Google security experts disclosed seven distinct vulnerabilities in the Dnsmasq software package.

Regardless of what you may think of Google as a company, it is difficult to criticize their prolific and in-depth security research. The latest example is their disclosure of seven distinct issues in the Dnsmasq software package.

From the authors’ website, “Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot.” In practice, the Dnsmasq code has been widely leveraged in routers, firewalls, IoT devices, virtualization frameworks and even mobile devices when you need to set up a portable hotspot. In other words, there is a lot of Dnsmasq code “in the wild” and bugs in this code could be a big deal depending on the nature of the vulnerabilities.

Of the seven issues identified by Google, three allow for Remote Command Execution, three are Denial of Service vulnerabilities, and one could result in “Information Leakage.”

Google has been working internally and with the Dnsmasq team to fix these issues. The project’s git repository has been updated with the appropriate patches, Dnsmasq v2.78 includes the patches and the October Google security patch update includes fixes for the Dnsmasq vulnerabilities. In addition, from the Google Security Blog, “Kubernetes versions 1.5.8, 1.6.11, 1.7.7 and 1.8.0 have been released with a patched DNS pod. Other affected Google services have been updated.”

Going above and beyond, Google has also submitted a patch to the Dnsmasq project which allows for Dnsmasq to be run under seccomp-bpf filtering — which provides some additional sandboxing protections should any new bugs be identified in the future.

And ensuring that you have all of the information necessary to manage your Dnsmasq risk, Google has also uploaded Python Proof of Concept code to their git repository.

You can download this code to test your environment, identify your vulnerabilities, and determine the priority to remediate based on your specific risk.

Security research and vulnerability disclosure are rarely straightforward. Timing, capabilities, and willingness to respond to issues by vendors and customers all must be considered and rarely align. Disclosing vulnerabilities increases the risk to organizations, but at the same time, it provides the necessary information to manage the risk. In this case, Google researchers and the Dnsmasq team worked together to provide all the right information and tools in a very responsible manner. Now it is up to Dnsmasq users to step up and patch where necessary.

About the author: Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter. has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter. Pierluigi Paganini (Security Affairs – hacking, DNS)

Share this...

Linkedin Reddit Pinterest

Share On