RCE Exploit in Dnsmasq
-
Apparently some Google security researchers just discovered a few remote code execution vulnerabilities in Dnsmasq: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
The vulnerabilities in question:
- CVE-2017-14491
- CVE-2017-14492
- CVE-2017-14493
- CVE-2017-14494
- CVE-2017-14495
- CVE-2017-14496
- CVE-2017-13704
According to the author of Dnsmasq (https://twitter.com/SimonRKelley/status/914920396943740929), CVE-2017-14491 could potentially be exploited by a CNAME answer to an A/AAAA query, meaning that a user merely accessing a site on the web with a malicious domain name could potentially allow an attacker to gain control of your box. (Though in Dnsmasq >=2.76 that's much more unlikely, as the buffer overflow is restricted to 2 bytes.)
Is there any bug in the issue tracker or somewhere else I can subscribe to track the progress on this being fixed in pfSense? (pfSense just needs to upgrade to Dnsmasq v2.78.)
-
Well the version with the fixes is 2.78 and that is already on FreshPorts so I expect it won't be too long…
https://www.freshports.org/dns/dnsmasq/
-
I see one of the bugs is ASLR-related, which should be Linux-only, so I wonder how many of these affect dnsmasq on FreeBSD and pfSense.
-
We're aware, it's why you don't have a 2.4.0-RELEASE right now. We had to stop the release process just before it was set to go live when that announcement happened.
https://www.netgate.com/blog/no-plan-survives-contact-with-the-internet.html
-
Thank you pfSense Team! ;)
# dnsmasq --version
Dnsmasq version 2.78 Copyright (c) 2000-2017 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect no-inotify
# uname -a
FreeBSD r1.lan 11.1-RELEASE-p1 FreeBSD 11.1-RELEASE-p1 #64 r313908+5a6726eb541(RELENG_2_4): Tue Oct 3 06:27:08 CDT 2017 root@buildbot2.netgate.com:/xbuilder/crossbuild-master/pfSense/tmp/obj/xbuilder/crossbuild-master/pfSense/tmp/FreeBSD-src/sys/pfSense amd64
-
If you are on 2.3.4-p1 you can fetch an updated dnsmasq as well
pkg upgrade -y dnsmasq
That should find the update and install it, afterward you have to restart the dnsmasq service
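As an added example (not part of this thread, and not pfSense or Dnsmasq code), here is a small Python check that parses the output of `dnsmasq --version`, like the banner posted above, and reports whether the build is at or past 2.78, the release the thread identifies as carrying the fixes. Builds from 2.76 up to 2.78, where the thread says the CVE-2017-14491 overflow is limited to 2 bytes, are flagged separately as still affected. The sample banner embedded in the script is the one posted above; the version thresholds come from the thread. Treating a pre-release "2.78test" build as fixed is an assumption the script points out in a comment, since such a build could predate the fix commits.

```python
"""Report whether a dnsmasq build is at or past the 2.78 release that fixes
CVE-2017-14491..14496 and CVE-2017-13704 (thresholds taken from the thread above)."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int]

FIXED_VERSION: Version = (2, 78)             # first release carrying the fixes
LIMITED_OVERFLOW_VERSION: Version = (2, 76)  # from here the 14491 overflow is capped at 2 bytes

# Banner as posted in the thread, embedded so the script runs without dnsmasq installed.
SAMPLE_BANNER = (
    "Dnsmasq version 2.78 Copyright (c) 2000-2017 Simon Kelley\n"
    "Compile time options: IPv6 GNU-getopt no-DBus i18n IDN2 DHCP DHCPv6 "
    "no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect no-inotify\n"
)

# Only major.minor is compared. Assumption: a suffix such as "test1" is ignored,
# so a pre-release "2.78test1" would be reported as fixed even though it may predate
# the fix commits; inspect such builds by hand.
_VERSION_RE = re.compile(r"Dnsmasq version (\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Version]:
    """Extract (major, minor) from a `dnsmasq --version` banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)))


def classify(version: Version) -> str:
    """Map a version to one of: fixed, vulnerable-limited, vulnerable."""
    if version >= FIXED_VERSION:
        return "fixed"
    if version >= LIMITED_OVERFLOW_VERSION:
        # Still affected by the CVEs, but the CVE-2017-14491 overflow is limited to 2 bytes.
        return "vulnerable-limited"
    return "vulnerable"


def check(banner: str) -> Tuple[Optional[Version], str]:
    """Parse and classify a banner; unparseable input yields (None, "unknown")."""
    version = parse_version(banner)
    if version is None:
        return None, "unknown"
    return version, classify(version)


def running_banner() -> Optional[str]:
    """Run the installed dnsmasq binary with --version, if one is on PATH."""
    path = shutil.which("dnsmasq")
    if path is None:
        return None
    proc = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    return proc.stdout or proc.stderr


if __name__ == "__main__":
    banner = running_banner()
    source = "installed dnsmasq"
    if banner is None:
        banner, source = SAMPLE_BANNER, "sample banner from the thread"
    version, status = check(banner)
    shown = "unknown" if version is None else "%d.%d" % version
    print("%s: dnsmasq %s -> %s (fixed in %d.%d)" % (source, shown, status, *FIXED_VERSION))
```

Run it on the pfSense box itself (or paste a banner into `check`) after `pkg upgrade` and the service restart; a "vulnerable-limited" result means the box is on 2.76 or 2.77 and still needs the 2.78 package.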