The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Dnsmasq

vulnerability CVE-2017-15107

Dnsmasq: denial of service via NSEC

Synthesis of the vulnerability

An attacker can make Dnsmasq declare that a domain does not exist, because of an error in the signature check step, in order to trigger a denial of service.
Impacted products: Dnsmasq, Fedora, Solaris, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: client access/rights, denial of service on service.
Provenance: internet server.
Creation date: 22/01/2018.
Identifiers: bulletinjan2019, CVE-2017-15107, FEDORA-2018-9780220f7d, FEDORA-2018-fbe4017846, SUSE-SU-2019:1721-1, VIGILANCE-VUL-25130.


computer vulnerability CVE-2017-13704 CVE-2017-14491 CVE-2017-14492

Dnsmasq: seven vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Dnsmasq.
Impacted products: ArubaOS, Debian, Dnsmasq, Fedora, Android OS, Kubernetes, openSUSE Leap, pfSense, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 4/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 7.
Creation date: 02/10/2017.
Identifiers: ARUBA-PSA-2017-005, CERTFR-2017-AVI-329, CVE-2017-13704, CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496, DLA-1124-1, DSA-3989-1, FEDORA-2017-24f067299e, FEDORA-2017-515264ae24, openSUSE-SU-2017:2633-1, OSSN/OSSN-0082, RHSA-2017:2836-01, RHSA-2017:2837-01, RHSA-2017:2838-01, RHSA-2017:2839-01, RHSA-2017:2840-01, RHSA-2017:2841-01, SSA:2017-275-01, SUSE-SU-2017:2616-1, SUSE-SU-2017:2617-1, SUSE-SU-2017:2619-1, Synology-SA-17:59, USN-3430-1, USN-3430-2, USN-3430-3, VIGILANCE-VUL-24005, VU#973527.


computer vulnerability announce 22887

Dnsmasq: information disclosure via TFTP

Synthesis of the vulnerability

A local attacker can read a memory fragment via a TFTP packet used by Dnsmasq, in order to obtain sensitive information.
Impacted products: Dnsmasq.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 02/06/2017.
Identifiers: VIGILANCE-VUL-22887.


computer vulnerability note CVE-2015-8899

Dnsmasq: denial of service via requests for type AAAA

Synthesis of the vulnerability

An attacker can send a request for an IPv6 address to Dnsmasq, in order to trigger a denial of service.
Impacted products: Dnsmasq, Fedora, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: intranet client.
Creation date: 06/06/2016.
Identifiers: CVE-2015-8899, FEDORA-2016-6db1c9eb69, FEDORA-2016-da2f9c22b4, openSUSE-SU-2017:0016-1, SUSE-SU-2016:3199-1, SUSE-SU-2016:3269-1, SUSE-SU-2017:2616-1, SUSE-SU-2017:2617-1, SUSE-SU-2017:2619-1, USN-3009-1, VIGILANCE-VUL-19799.

Description of the vulnerability

The Dnsmasq product includes a DNS cache server.

However, when the server receives a request for an IPv6 address and the /etc/hosts file includes an IPv6 address but not an IPv4 one, recording the external server's answer triggers a fatal error and then a server crash.

An attacker can therefore send a request for an IPv6 address to Dnsmasq, in order to trigger a denial of service.

computer vulnerability note CVE-2015-3294

Dnsmasq: information disclosure via tcp_request

Synthesis of the vulnerability

A local attacker can read a memory fragment of Dnsmasq, in order to obtain sensitive information; and maybe make the server halt.
Impacted products: Arkoon FAST360, Debian, Dnsmasq, openSUSE, Solaris, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: internet client.
Creation date: 17/04/2015.
Identifiers: bulletinjul2015, CVE-2015-3294, DSA-3251-1, DSA-3251-2, openSUSE-SU-2015:0857-1, OSI-1502, STORM-2015-09-EN, STORM-2015-10-EN, STORM-2015-11-EN.2, STORM-2015-12-EN, SUSE-SU-2017:2616-1, SUSE-SU-2017:2617-1, SUSE-SU-2017:2619-1, USN-2593-1, VIGILANCE-VUL-16649.

Description of the vulnerability

Dnsmasq includes a DNS cache.

The routine tcp_request() builds the response packet. However, the function "setup_reply" does not take into account some possible errors while evaluating the response size. Such an error would make the server return uninitialized data from the process heap and maybe reference an invalid address, which would cause the server process to be killed.

A local attacker can therefore read a memory fragment of Dnsmasq, in order to obtain sensitive information; and maybe make the server halt.

vulnerability CVE-2013-0198

Dnsmasq: listening on all interfaces via libvirt and TCP

Synthesis of the vulnerability

When Dnsmasq is installed on a server using libvirt, Dnsmasq accepts TCP queries coming from all interfaces, so an attacker can for example create a distributed denial of service.
Impacted products: Dnsmasq, Fedora.
Severity: 1/4.
Consequences: data reading, data flow.
Provenance: internet client.
Creation date: 18/01/2013.
Identifiers: 894486, BID-57458, CVE-2013-0198, FEDORA-2013-1320, FEDORA-2013-1357, MDVSA-2013:072, VIGILANCE-VUL-12340.

Description of the vulnerability

The VIGILANCE-VUL-11750 bulletin describes a vulnerability of Dnsmasq with libvirt, which accepts queries coming from all interfaces.

This vulnerability was corrected (VIGILANCE-SOL-26802) for DNS packets on UDP. However, an attacker can still use DNS packets on TCP.

When Dnsmasq is installed on a server using libvirt, Dnsmasq therefore accepts TCP queries coming from all interfaces, so an attacker can for example create a distributed denial of service.

vulnerability CVE-2012-3411

Dnsmasq: listening on all interfaces via libvirt

Synthesis of the vulnerability

When Dnsmasq is installed on a server using libvirt, Dnsmasq accepts queries coming from all interfaces, so an attacker can for example create a distributed denial of service.
Impacted products: Dnsmasq, Fedora, RHEL.
Severity: 1/4.
Consequences: data reading, data flow.
Provenance: internet client.
Creation date: 10/07/2012.
Identifiers: 833033, BID-54353, CVE-2012-3411, FEDORA-2012-12598, FEDORA-2012-20531, MDVSA-2013:072, RHSA-2013:0276-02, RHSA-2013:0277-02, RHSA-2013:0579-01, VIGILANCE-VUL-11750.

Description of the vulnerability

The Dnsmasq program replies to DNS and DHCP queries of clients.

A server can use libvirt to configure private network bridges. In this case, the server has a real network interface (eth0) and a virtual interface associated with virbr0 (with the IP address 1.2.3.4 for example).

The option "--bind-interfaces --interface=virbr0" of Dnsmasq indicates to only reply to queries sent to the interface virbr0.

The administrator can configure Dnsmasq with "--interface=virbr0", so only clients located on the private network (virbr0) can query Dnsmasq. However, if the router connected to eth0 is configured to forward packets for 1.2.3.4 to the server, the server receives these packets. As they are destined for 1.2.3.4 (the IP address of virbr0), Dnsmasq then replies to these queries even though they arrived on eth0.

When Dnsmasq is installed on a server using libvirt, Dnsmasq therefore accepts queries coming from all interfaces, so an attacker can for example create a distributed denial of service.

computer vulnerability CVE-2009-2957 CVE-2009-2958

Dnsmasq: vulnerabilities of TFTP

Synthesis of the vulnerability

An attacker can use two vulnerabilities of Dnsmasq, in order to generate a denial of service or to execute code.
Impacted products: Debian, Dnsmasq, Fedora, RHEL.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: LAN.
Number of vulnerabilities in this bulletin: 2.
Creation date: 01/09/2009.
Identifiers: BID-36120, BID-36121, CERTA-2009-AVI-361, CORE-2009-0820, CVE-2009-2957, CVE-2009-2958, DSA-1876-1, FEDORA-2009-10252, FEDORA-2009-10285, RHSA-2009:1238-01, VIGILANCE-VUL-8985.

Description of the vulnerability

A TFTP service can be enabled in Dnsmasq, via the "enable-tftp" option. This service is impacted by two vulnerabilities.

The tftp_request() function concatenates the TFTP root directory (generally "/var/tftpd") and the path requested by the user. However, if both paths are too long, an overflow occurs. By default, the "/var/tftpd" path is too short to generate the overflow, but if the administrator chooses a longer name, an attacker can use this overflow to execute code. [severity:2/4; BID-36121, CERTA-2009-AVI-361, CVE-2009-2957]

An attacker can use TFTP options in order to force the service to dereference a NULL pointer, which stops it. [severity:1/4; BID-36120, CVE-2009-2958]

An attacker can therefore use two vulnerabilities of Dnsmasq, in order to generate a denial of service or to execute code.
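
The overflow in the first item comes from joining the TFTP root and the requested path without checking the combined length. The following C sketch is an added example, not Dnsmasq's code: the helper name tftp_join_path, the 64-byte TFTP_PATH_MAX and the sample paths are assumptions chosen for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define TFTP_PATH_MAX 64 /* assumed demo size, not dnsmasq's real buffer */

/* Unsafe pattern of the kind the bulletin describes (comment only):
 *   strcpy(buf, root); strcat(buf, "/"); strcat(buf, requested);
 * Nothing relates strlen(root) + strlen(requested) to sizeof(buf). */

/* Hypothetical helper: write "root/requested" into out[outlen].
 * Returns 0 on success, -1 (and an empty string) if it would not fit. */
int tftp_join_path(const char *root, const char *requested,
                   char *out, size_t outlen)
{
    size_t rlen, qlen, sep;

    if (!root || !requested || !out || outlen == 0)
        return -1;
    out[0] = '\0';
    while (*requested == '/')      /* avoid a doubled separator */
        requested++;
    rlen = strlen(root);
    qlen = strlen(requested);
    sep = (rlen == 0 || root[rlen - 1] != '/') ? 1 : 0;

    /* Length check done by subtraction so the sum can never wrap. */
    if (rlen >= outlen || qlen >= outlen - rlen ||
        sep + 1 > outlen - rlen - qlen)
        return -1;

    memcpy(out, root, rlen);
    if (sep)
        out[rlen++] = '/';
    memcpy(out + rlen, requested, qlen);
    out[rlen + qlen] = '\0';
    return 0;
}

int main(void)
{
    char buf[TFTP_PATH_MAX];
    /* Constructed inputs: the short default root, then a long admin-chosen one. */
    const char *long_root = "/srv/netboot/images/production/x86_64/tftp-root";
    const char *req = "pxelinux.cfg/01-00-11-22-33-44-55";

    printf("%d %s\n", tftp_join_path("/var/tftpd", req, buf, sizeof buf), buf);
    printf("%d (rejected)\n", tftp_join_path(long_root, req, buf, sizeof buf));
    return 0;
}
```

With the short default root the request fits; with the longer root the same request is refused instead of being written past the end of the buffer.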

computer vulnerability announce CVE-2008-1447

DNS: cache poisoning

Synthesis of the vulnerability

An attacker can predict DNS queries in order to poison the DNS client or cache (caching resolver).
Impacted products: ProxyRA, ProxySG by Blue Coat, IOS by Cisco, Cisco Router, Debian, Dnsmasq, BIG-IP Hardware, TMOS, Fedora, FreeBSD, MPE/iX, Tru64 UNIX, HP-UX, AIX, BIND, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, Mandriva Linux, Mandriva NF, Windows 2000, Windows 2003, Windows 2008 R0, Windows (platform) ~ not comprehensive, Windows XP, NetBSD, NetScreen Firewall, ScreenOS, NLD, Netware, OES, OpenBSD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, DNS protocol, RHEL, Slackware, SLES, TurboLinux, Unix (platform) ~ not comprehensive, ESX.
Severity: 3/4.
Consequences: data creation/edition.
Provenance: internet server.
Creation date: 09/07/2008.
Revision dates: 22/07/2008, 24/07/2008, 25/07/2008.
Identifiers: 107064, 239392, 240048, 6702096, 7000912, 953230, BID-30131, c01506861, c01660723, CAU-EX-2008-0002, CAU-EX-2008-0003, CERTA-2002-AVI-189, CERTA-2002-AVI-200, cisco-sa-20080708-dns, CR102424, CR99135, CSCso81854, CVE-2008-1447, draft-ietf-dnsext-forgery-resilience-05, DSA-1544-2, DSA-1603-1, DSA-1604-1, DSA-1605-1, DSA-1617-1, DSA-1619-1, DSA-1619-2, DSA-1623-1, FEDORA-2008-6256, FEDORA-2008-6281, FEDORA-2009-1069, FreeBSD-SA-08:06.bind, HPSBMP02404, HPSBTU02358, HPSBUX02351, MDVSA-2008:139, MS08-037, NetBSD-SA2008-009, powerdns-advisory-2008-01, PSN-2008-06-040, RHSA-2008:0533-01, RHSA-2008:0789-01, SOL8938, SSA:2008-191-02, SSA:2008-205-01, SSRT080058, SSRT090014, SUSE-SA:2008:033, TA08-190B, TLSA-2008-26, VIGILANCE-VUL-7937, VMSA-2008-0014, VMSA-2008-0014.1, VMSA-2008-0014.2, VU#800113.

Description of the vulnerability

The DNS protocol defines a 16-bit identifier to associate an answer with its query. When an attacker predicts this identifier and the UDP port number, they can send fake answers and thus poison the DNS cache.

Most implementations use a fixed port number, which increases the probability of a poisoning success. As there is only one chance of success during the TTL period, and as the poisoning does not work on every attempt, this direct and old attack is not practical.

However, instead of poisoning the answer record, the attacker can poison additional records. Indeed, when the DNS client asks the address of www.example.com, the DNS server returns:
  www.example.com A 1.2.3.4 (answer)
  example.com NS dns.example.com (authoritative)
  dns.example.com A 1.2.3.5 (additional)

An attacker can therefore force the client to request the resolution of several names (via a web page containing images for example): aaa.example.com, aab.example.com, ..., aaz.example.com. In his answers, the attacker then always provides the same additional malicious answer (www.example.com A 5.6.7.8). Even if, for example, only aab.example.com is poisoned, its additional record (www.example.com = 5.6.7.8) will be stored in the cache.

An attacker can therefore poison the DNS cache/client and redirect all users to a malicious site.

computer vulnerability announce CVE-2008-3214

Dnsmasq: denial of service of DHCP

Synthesis of the vulnerability

An attacker can send a malicious DHCP packet in order to stop Dnsmasq.
Impacted products: Dnsmasq.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: LAN.
Creation date: 15/07/2008.
Identifiers: CVE-2008-3214, VIGILANCE-VUL-7947.

Description of the vulnerability

The Dnsmasq program provides a DNS and DHCP server.

The DHCP protocol is used by a computer to obtain an IP address. The computer can indicate the IP address it wishes to obtain, for example to keep the previously obtained value.

However, if the client requests an IP address located outside the handled zone, Dnsmasq stops.

A network attacker can therefore create a denial of service.