The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Dnsmasq

threat announce CVE-2019-14513

Dnsmasq: out-of-bounds memory reading via do_doctor

Synthesis of the vulnerability

An attacker can force a read at an invalid address via do_doctor() of Dnsmasq, in order to trigger a denial of service, or to obtain sensitive information.
Severity: 2/4.
Creation date: 02/08/2019.
Identifiers: CVE-2019-14513, DLA-1921-1, VIGILANCE-VUL-29933.

computer weakness alert CVE-2017-15107

Dnsmasq: denial of service via NSEC

Synthesis of the vulnerability

An attacker can make Dnsmasq declare that a domain does not exist, because of an error in the signature check step, in order to trigger a denial of service.
Severity: 1/4.
Creation date: 22/01/2018.
Identifiers: bulletinjan2019, CVE-2017-15107, FEDORA-2018-9780220f7d, FEDORA-2018-fbe4017846, SUSE-SU-2019:14190-1, SUSE-SU-2019:1721-1, VIGILANCE-VUL-25130.

cybersecurity threat CVE-2017-13704 CVE-2017-14491 CVE-2017-14492

Dnsmasq: seven vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Dnsmasq.
Severity: 4/4.
Number of vulnerabilities in this bulletin: 7.
Creation date: 02/10/2017.
Identifiers: ARUBA-PSA-2017-005, CERTFR-2017-AVI-329, CVE-2017-13704, CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496, DLA-1124-1, DSA-3989-1, FEDORA-2017-24f067299e, FEDORA-2017-515264ae24, openSUSE-SU-2017:2633-1, OSSN/OSSN-0082, RHSA-2017:2836-01, RHSA-2017:2837-01, RHSA-2017:2838-01, RHSA-2017:2839-01, RHSA-2017:2840-01, RHSA-2017:2841-01, SSA:2017-275-01, SUSE-SU-2017:2616-1, SUSE-SU-2017:2617-1, SUSE-SU-2017:2619-1, Synology-SA-17:59, USN-3430-1, USN-3430-2, USN-3430-3, VIGILANCE-VUL-24005, VU#973527.

vulnerability bulletin 22887

Dnsmasq: information disclosure via TFTP

Synthesis of the vulnerability

A local attacker can read a memory fragment via a TFTP packet used by Dnsmasq, in order to obtain sensitive information.
Severity: 1/4.
Creation date: 02/06/2017.
Identifiers: VIGILANCE-VUL-22887.

cybersecurity weakness CVE-2015-8899

Dnsmasq: denial of service via requests for type AAAA

Synthesis of the vulnerability

An attacker can send a request for an IPv6 address to Dnsmasq, in order to trigger a denial of service.
Severity: 2/4.
Creation date: 06/06/2016.
Identifiers: CVE-2015-8899, FEDORA-2016-6db1c9eb69, FEDORA-2016-da2f9c22b4, openSUSE-SU-2017:0016-1, SUSE-SU-2016:3199-1, SUSE-SU-2016:3269-1, SUSE-SU-2017:2616-1, SUSE-SU-2017:2617-1, SUSE-SU-2017:2619-1, USN-3009-1, VIGILANCE-VUL-19799.

Description of the vulnerability

The Dnsmasq product includes a DNS cache server.

However, when the server receives a request for an IPv6 address and the /etc/hosts file includes an IPv6 address but not an IPv4 one, recording the external server's answer triggers a fatal error and then a server crash.

An attacker can therefore send a request for an IPv6 address to Dnsmasq, in order to trigger a denial of service.

computer weakness CVE-2015-3294

Dnsmasq: information disclosure via tcp_request

Synthesis of the vulnerability

A local attacker can read a memory fragment of Dnsmasq, in order to obtain sensitive information, and possibly make the server halt.
Severity: 2/4.
Creation date: 17/04/2015.
Identifiers: bulletinjul2015, CVE-2015-3294, DSA-3251-1, DSA-3251-2, openSUSE-SU-2015:0857-1, OSI-1502, STORM-2015-09-EN, STORM-2015-10-EN, STORM-2015-11-EN.2, STORM-2015-12-EN, SUSE-SU-2017:2616-1, SUSE-SU-2017:2617-1, SUSE-SU-2017:2619-1, USN-2593-1, VIGILANCE-VUL-16649.

Description of the vulnerability

Dnsmasq includes a DNS cache.

The tcp_request() routine builds the response packet. However, the setup_reply() function does not take into account some possible errors when evaluating the response size. Such an error would make the server return uninitialized data from the process heap and possibly reference an invalid address, which would cause the server process to be killed.

A local attacker can therefore read a memory fragment of Dnsmasq, in order to obtain sensitive information, and possibly make the server halt.

vulnerability note CVE-2013-0198

Dnsmasq: listening on all interfaces via libvirt and TCP

Synthesis of the vulnerability

When Dnsmasq is installed on a server using libvirt, Dnsmasq accepts TCP queries coming from all interfaces, so an attacker can for example create a distributed denial of service.
Severity: 1/4.
Creation date: 18/01/2013.
Identifiers: 894486, BID-57458, CVE-2013-0198, FEDORA-2013-1320, FEDORA-2013-1357, MDVSA-2013:072, VIGILANCE-VUL-12340.

Description of the vulnerability

The VIGILANCE-VUL-11750 bulletin describes a vulnerability of Dnsmasq with libvirt, which accepts queries coming from all interfaces.

This vulnerability was corrected (VIGILANCE-SOL-26802) for DNS packets on UDP. However, an attacker can still use DNS packets on TCP.

When Dnsmasq is installed on a server using libvirt, Dnsmasq therefore accepts TCP queries coming from all interfaces, so an attacker can for example create a distributed denial of service.

security vulnerability CVE-2012-3411

Dnsmasq: listening on all interfaces via libvirt

Synthesis of the vulnerability

When Dnsmasq is installed on a server using libvirt, Dnsmasq accepts queries coming from all interfaces, so an attacker can for example create a distributed denial of service.
Severity: 1/4.
Creation date: 10/07/2012.
Identifiers: 833033, BID-54353, CVE-2012-3411, FEDORA-2012-12598, FEDORA-2012-20531, MDVSA-2013:072, RHSA-2013:0276-02, RHSA-2013:0277-02, RHSA-2013:0579-01, VIGILANCE-VUL-11750.

Description of the vulnerability

The Dnsmasq program replies to DNS and DHCP queries of clients.

A server can use libvirt to configure private network bridges. In this case, the server has a real network interface (eth0) and a virtual interface associated with virbr0 (with the IP address 1.2.3.4 for example).

The option "--bind-interfaces --interface=virbr0" tells Dnsmasq to reply only to queries sent to the interface virbr0.

The administrator can configure Dnsmasq with "--interface=virbr0", so that only clients located on the private network (virbr0) can query Dnsmasq. However, if the router connected to eth0 is configured to forward packets for 1.2.3.4 to the server, the server receives these packets. As they are destined for 1.2.3.4 (the IP address of virbr0), Dnsmasq then replies to these queries coming from eth0.

When Dnsmasq is installed on a server using libvirt, Dnsmasq therefore accepts queries coming from all interfaces, so an attacker can for example create a distributed denial of service.

weakness note CVE-2009-2957 CVE-2009-2958

Dnsmasq: vulnerabilities of TFTP

Synthesis of the vulnerability

An attacker can use two vulnerabilities of Dnsmasq, in order to generate a denial of service or to execute code.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 01/09/2009.
Identifiers: BID-36120, BID-36121, CERTA-2009-AVI-361, CORE-2009-0820, CVE-2009-2957, CVE-2009-2958, DSA-1876-1, FEDORA-2009-10252, FEDORA-2009-10285, RHSA-2009:1238-01, VIGILANCE-VUL-8985.

Description of the vulnerability

A TFTP service can be enabled in Dnsmasq, via the "enable-tftp" option. This service is impacted by two vulnerabilities.

The tftp_request() function concatenates the TFTP root directory (generally "/var/tftpd") and the path requested by the user. However, if both paths are too long, an overflow occurs. By default, the "/var/tftpd" path is too short to generate the overflow, but if the administrator chooses a longer name, an attacker can use this overflow to execute code. [severity:2/4; BID-36121, CERTA-2009-AVI-361, CVE-2009-2957]

An attacker can use TFTP options in order to force the service to dereference a NULL pointer, which stops it. [severity:1/4; BID-36120, CVE-2009-2958]

An attacker can therefore use two vulnerabilities of Dnsmasq, in order to generate a denial of service or to execute code.

computer weakness CVE-2008-1447

DNS: cache poisoning

Synthesis of the vulnerability

An attacker can predict DNS queries in order to poison the DNS client or cache (caching resolver).
Severity: 3/4.
Creation date: 09/07/2008.
Revision dates: 22/07/2008, 24/07/2008, 25/07/2008.
Identifiers: 107064, 239392, 240048, 6702096, 7000912, 953230, BID-30131, c01506861, c01660723, CAU-EX-2008-0002, CAU-EX-2008-0003, CERTA-2002-AVI-189, CERTA-2002-AVI-200, cisco-sa-20080708-dns, CR102424, CR99135, CSCso81854, CVE-2008-1447, draft-ietf-dnsext-forgery-resilience-05, DSA-1544-2, DSA-1603-1, DSA-1604-1, DSA-1605-1, DSA-1617-1, DSA-1619-1, DSA-1619-2, DSA-1623-1, FEDORA-2008-6256, FEDORA-2008-6281, FEDORA-2009-1069, FreeBSD-SA-08:06.bind, HPSBMP02404, HPSBTU02358, HPSBUX02351, MDVSA-2008:139, MS08-037, NetBSD-SA2008-009, powerdns-advisory-2008-01, PSN-2008-06-040, RHSA-2008:0533-01, RHSA-2008:0789-01, SOL8938, SSA:2008-191-02, SSA:2008-205-01, SSRT080058, SSRT090014, SUSE-SA:2008:033, TA08-190B, TLSA-2008-26, VIGILANCE-VUL-7937, VMSA-2008-0014, VMSA-2008-0014.1, VMSA-2008-0014.2, VU#800113.

Description of the vulnerability

The DNS protocol defines a 16-bit identifier to associate an answer with its query. When an attacker predicts this identifier and the UDP port number, he can send fake answers and thus poison the DNS cache.

Most implementations use a fixed port number, which increases the probability of a poisoning success. As there is only one chance of success during the TTL period, and as the poisoning does not work on every attempt, this direct and old attack is not practical.

However, instead of poisoning the answer record, the attacker can poison additional records. Indeed, when the DNS client asks the address of www.example.com, the DNS server returns:
  www.example.com A 1.2.3.4 (answer)
  example.com NS dns.example.com (authoritative)
  dns.example.com A 1.2.3.5 (additional)

An attacker can therefore force the client to request the resolution of several names (via a web page containing images for example): aaa.example.com, aab.example.com, ..., aaz.example.com. In his answers, the attacker then always provides the same malicious additional record (www.example.com A 5.6.7.8). Even if, for example, only aab.example.com is poisoned, its additional record (www.example.com = 5.6.7.8) will be stored in the cache.

An attacker can therefore poison the DNS cache/client and redirect all users to a malicious site.