A team of Google security researchers has discovered a set of security vulnerabilities in the Dnsmasq software package that could have potentially enabled a remote code execution by an attacker.
Dnsmasq is a widely used open-source network utilities program that provides local DNS (Domain Name Service) services as well as DHCP (Dynamic Host Configuration Protocol) capabilities. Among the many places where Dnsmasq is used is inside of Google’s Android mobile operating system, as well as in the Kubernetes container orchestration system.
“During our review, the team found three potential remote code executions, one information leak, and three denial of service vulnerabilities affecting the latest version at the project git server as of September 5th 2017,” the Google researchers wrote in a blog post.
All of the Dnsmasq vulnerabilities discovered by the Google researchers have now been patched in the upstream project as of the 2.78 release, which became generally available on Oct. 2. In addition, Google has developed an additional patch that will provide improved sandboxing for Dnsmasq. The additional patch provides a seccomp (SECure COMPuting) filter for Linux that enables enhanced control for Dnsmasq.
The use of sandbox techniques—that is, technologies that restrict the actions of a given process to a certain section of system memory—is already in use on Google’s Android operating system. Among the remote code execution issues is CVE-2017-14496, which Google has now patched in the October Android update.
“Android is affected by CVE-2017-14496 when the attacker is local or tethered directly to the device—the service itself is sandboxed so the risk is reduced,” the Google researchers stated.
In addition to the Dnsmasq fix, the October Android update once again is providing users with patches for the much maligned media framework. In total, Google has patched the Android media framework for six issues, three of which (CVE-2017-0809, CVE-2017-0810, CVE-2017-081) are identified as critical remote code execution vulnerabilities. The mediaserver library has been the subject of intense scrutiny since July 2015, when the Stagefright flaws were first revealed.
The Android mediaserver has been patched in every Android security update issued by Google since August 2015.
The impact of the Dnsmasq vulnerability goes beyond just Android and is embedded in other software as well as networking devices.
“This software is commonly installed in systems as varied as desktop Linux distributions (like Ubuntu), home routers, and IoT devices,” the researchers wrote in a blog post. “Dnsmasq is widely used both on the open internet and internally in private networks.”
Among the impacted software applications is Kubernetes, which has become an increasingly popular and widely deployed system by multiple vendors for container orchestration. The recently released Kubernetes 1.8 milestone, as well as earlier versions including 1.5.8, 1.6.11 and 1.7.7, has been updated with the patched version of Dnsmasq.
Linux vendor Red Hat has specifically highlighted the CVE-2017-14491 remote code execution vulnerability in Dnsmasq as being the worst of the seven issues.
“To trigger this flaw, an attacker would need to control a malicious domain (eg, evil.com) and send DNS requests to dnsmasq that would cause it to cache replies from that domain,” Red Hat warned in its advisory. “By carefully constructing DNS requests and responses, dnsmasq could be made to overflow an internal buffer on the heap, using content influenced by the attacker. This could potentially be used to achieve code execution.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
