sandboxing. This patch has been submitted to
the DNSmasq project for review and we have also made it available
for those who wish to integrate it into an existing install (after
testing, of course!). We believe the adoption of this patch will
increase the security of DNSMasq installations.
We would like to thank Simon Kelley for his help in patching these
bugs in the core Dnsmasq codebase. Users who have deployed the
of Dnsmasq (2.78) will be protected from the attacks discovered
here. Android partners have received this patch as well and it will
be included in Android's monthly security update for October.
Kubernetes versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 have been
released with a patched DNS pod. Other affected Google services have
During our review, the team found three potential remote code
executions, one information leak, and three denial of service
vulnerabilities affecting the latest version at the project git
server as of September 5th 2017.
It is worth expanding on some of these:
is a DNS-based vulnerability that affects both directly exposed
and internal network setups. Although the latest git version
only allows a 2-byte overflow, this could be exploited based on
previous research. Before version 2.76 and this commit the
overflow is unrestricted.

AddressSanitizer: heap-buffer-overflow on address 0x62200001dd0b at pc 0x0000005105e7 bp 0x7fff6165b9b0 sp 0x7fff6165b9a8
WRITE of size 1 at 0x62200001dd0b thread T0
    #0 0x5105e6 in
    #1 0x5127c8 in
    #2 0x534578 in
    #3 0x548486 in
    #4 0x5448b6 in
    in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #6 0x41cbe9 in
CVE-2017-14493 is a trivial-to-exploit DHCP-based, stack-based
buffer overflow vulnerability. In combination with CVE-2017-14494
acting as an info leak, an attacker could bypass ASLR and gain
remote code

dnsmasq: segfault at 1337deadbeef ip 00001337deadbeef sp 00007fff1b66fd10 error 14 in
Android is affected by CVE-2017-14496 when the attacker is local
or tethered directly to the device—the service itself is
sandboxed so the risk is reduced. Android partners received
patches on 5 September 2017 and devices with a security patch
level or later address this issue.
concept are provided so you can check if you are affected by
these issues, and verify any mitigations you may deploy.
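A simple first check a defender can run before reaching for the proofs of concept is to confirm that the installed Dnsmasq reports the fixed release (2.78) or later. The script below is an added example, not code from the post or from the Dnsmasq project; it assumes that `dnsmasq --version` prints a first line of the form "Dnsmasq version X.Y ..." (the sample banners are constructed, not captured from a real host) and compares the MAJOR.MINOR part numerically, so that 2.80 is correctly treated as newer than 2.78.

```shell
#!/bin/sh
# Added example (not from the post): flag Dnsmasq installs that report a
# version older than the fixed release 2.78 named in the advisory above.

# Extract "MAJOR.MINOR" from a banner such as
# "Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley".
# Prints nothing when the line does not look like a Dnsmasq banner.
dnsmasq_version_from_banner() {
  printf '%s\n' "$1" |
    sed -n 's/^Dnsmasq version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 (true) when version $1 is older than version $2.
# Both arguments are "MAJOR.MINOR"; components are compared as integers,
# so "2.80" is newer than "2.78" even though it sorts earlier as a string.
version_older_than() {
  a_major=${1%%.*}; a_minor=${1#*.}
  b_major=${2%%.*}; b_minor=${2#*.}
  [ "$a_major" -lt "$b_major" ] && return 0
  [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ] && return 0
  return 1
}

# Return 0 when the banner indicates a release below 2.78 (unpatched),
# 1 when it is 2.78 or newer, and 2 when the banner cannot be parsed.
banner_indicates_unpatched() {
  v=$(dnsmasq_version_from_banner "$1")
  [ -n "$v" ] || return 2
  version_older_than "$v" 2.78
}

# Live check against the binary on PATH, if there is one.
check_installed_dnsmasq() {
  command -v dnsmasq >/dev/null 2>&1 || { echo "dnsmasq not installed"; return 0; }
  banner=$(dnsmasq --version 2>/dev/null | head -n 1)
  banner_indicates_unpatched "$banner"
  case $? in
    0) echo "WARNING: '$banner' is older than 2.78; apply the upstream patches" ;;
    1) echo "OK: '$banner'" ;;
    *) echo "UNKNOWN: could not parse '$banner'" ;;
  esac
}

# Constructed sample banners used to exercise the parser (not real output).
SAMPLE_OLD="Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley"
SAMPLE_NEW="Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley"

check_installed_dnsmasq
```

Note that a distribution may backport the fixes to an older version number, so a version below 2.78 means "verify with your vendor's advisory", not necessarily "vulnerable"; the version check is a quick triage step, and the proofs of concept remain the authoritative test.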
We would like to
thank the following people for discovering, investigating
impact/exploitability and developing PoCs: Felix Wilhelm, Fermin
J. Serna, Gabriel Campana, Kevin Hamacher, Ron Bowes and Gynvael
Coldwind of the Google Security Team.