Security researchers at Google discovered seven vulnerabilities, including three that enable remote code execution,...
in the widely used Dnsmasq server, an open source domain name system and Dynamic Host Configuration Protocol package.
The Dnsmasq server software is bundled with Android, as well as many versions of Linux, and it has been ported to other Unix-like OSes. Dnsmasq includes servers for DNS and DHCP, and it's widely used in entry-level network routers, as well as other internet-of-things (IoT) devices.
"Dnsmasq provides functionality for serving DNS, DHCP, router advertisements and network boot," the Google research team wrote in the blog post announcing the vulnerabilities and the availability of patches for the flaws. "This software is commonly installed in systems as varied as desktop Linux distributions (like Ubuntu), home routers, and IoT devices. Dnsmasq is widely used both on the open internet and internally in private networks."
The research team -- which includes Fermin Serna, staff software engineer; Matt Linton, senior security engineer; and Kevin Stadmeyer, technical program manager -- published detailed instructions for their proof-of-concept exploits of the Dnsmasq server code. The three remote code execution vulnerabilities included CVE-2017-14491, "a DNS-based vulnerability that affects both directly exposed and internal network setups," and CVE-2017-14493, "a trivial-to-exploit DHCP-based, stack-based buffer overflow vulnerability," according to the Google researchers. The other RCE vulnerability was CVE-2017-14492, allowing attackers to use a heap-based overflow flaw in DHCP.
The other vulnerabilities included CVE-2017-14494, a data-leak flaw in the Dnsmasq DHCP code; CVE-2017-14495, an out-of-memory and denial-of-service bug in DNS; and CVE-2017-14496 and CVE-2017-13704, DoS bugs in DNS.
The Google team worked with Simon Kelley, the U.K. open source developer responsible for Dnsmasq, to patch and mitigate the issues. Dnsmasq server version 2.78, published on Oct. 2, fixes the vulnerabilities.
In other news
- A new challenge on the use of standard contractual clauses (SCCs) to protect personal data transferred outside of the European Union is on its way to the Court of Justice of the EU (CJEU). The decision is the latest development in the legal campaign by Max Schrems to stop Facebook from transferring data about EU residents to the United States without guaranteeing the safety of that data from mass surveillance by U.S. authorities. Schrems is the Austrian attorney who, as a law student in 2013, sued Facebook over the data transfers. The CJEU's decision in that case scuttled Safe Harbor, the long-standing framework for trans-Atlantic data flows. "The referral of the case to the European court means that the adequacy of SCCs as a legal transfer mechanism will be put into question," Deema Freij, global data privacy officer for New York-based enterprise software maker Intralinks Inc., told SearchSecurity. "After the decision in October 2015, which invalidated the Safe Harbor framework, most companies were left in limbo before the EU-U.S. Privacy Shield framework was implemented. And, as such, there was a rush for companies to put in place standard contractual clauses to ensure that an adequate and legal transfer mechanism was put in place. I would say that even after the EU-U.S. Privacy Shield framework was implemented, most companies still felt the safest route was to enter into standard contractual clauses in case another rerun of the invalidation of Safe Harbor occurred with reference to Privacy Shield."
- Hewlett Packard Enterprise shared source code with a Russian defense agency for security software also used by the U.S. military, Reuters reported. HPE submitted the code for review to comply with Russian regulations so it could sell its ArcSight security information and event management software to Russian customers. HPE provided the source code to the Russian company Echelon, which reviewed the code for Russia's Federal Service for Technical and Export Control. In a statement, HPE noted that the code review has been required under Russian law "for years" to test for backdoors, and the review was conducted under HPE supervision. The review occurred last year, before HPE concluded its sale of ArcSight to Micro Focus earlier this year.
- In the wake of the Equifax data breach, White House cybersecurity coordinator Rob Joyce said it may be time to replace Social Security numbers as a national identification code -- and discussion is already underway at the policy level in the current administration to consider replacements. "I feel very strongly that the Social Security number [has] outlived its usefulness. It's a flawed system," Joyce said Tuesday at The Washington Post's Cybersecurity Summit. Joyce said he has begun soliciting proposals from departments and agencies for a replacement for the Social Security number, perhaps using technologies that employ public and private keys. Joyce made similar comments during a keynote this week at the Cambridge Cyber Summit in Boston.
Learn about the potential risks of commingling public and IoT clouds
Find out how DNS can be made more secure
Read up on how to defend the domain name system