Widely used DNS forwarder and DHCP server Dnsmasq riddled with flaws

Google researchers have discovered seven serious vulnerabilities in Dnsmasq, a lightweight, widely used DNS forwarder and DHCP server for small computer networks.

Dnsmasq is mainly written and maintained by Simon Kelley, and is open source. It can run on Linux, BSD, Android and macOS. It is included in most Linux distributions, and is also commonly found in home routers, firewalls, and IoT devices.

The vulnerabilities

There are seven vulnerabilities, affecting Dnsmasq versions 2.77 and earlier: three remote code execution flaws, one information leak, and three denial of service flaws. They can be triggered remotely via the DNS and DHCP protocols.

According to Kelley, some of these have been in Dnsmasq “since prehistoric times, and have remained undetected through multiple previous security audits.”

They were discovered by the Google security team during their regular internal security assessments, and responsibly disclosed to Kelley, along with PoC code. He fixed them in v2.78 (released on Monday).

Google says that the patches they helped create have been upstreamed and are committed to the project’s git repository. They’ve also submitted for review another patch they believe will increase the security of Dnsmasq installations, by running Dnsmasq under seccomp-bpf to allow for additional sandboxing.

More details about the flaws can be found here.

Security updates

Kelley said that updates to distribution packages, firmware images and Android should be available “now or very soon.”

“Android partners have received this patch as well and it will be included in Android’s monthly security update for October,” Google noted. “Kubernetes versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 have been released with a patched DNS pod. Other affected Google services have been updated.”

A (likely incomplete) list of vendors whose products might be affected by these flaws has been set up by CERT/CC, so if you’re using one or more of them, check with the vendors for more information and security updates.
