From the authors’ website, “Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot.” In practice, the Dnsmasq code has been widely leveraged in routers, firewalls, IoT devices, virtualization frameworks and even mobile devices when you need to set up a portable hotspot. In other words, there is a lot of Dnsmasq code “in the wild” and bugs in this code could be a big deal depending on the nature of the vulnerabilities.
Dnsmasq can be found in Linux distributions, smartphones, routers, and many IoT devices.
Siemens, like other companies, warned of the risks related to the set of flaws discovered by Google. Siemens published a security advisory to confirm that four of the seven vulnerabilities affect some of its SCALANCE products, including W1750D controller-based direct access points, M800 industrial routers, and S615 firewalls.
The ICS-CERT also published an advisory on the flaws affecting Siemens products.
Three of the vulnerabilities (CVE-2017-13704, CVE-2017-14495 and CVE-2017-14496) can be exploited by attackers to crash the Dnsmasq process by sending specially crafted requests to the service on UDP port 53.
“Vulnerability 1 (CVE-2017-13704) – An attacker can cause a crash of the DNSmasq process by sending specially crafted request messages to the service on port 53/udp” reads the advisory.
The Siemens SCALANCE products are also affected by the CVE-2017-14491 flaw, that could be exploited by attackers to trigger a DoS condition or possibly execute arbitrary code on the vulnerable device.
“An attacker can cause a crash or potentially execute arbitrary code by sending specially crafted DNS responses to the DNSmasq process. In order to exploit this vulnerability, an attacker must be able to trigger DNS requests from the device, and must be in a position that allows him to inject malicious DNS responses, e.g. the attacker must be in a Man-inthe-Middle position.” continues the advisory.
Siemens is working on security patches to address the Dnsmasq flaws in its products. Waiting for the fixes users need to adopt the suggested mitigations, such as using firewall rules to block incoming traffic on UDP port 53 (applies to W1750D if OpenDNS, Captive Portal or URL redirection functionality is not used), and disabling the DNS proxy and configure devices to use a different DNS server (applies to M800 and S615).
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.