The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Dnsmasq

vulnerability CVE-2017-15107

Dnsmasq: denial of service via NSEC

Synthesis of the vulnerability

An attacker can make Dnsmasq declare that a domain does not exist, because of an error in the signature check step, in order to trigger a denial of service.
Impacted products: Dnsmasq, Fedora.
Severity: 1/4.
Creation date: 22/01/2018.
Identifiers: CVE-2017-15107, FEDORA-2018-9780220f7d, FEDORA-2018-fbe4017846, VIGILANCE-VUL-25130.

Description of the vulnerability

An attacker can make Dnsmasq declare that a domain does not exist, because of an error in the signature check step, in order to trigger a denial of service.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability note CVE-2015-8899

Dnsmasq: denial of service via requests for type AAAA

Synthesis of the vulnerability

An attacker can send a request for an IPv6 address to Dnsmasq, in order to trigger a denial of service.
Impacted products: Dnsmasq, Fedora, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 06/06/2016.
Identifiers: CVE-2015-8899, FEDORA-2016-6db1c9eb69, FEDORA-2016-da2f9c22b4, openSUSE-SU-2017:0016-1, SUSE-SU-2016:3199-1, SUSE-SU-2016:3269-1, SUSE-SU-2017:2616-1, SUSE-SU-2017:2617-1, SUSE-SU-2017:2619-1, USN-3009-1, VIGILANCE-VUL-19799.

Description of the vulnerability

The Dnsmasq product includes a DNS cache server.

However, when the server receives a request for an IPv6 address while the /etc/hosts file contains an IPv6 address but no IPv4 address for that name, recording the external server's answer triggers a fatal error and the server crashes.

An attacker can therefore send a request for an IPv6 address to Dnsmasq, in order to trigger a denial of service.

computer vulnerability note CVE-2015-3294

Dnsmasq: information disclosure via tcp_request

Synthesis of the vulnerability

A local attacker can read a memory fragment of Dnsmasq, in order to obtain sensitive information, and possibly make the server halt.
Impacted products: Arkoon FAST360, Debian, Dnsmasq, openSUSE, Solaris, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 17/04/2015.
Identifiers: bulletinjul2015, CVE-2015-3294, DSA-3251-1, DSA-3251-2, openSUSE-SU-2015:0857-1, OSI-1502, STORM-2015-09-EN, STORM-2015-10-EN, STORM-2015-11-EN.2, STORM-2015-12-EN, SUSE-SU-2017:2616-1, SUSE-SU-2017:2617-1, SUSE-SU-2017:2619-1, USN-2593-1, VIGILANCE-VUL-16649.

Description of the vulnerability

Dnsmasq includes a DNS cache.

The routine tcp_request() builds the response packet. However, the function setup_reply() does not take into account some possible errors while evaluating the response size. Such an error makes the server return uninitialized data from the process heap and possibly dereference an invalid address, after which the server process is killed.

A local attacker can therefore read a memory fragment of Dnsmasq, in order to obtain sensitive information, and possibly make the server halt.

vulnerability CVE-2013-0198

Dnsmasq: listening on all interfaces via libvirt and TCP

Synthesis of the vulnerability

When Dnsmasq is installed on a server using libvirt, Dnsmasq accepts TCP queries coming from all interfaces, so an attacker can, for example, use it in a distributed denial of service.
Impacted products: Dnsmasq, Fedora, MBS.
Severity: 1/4.
Creation date: 18/01/2013.
Identifiers: 894486, BID-57458, CVE-2013-0198, FEDORA-2013-1320, FEDORA-2013-1357, MDVSA-2013:072, VIGILANCE-VUL-12340.

Description of the vulnerability

The VIGILANCE-VUL-11750 bulletin describes a vulnerability of Dnsmasq with libvirt, which accepts queries coming from all interfaces.

This vulnerability was corrected (VIGILANCE-SOL-26802) for DNS packets on UDP. However, an attacker can still use DNS packets on TCP.

When Dnsmasq is installed on a server using libvirt, Dnsmasq therefore accepts TCP queries coming from all interfaces, so an attacker can, for example, use it in a distributed denial of service.

vulnerability CVE-2012-3411

Dnsmasq: listening on all interfaces via libvirt

Synthesis of the vulnerability

When Dnsmasq is installed on a server using libvirt, Dnsmasq accepts queries coming from all interfaces, so an attacker can, for example, use it in a distributed denial of service.
Impacted products: Dnsmasq, Fedora, MBS, RHEL.
Severity: 1/4.
Creation date: 10/07/2012.
Identifiers: 833033, BID-54353, CVE-2012-3411, FEDORA-2012-12598, FEDORA-2012-20531, MDVSA-2013:072, RHSA-2013:0276-02, RHSA-2013:0277-02, RHSA-2013:0579-01, VIGILANCE-VUL-11750.

Description of the vulnerability

The Dnsmasq program replies to DNS and DHCP queries of clients.

A server can use libvirt to configure private network bridges. In this case, the server has a real network interface (eth0) and a virtual interface associated with virbr0 (with the IP address 1.2.3.4, for example).

The option "--bind-interfaces --interface=virbr0" of Dnsmasq indicates to only reply to queries sent to the interface virbr0.

The administrator can configure Dnsmasq with "--interface=virbr0", so that only clients located on the private network (virbr0) can query Dnsmasq. However, if the router connected to eth0 is configured to forward packets for 1.2.3.4 to the server, the server receives these packets. As they are destined to 1.2.3.4 (the IP address of virbr0), Dnsmasq then replies to these queries arriving on eth0.

When Dnsmasq is installed on a server using libvirt, Dnsmasq therefore accepts queries coming from all interfaces, so an attacker can, for example, use it in a distributed denial of service.

computer vulnerability CVE-2009-2957 CVE-2009-2958

Dnsmasq: vulnerabilities of TFTP

Synthesis of the vulnerability

An attacker can use two vulnerabilities of Dnsmasq, in order to generate a denial of service or to execute code.
Impacted products: Debian, Dnsmasq, Fedora, RHEL.
Severity: 2/4.
Creation date: 01/09/2009.
Identifiers: BID-36120, BID-36121, CERTA-2009-AVI-361, CORE-2009-0820, CVE-2009-2957, CVE-2009-2958, DSA-1876-1, FEDORA-2009-10252, FEDORA-2009-10285, RHSA-2009:1238-01, VIGILANCE-VUL-8985.

Description of the vulnerability

A TFTP service can be enabled in Dnsmasq, via the "enable-tftp" option. This service is impacted by two vulnerabilities.

The tftp_request() function concatenates the TFTP root directory (generally "/var/tftpd") and the path requested by the user. However, if the combined path is too long, an overflow occurs. By default, the "/var/tftpd" path is too short to trigger the overflow, but if the administrator chooses a longer name, an attacker can use this overflow to execute code. [severity:2/4; BID-36121, CERTA-2009-AVI-361, CVE-2009-2957]

An attacker can use TFTP options to force the service to dereference a NULL pointer, which stops it. [severity:1/4; BID-36120, CVE-2009-2958]

An attacker can therefore use two vulnerabilities of Dnsmasq, in order to generate a denial of service or to execute code.

computer vulnerability announce CVE-2008-1447

DNS: cache poisoning

Synthesis of the vulnerability

An attacker can predict DNS queries in order to poison the DNS client or cache (caching resolver).
Impacted products: ProxyRA, ProxySG by Blue Coat, IOS by Cisco, Cisco Router, Debian, Dnsmasq, BIG-IP Hardware, TMOS, Fedora, FreeBSD, MPE/iX, Tru64 UNIX, HP-UX, AIX, BIND, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, Mandriva Corporate, Mandriva Linux, Mandriva NF, Windows 2000, Windows 2003, Windows 2008 R0, Windows (platform) ~ not comprehensive, Windows XP, NetBSD, NetScreen Firewall, ScreenOS, NLD, Netware, OES, OpenBSD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, DNS protocol, RHEL, Slackware, SLES, TurboLinux, Unix (platform) ~ not comprehensive, ESX.
Severity: 3/4.
Creation date: 09/07/2008.
Revision dates: 22/07/2008, 24/07/2008, 25/07/2008.
Identifiers: 107064, 239392, 240048, 6702096, 7000912, 953230, BID-30131, c01506861, c01660723, CAU-EX-2008-0002, CAU-EX-2008-0003, CERTA-2002-AVI-189, CERTA-2002-AVI-200, cisco-sa-20080708-dns, CR102424, CR99135, CSCso81854, CVE-2008-1447, draft-ietf-dnsext-forgery-resilience-05, DSA-1544-2, DSA-1603-1, DSA-1604-1, DSA-1605-1, DSA-1617-1, DSA-1619-1, DSA-1619-2, DSA-1623-1, FEDORA-2008-6256, FEDORA-2008-6281, FEDORA-2009-1069, FreeBSD-SA-08:06.bind, HPSBMP02404, HPSBTU02358, HPSBUX02351, MDVSA-2008:139, MS08-037, NetBSD-SA2008-009, powerdns-advisory-2008-01, PSN-2008-06-040, RHSA-2008:0533-01, RHSA-2008:0789-01, SOL8938, SSA:2008-191-02, SSA:2008-205-01, SSRT080058, SSRT090014, SUSE-SA:2008:033, TA08-190B, TLSA-2008-26, VIGILANCE-VUL-7937, VMSA-2008-0014, VMSA-2008-0014.1, VMSA-2008-0014.2, VU#800113.

Description of the vulnerability

The DNS protocol defines a 16 bit identifier to associate an answer with its query. When an attacker predicts this identifier and the UDP port number, he can send fake answers and thus poison the DNS cache.

Most implementations use a fixed port number, which increases the probability of a successful poisoning. As there is only one chance of success during the TTL period, and as the poisoning does not work on every trial, this direct and old attack is not practical.

However, instead of poisoning the answer record, the attacker can poison additional records. Indeed, when the DNS client asks the address of www.example.com, the DNS server returns:
  www.example.com A 1.2.3.4 (answer)
  example.com NS dns.example.com (authoritative)
  dns.example.com A 1.2.3.5 (additional)

An attacker can therefore force the client to ask for the resolution of several names (via a web page containing images, for example): aaa.example.com, aab.example.com, ..., aaz.example.com. In his answers, the attacker always provides the same malicious additional record (www.example.com A 5.6.7.8). Even if, for example, only aab.example.com is poisoned, its additional record (www.example.com = 5.6.7.8) will be stored in the cache.

An attacker can therefore poison the DNS cache/client and redirect all users to a malicious site.

computer vulnerability announce CVE-2008-3214

Dnsmasq: denial of service of DHCP

Synthesis of the vulnerability

An attacker can send a malicious DHCP packet in order to stop Dnsmasq.
Impacted products: Dnsmasq.
Severity: 1/4.
Creation date: 15/07/2008.
Identifiers: CVE-2008-3214, VIGILANCE-VUL-7947.

Description of the vulnerability

The Dnsmasq program provides a DNS and DHCP server.

The DHCP protocol is used by a computer to obtain an IP address. The computer can indicate the IP address it would like, for example to keep the previously obtained value.

However, if the client requests an IP address located outside the handled zone, Dnsmasq stops.

A network attacker can therefore create a denial of service.

computer vulnerability alert CVE-2005-0876 CVE-2005-0877

Dnsmasq: overflow and cache corruption

Synthesis of the vulnerability

The Dnsmasq service contains a one-byte overflow in its DHCP part, and its DNS cache can be corrupted.
Impacted products: Dnsmasq, Slackware.
Severity: 1/4.
Creation date: 21/07/2005.
Identifiers: BID-12897, CVE-2005-0876, CVE-2005-0877, SSA:2005-201-01, V6-UNIXDNSMASQBOFPOIS, VIGILANCE-VUL-5086.

Description of the vulnerability

The Dnsmasq program implements a DNS relay and a DHCP server.

A rogue DHCP client can cause a single-byte overflow by using a long client-id or hostname. The Dnsmasq program can then no longer be started (CAN-2005-0876).

When a DNS answer is received, only the 16 bits of the query identifier are checked. An attacker can therefore poison the cache by sending numerous answers (CAN-2005-0877).

vulnerability bulletin 3603

Multiple vulnerabilities in Zope

Synthesis of the vulnerability

Using multiple vulnerabilities in Zope, a remote attacker can obtain information about the server configuration, or cause script code to be executed.
Impacted products: Dnsmasq, openSUSE, Unix (platform) ~ not comprehensive, Zope 2.
Severity: 2/4.
Creation date: 24/06/2003.
Revision date: 26/06/2003.
Identifiers: BID-7998, BID-7999, BID-8000, BID-8001, BID-8056, V6-UNIXZOPEMULVULN, VIGILANCE-VUL-3603.

Description of the vulnerability

Zope is a popular open-source application server. It is available on most versions of Unix/Linux.

Multiple vulnerabilities have been found in the implementation of Zope.

Information leaks:
- in a URL, when a user passes an overly large value to the "addItems" script, an error page is displayed. This page contains sensitive information that can be used to facilitate a later attack.
- when a user sends an invalid request to the e-commerce scripts provided as examples by Zope, an error page is displayed. This page contains the full installation path of the application.
- during an upload initiated by the user to the Zope server, if the file name passed as a parameter in the URL does not exist, an error page is displayed. This page contains sensitive information that can be used to facilitate a later attack.

Cross Site Scripting:
- Zope ships with an example script named ExampledbBrowseReport. Data passed by a user to this script is not checked correctly. A Cross Site Scripting attack is then possible.

A remote attacker can therefore exploit various vulnerabilities in order to obtain sensitive information or to execute scripts.