Dnsmasq and the seven flaws: Patch these nasty remote-control holes

Google security engineers have spotted not one, not two, but seven serious flaws in Dnsmasq, a fairly widely used DNS forwarder and DHCP server. This open-source program is present in a lot of home routers and certain Internet of Things gadgets, and included in desktop Linux distributions such as Ubuntu and Debian. According …

  1. Phil Endecott

    In my quick look at the Google security blog I wasn't sure whether "remote" meant "from the outside internet" or "from another machine on the local network". For example, the DHCP bugs are surely only going to be exploitable by local machines, right? Do DNS bugs require that the attacker is controlling replies to DNS requests that I make? That would be tricky if my dnsmasq is forwarding to my ISP's DNS, for example.

    1. Voland's right hand Silver badge

      It can be from the outside Internet

      Their POC code requires both a query and a sequence of answers. You can run the POC only from inside. I could not be arsed at this time of the day to decipher the actual hex contents of the query(ies); it may be possible to create them as a side effect of running normal web code, e.g. JavaScript.

      The mitigating factors are that you have to guess what it is: ARM (dnsmasq, if memory serves me right, is used in wireless tethering on Android), MIPS32 (most routers), x86 (a few firewalls and an occasional internet device here and there), etc. You get one chance to try, as the result is a crashed dnsmasq.

      Personally, I would not risk it. I had only one instance in use outside lab work (my mom's house) and even that just got disabled and replaced by a proper adult bind + isc dhcp server combination running on the razzie which controls the cctv.

      1. Wensleydale Cheese

        Re: It can be from the outside Internet

        "Personally, I would not risk it. I had only one instance in use outside lab work (my mom's house) and even that just got disabled and replaced by a proper adult bind + isc dhcp server combination running on the razzie which controls the cctv."

        Noted and thanks. I've been trying dnsmasq out on a Raspberry Pi, but find the documentation somewhere between hard work and impenetrable.

        I've used bind and isc dhcp server before and will probably be more comfortable with those.

    2. Anonymous Coward

      Great - so presumably as this is remotely exploitable we can look forward to lots more Linux / other OSS things with festering worm infections...

    3. Anonymous Coward

      My Synology NAS received a patch for this today.

  2. SloppyJesse

    @Phil Endecott - that was my first thought too, since dnsmasq is typically sitting at a network boundary.

    Pretty sure openwrt uses dnsmasq, probably other open source firmwares too, and all those closed source routers that are probably never going to get an update.

  3. Anonymous Coward

    Maybe Corps relying on this code should stump up some cash for dev time.

    They like to launch their big packages on the world to gain kudos but ignore the small stuff they depend on.

  4. Anonymous Coward

    An interesting issue for routers

    Since dnsmasq services aren't exposed to the internet, remote exploits to routers (whether commercial or open source) using it aren't a concern. The only way to exploit your router is for an attacker to get code to run inside your network - via some type of browser-based exploit, perhaps. But to what end? Once your router reboots, the malware will disappear - the malware can't rewrite individual binaries; it would have to upload new firmware with all new binaries if it wanted to become a permanent resident on your router.

    Configuring your router to reboot daily might be a good idea, to eliminate the chance of becoming part of some long lived botnet sending out spam or whatever an army of low performance devices is used for by black hats these days.
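The comment above rests on the assumption that dnsmasq is only reachable from the LAN side. That is something a defender can check rather than assume: if dnsmasq is bound to a wildcard address or to the WAN interface's address, its DNS and DHCP ports are reachable from outside. The following is an added example, not code from any commenter or from the dnsmasq project; it parses `ss -ulnp`-style output (the sample lines below are constructed, not captured from a real router) and flags dnsmasq sockets that are not bound to an address inside the assumed LAN ranges in `LAN_NETWORKS`.

```python
"""Flag dnsmasq UDP sockets that are bound outside the LAN.

Parses lines in the format printed by `ss -ulnp`. The sample output and the
LAN ranges below are assumptions made for this example.
"""
import ipaddress
import re

# Assumed LAN ranges; adjust to the network actually in use.
LAN_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]

# Addresses that mean "every interface", including the WAN side.
WILDCARDS = {"*", "0.0.0.0", "::"}

# Constructed sample of `ss -ulnp` output (not a real capture).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      192.168.1.1:53     0.0.0.0:*   users:(("dnsmasq",pid=812,fd=4))
UNCONN 0      0      0.0.0.0:67         0.0.0.0:*   users:(("dnsmasq",pid=812,fd=6))
UNCONN 0      0      0.0.0.0:53         0.0.0.0:*   users:(("dnsmasq",pid=812,fd=5))
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*   users:(("chronyd",pid=400,fd=1))
"""

# State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, users:(("proc",pid=N,...
SOCKET_RE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def split_local(local):
    """Split an ss 'Local Address:Port' token into (address, port).

    IPv6 addresses are printed in brackets, e.g. '[::]:53'; the brackets are
    removed so the address can be parsed by the ipaddress module.
    """
    addr, _, port = local.rpartition(":")
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    return addr, int(port)


def classify_address(addr, lan_networks=LAN_NETWORKS):
    """Return 'wildcard', 'lan' or 'other' for a bound address."""
    if addr in WILDCARDS:
        return "wildcard"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "other"
    return "lan" if any(ip in net for net in lan_networks) else "other"


def exposed_sockets(ss_output, process="dnsmasq", lan_networks=LAN_NETWORKS):
    """Return (address, port, pid, kind) for each socket of `process` that is
    not bound to a LAN address. 'wildcard' sockets listen on every interface."""
    findings = []
    for line in ss_output.splitlines():
        m = SOCKET_RE.match(line)
        if not m or m.group("proc") != process:
            continue
        addr, port = split_local(m.group("local"))
        kind = classify_address(addr, lan_networks)
        if kind != "lan":
            findings.append((addr, port, int(m.group("pid")), kind))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; on a real host feed in `ss -ulnp`.
    for addr, port, pid, kind in exposed_sockets(SAMPLE_SS_OUTPUT):
        print(f"dnsmasq pid {pid} bound to {addr}:{port} ({kind})")
```

In the sample the DNS socket on 192.168.1.1 is fine, but the second DNS socket and the DHCP socket are bound to 0.0.0.0 and are flagged. dnsmasq's own `interface=`, `except-interface=`, `listen-address=` and `bind-interfaces` options are the usual way to restrict which interfaces it listens on; the check above is only a way to confirm that the configuration did what was intended.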

  5. Outer mongolian custard monster from outer space (honest)

    Once someone can get remote code execution on your local devices, it's game over. It's trivial to generate say a reverse shell tcp connection as part of that payload, and have it traverse a nat gateway, even wrap it up to look like normal web traffic or pick a common port (and since this is a dns attack, I'd be telling it to use 53 outbound since to forward it has to have that open). If the payload isn't large enough to support a full binary, it's easy to generate a staged payload and bootstrap in a larger component, or instruct the device to download the payload proper via its own means (wget, curl etc if installed).

    A lot of people may say "oh they only have my router/print server/nas box, it's ok", but no, what they have then is a really good foothold inside your perimeter defences and a great point to further attack/enumerate your privileged lan.

    As for how to make this a full remote exploit, it might take some creativity because on the surface you only answer queries from the local subnet to start with, but what if someone sends your client machines an email with urls, or they are redirected to a sequence of domains by an infected page or advert? Will your local subnet dnsmasq server not get asked for those domains to be looked up if they look like domain names?

    Patching the stuff I can that's affected as quick as I can here. You pays your money and takes your choice.

  6. Anonymous South African Coward Silver badge

    Remember, ne'er-do-wells think outside the box.

  7. niknah

    I've seen dnsmasq in small routers mostly.

    I don't think people who made a few cents or $1 from selling a small router are going to be bothered updating their ROMs.

  8. Manolo
    Thumb Up

    Patches available

    I'm running Mint 17.3 and just found the patch waiting for me.

  9. Oh Homer
    Trollface

    Where's my patch?

    I'm surfing on an HP48GX graphing calculator via a US Robotics 33.6K modem.

    Am I vulnerable?

  10. DMen1k

    Hello. I have just run a network scan with Avast on my Win7 PC. It states my WDMC h/d & BT Smart Hub Router's firmware (it states it was updated 17th of Jan) needs updating & is vulnerable. Could you please point me in the right direction of finding out how to install a patch, to remedy this if possible.

    Thanx


Biting the hand that feeds IT © 1998–2021