From the authors’ website, “Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot.” In practice, the Dnsmasq code has been widely leveraged in routers, firewalls, IoT devices, virtualization frameworks and even mobile devices when you need to set up a portable hotspot. In other words, there is a lot of Dnsmasq code “in the wild” and bugs in this code could be a big deal depending on the nature of the vulnerabilities.
Of the seven issues identified by Google, three allow for Remote Command Execution, three are Denial of Service vulnerabilities, and one could result in “Information Leakage.”
Google has been working internally and with the Dnsmasq team to fix these issues. The project’s git repository has been updated with the appropriate patches, Dnsmasq v2.78 includes the patches and the October Google security patch update includes fixes for the Dnsmasq vulnerabilities. In addition, from the Google Security Blog, “Kubernetes versions 1.5.8, 1.6.11, 1.7.7 and 1.8.0 have been released with a patched DNS pod. Other affected Google services have been updated.”
And ensuring that you have all of the information necessary to manage your Dnsmasq risk, Google has also uploaded Python Proof of Concept code to their git repository.
You can download this code to test your environment, identify your vulnerabilities, and determine the priority to remediate based on your specific risk.
Security research and vulnerability disclosure are rarely straightforward. Timing, capabilities, and willingness to respond to issues by vendors and customers all must be considered and rarely align. Disclosing vulnerabilities increases the risk to organizations, but at the same time, it provides the necessary information to manage the risk. In this case, Google researchers and the Dnsmasq team worked together to provide all the right information and tools in a very responsible manner. Now it is up to Dnsmasq users to step up and patch where necessary.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.