Netgate Discussion Forum

    RCE Exploit in Dnsmasq

    DHCP and DNS
    6 Posts 4 Posters 3.9k Views
    • Ajedi32

      Apparently some Google security researchers just discovered a few remote code execution vulnerabilities in Dnsmasq: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

      The vulnerabilities in question:

      • CVE-2017-14491
      • CVE-2017-14492
      • CVE-2017-14493
      • CVE-2017-14494
      • CVE-2017-14495
      • CVE-2017-14496
      • CVE-2017-13704

      According to the author of Dnsmasq (https://twitter.com/SimonRKelley/status/914920396943740929), CVE-2017-14491 could potentially be exploited by a CNAME answer to an A/AAAA query, meaning that a user merely accessing a site on the web with a malicious domain name could potentially allow an attacker to gain control of your box. (Though in Dnsmasq >=2.76 that's much more unlikely, as the buffer overflow is restricted to 2 bytes.)

      Is there any bug in the issue tracker or somewhere else I can subscribe to track the progress on this being fixed in pfSense? (pfSense just needs to upgrade to Dnsmasq v2.78.)

      • luckman212 (LAYER 8)

        Well the version with the fixes is 2.78 and that is already on FreshPorts so I expect it won't be too long…
        https://www.freshports.org/dns/dnsmasq/

        • FranciscoFranco

          I see one of the bugs is ASLR-related, which should be Linux-only, so I wonder how many of these affect dnsmasq on FreeBSD and pfSense.

          • jimp (Rebel Alliance Developer, Netgate)

            We're aware; it's why you don't have a 2.4.0-RELEASE right now. We had to stop the release process just before it was set to go live when that announcement happened.

            https://www.netgate.com/blog/no-plan-survives-contact-with-the-internet.html

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            • luckman212 (LAYER 8)

              Thank you pfSense Team!  ;)

              # dnsmasq --version
              Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley
              Compile time options: IPv6 GNU-getopt no-DBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect no-inotify
              
              # uname -a
              FreeBSD r1.lan 11.1-RELEASE-p1 FreeBSD 11.1-RELEASE-p1 #64 r313908+5a6726eb541(RELENG_2_4): Tue Oct  3 06:27:08 CDT 2017     root@buildbot2.netgate.com:/xbuilder/crossbuild-master/pfSense/tmp/obj/xbuilder/crossbuild-master/pfSense/tmp/FreeBSD-src/sys/pfSense  amd64
              
              • jimp (Rebel Alliance Developer, Netgate)
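As an added example, not written by any poster in this thread: a POSIX shell check that parses a "dnsmasq --version" banner in the format shown above and reports whether the build predates 2.78, the release that carries the fixes for the CVEs listed in the first post. It assumes the banner's first line starts with "Dnsmasq version"; the sample banners exercised are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): decide from the "dnsmasq --version"
# banner whether the installed build is older than 2.78, the first release
# with the fixes for the CVEs discussed above.

FIXED_VERSION="2.78"

# Extract the dotted version from a banner such as
# "Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley".
dnsmasq_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Dnsmasq version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when $1 >= $2, comparing dotted versions field by field as
# integers (so 2.78 > 2.9 and 2.78.1 >= 2.78); missing fields count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Print a verdict for one banner line.
# Exit status: 0 = fixed release or newer, 1 = predates the fix, 2 = unparsable.
dnsmasq_status() {
    ver=$(dnsmasq_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "unrecognized banner: $1" >&2
        return 2
    fi
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "dnsmasq $ver: includes the $FIXED_VERSION fixes"
        return 0
    fi
    echo "dnsmasq $ver: predates $FIXED_VERSION, upgrade needed"
    return 1
}

# Check the local install when dnsmasq is present; skip silently otherwise.
if command -v dnsmasq >/dev/null 2>&1; then
    dnsmasq_status "$(dnsmasq --version 2>/dev/null | head -n 1)" || true
fi
```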

                If you are on 2.3.4-p1, you can fetch an updated dnsmasq as well:

                pkg upgrade -y dnsmasq

                That should find the update and install it; afterward you have to restart the dnsmasq service.
