Netgate Discussion Forum

RCE Exploit in Dnsmasq

DHCP and DNS
  • A
    Ajedi32
    last edited by Oct 2, 2017, 7:35 PM

    Apparently some Google security researchers just discovered a few remote code execution vulnerabilities in Dnsmasq: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

    The vulnerabilities in question:

    • CVE-2017-14491

    • CVE-2017-14492

    • CVE-2017-14493

    • CVE-2017-14494

    • CVE-2017-14495

    • CVE-2017-14496

    • CVE-2017-13704

    According to the author of Dnsmasq (https://twitter.com/SimonRKelley/status/914920396943740929), CVE-2017-14491 could potentially be exploited by a CNAME answer to an A/AAAA query, meaning that a user merely accessing a site on the web with a malicious domain name could potentially allow an attacker to gain control of your box. (Though in Dnsmasq >=2.76 that's much more unlikely, as the buffer overflow is restricted to 2 bytes.)

    Is there any bug in the issue tracker or somewhere else I can subscribe to track the progress on this being fixed in pfSense? (pfSense just needs to upgrade to Dnsmasq v2.78.)

    • L
      luckman212 LAYER 8
      last edited by Oct 2, 2017, 11:41 PM

      Well the version with the fixes is 2.78 and that is already on FreshPorts so I expect it won't be too long…
      https://www.freshports.org/dns/dnsmasq/

      • F
        FranciscoFranco
        last edited by Oct 3, 2017, 4:59 PM

        I see one of the bugs is ASLR related that should be Linux only so I wonder how many of these affect dnsmasq on FreeBSD and pfSense.

        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Oct 3, 2017, 8:01 PM

          We're aware, it's why you don't have a 2.4.0-RELEASE right now. We had to stop the release process just before it was set to go live when that announcement happened.

          https://www.netgate.com/blog/no-plan-survives-contact-with-the-internet.html

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • L
            luckman212 LAYER 8
            last edited by Oct 3, 2017, 9:23 PM

            Thank you pfSense Team!  ;)

            # dnsmasq --version
            Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley
            Compile time options: IPv6 GNU-getopt no-DBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect no-inotify
            
            # uname -a
            FreeBSD r1.lan 11.1-RELEASE-p1 FreeBSD 11.1-RELEASE-p1 #64 r313908+5a6726eb541(RELENG_2_4): Tue Oct  3 06:27:08 CDT 2017     root@buildbot2.netgate.com:/xbuilder/crossbuild-master/pfSense/tmp/obj/xbuilder/crossbuild-master/pfSense/tmp/FreeBSD-src/sys/pfSense  amd64
            
            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Oct 4, 2017, 5:34 PM

              If you are on 2.3.4-p1 you can fetch an updated dnsmasq as well

              pkg upgrade -y dnsmasq

              That should find the update and install it; afterward you have to restart the dnsmasq service.

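Added example, not part of any post in this thread: a POSIX sh check that classifies a `dnsmasq --version` banner against the fixed release named above (2.78). The function names are hypothetical, the sample banners in the comments and tests are constructed, and the script assumes the banner format shown in the thread with the minor version compared as an integer.

```shell
#!/bin/sh
# Added example: compare a dnsmasq banner with the fixed release from the
# thread (2.78). Function names are hypothetical, not a pfSense tool.

FIXED_MAJOR=2
FIXED_MINOR=78

# Read banner text on stdin, print the version token (e.g. "2.78").
dnsmasq_version_token() {
    sed -n 's/^Dnsmasq version \([^ ]*\).*/\1/p' | head -n 1
}

# Print one of: patched, vulnerable, unknown.
# $1 is the full output of `dnsmasq --version`.
dnsmasq_status() {
    token=$(printf '%s\n' "$1" | dnsmasq_version_token)

    # Accept only "<digits>.<digits>". Pre-release or vendor-suffixed
    # builds (e.g. "2.78rc1") are reported as unknown, not guessed.
    case "$token" in
        ''|*[!0-9.]*|*.*.*|.*|*.) echo unknown; return 0 ;;
        *.*) ;;
        *) echo unknown; return 0 ;;
    esac

    major=${token%%.*}
    minor=${token#*.}

    # Assumption: the minor number is an integer, so 2.8 sorts before 2.78.
    if [ "$major" -gt "$FIXED_MAJOR" ] ||
       { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -ge "$FIXED_MINOR" ]; }; then
        echo patched
    else
        echo vulnerable
    fi
}

# Constructed sample banners:
#   dnsmasq_status 'Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley'
#   dnsmasq_status 'Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley'
# On a live system:
#   dnsmasq_status "$(dnsmasq --version)"
```

A result of `unknown` means the banner did not parse as a plain release number and the build should be checked by hand.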