On October 2nd, the Google security blog announced several vulnerabilities in a piece of software called DNSMasq, which offers DNS forwarding and DHCP services for small computer networks. Days before, IT Briefcase published an article I wrote about indicators of compromise in DNS logs. The article explains that an exploited DNS server may offer the path from an external to an internal network because it lives on the boundary between the two.
A DNS Forwarder, such as DNSMasq, protects internal resources, rather than exposing them to the Internet. The forwarder makes queries to external servers on behalf of hosts inside the network and returns results. The DNS Made Easy blog recommends separate external and internal DNS servers for improved performance and security. Protecting internal hosts from Internet traffic prevents attackers from scanning and compromising them directly.
Attacking a DNS Forwarder accessible from the Internet allows an attacker to gain a foothold in the private network. A firewall may block access from a host on the Internet to an internal host but may let the server hosting the DNS Forwarder contact that otherwise unreachable host. Once an attacker compromises the machine hosting the DNS Forwarder, software on that server can reach the internal network, if the networking rules allow it.
As with many software vulnerabilities, the attack method behind these CVEs is to pass invalid input to the software. Malformed data then allows the attacker to execute commands that the system would otherwise disallow, cause a denial of service, or crash the system. The specific CVEs are as follows:
CVE-2017-14491 – Overflow that enables remote code execution.
CVE-2017-14492 – Heap-based overflow allows remote code execution.
CVE-2017-14493 – Buffer overflow enables remote code execution.
CVE-2017-14494 – DHCP leak used with CVE-2017-14493 to execute code.
CVE-2017-14495 – Denial of service by using up all available memory.
CVE-2017-14496 – Invalid boundary checks in the DNS software.
CVE-2017-13704 – DNS query crashes the software.
Anyone running DNSMasq should update the software to the latest version. Unfortunately, the software download site delivers the software over clear-text HTTP instead of HTTPS (encrypted), and I cannot find a checksum to verify that the downloaded file matches what the author released, so developers will need to find other ways to verify the download.
DNSMasq can run on many Linux distributions, Android, BSD, and OS X. The software is embedded in many networking devices that offer DNS and DHCP services on these operating systems. Other software that includes DNS features, such as Kubernetes, a popular tool for managing containers in micro-services environments, also uses it. Companies should check with equipment and software vendors that include these features to find out whether a device uses this software and whether the vendor has released an update.
These vulnerabilities affect the WatchGuard Firebox, but only if customers have the DNS Forwarding feature enabled. DHCP is unaffected. Version 11.11.2 was the first release that included this software. Our engineers are testing a patch, which customers will be able to download shortly. Future Secplicity blog posts and the WatchGuard customer portal will provide more information.
If a vendor has not yet released a patch, disabling the affected services and creating stricter network rules around the DNS and DHCP server may help. Additionally, companies can monitor firewall, DNS, and DHCP traffic logs for suspicious behavior that indicates malware has infected a host on the network. — Teri Radichel (@teriradichel)
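As an added illustration of the log monitoring suggested above (example code, not from the original post or from WatchGuard), the Python script below triages dnsmasq's `log-queries` syslog output for two signals a defender would want: hosts whose queries look like DNS tunnelling (very long labels, many distinct names under one domain) and repeated "started, version" lines, which show the forwarder restarting as it would after a crash. The log lines, addresses, version string and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed dnsmasq syslog lines (log-queries enabled); addresses and the
# version string are placeholders, not taken from the page.
SAMPLE_LOG = """\
Oct  3 09:11:58 gw dnsmasq[812]: started, version 2.0 cachesize 150
Oct  3 09:12:01 gw dnsmasq[812]: query[A] www.example.com from 10.0.0.21
Oct  3 09:12:01 gw dnsmasq[812]: forwarded www.example.com to 203.0.113.53
Oct  3 09:12:01 gw dnsmasq[812]: reply www.example.com is 198.51.100.10
Oct  3 09:12:05 gw dnsmasq[812]: query[TXT] 6f1a9c3e7b2d4f8a0c5e1b7d9f3a2c4e.tun.example.net from 10.0.0.44
Oct  3 09:12:06 gw dnsmasq[812]: query[TXT] 0b7e4d2a9c1f6e8b3d5a7c9e1f2b4d6a.tun.example.net from 10.0.0.44
Oct  3 09:12:07 gw dnsmasq[812]: query[TXT] 4c2e8a6f1d3b9e7c5a0f2d4b6e8a1c3f.tun.example.net from 10.0.0.44
Oct  3 09:12:30 gw dnsmasq[812]: started, version 2.0 cachesize 150
Oct  3 09:12:31 gw dnsmasq[812]: query[A] mail.example.com from 10.0.0.21
"""

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)")
START_RE = re.compile(r"dnsmasq\[\d+\]: started, version")

def parse_queries(log):
    """Yield (qtype, name, client) for each dnsmasq query line."""
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3)

def registered_domain(name):
    # Naive: last two labels (no public-suffix list); adequate for triage.
    return ".".join(name.rstrip(".").split(".")[-2:])

def find_indicators(log, max_label=30, max_subdomains=2, max_starts=1):
    """Return {client: [reasons]} for tunnel-like query patterns, plus a
    'forwarder' entry when dnsmasq started more than max_starts times."""
    findings = defaultdict(list)
    subs = defaultdict(lambda: defaultdict(set))   # client -> domain -> names
    for qtype, name, client in parse_queries(log):
        if max(len(lab) for lab in name.split(".")) > max_label:
            findings[client].append(f"long label in {name}")
        subs[client][registered_domain(name)].add(name)
    for client, domains in subs.items():
        for dom, names in domains.items():
            if len(names) > max_subdomains:
                findings[client].append(f"{len(names)} distinct names under {dom}")
    starts = sum(1 for line in log.splitlines() if START_RE.search(line))
    if starts > max_starts:
        findings["forwarder"].append(f"dnsmasq started {starts} times (crash/restart?)")
    return dict(findings)
```

Run `find_indicators(SAMPLE_LOG)` to get the flagged clients and reasons; feed real `/var/log/syslog` text in place of the constructed sample.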