Critical Dnsmasq Flaws Put Networking Devices, Linux Systems at Risk

If you have Linux systems in your environment—desktops, servers, routers and other networking devices—you should install the latest patches for the dnsmasq package as soon as they become available.

Security researchers from Google found seven vulnerabilities in the widely used open-source software, which provides networking services for small networks, including three flaws that could allow for remote code execution.

Dnsmasq is included in most Linux distributions by default, as well as in FreeBSD, OpenBSD, NetBSD, macOS and Android. It provides DNS, DHCP, router advertisement, network boot and IPv6 services.

Because of its use in various operating systems, the software is also present in a variety of devices, including firewalls, routers, phones, tablets, servers, desktops and laptops. Users should look for patches from their Linux distribution maintainers or their device manufacturers. The flaws have been fixed by the dnsmasq maintainer Simon Kelley in version 2.78, released Monday.

The most serious vulnerability is tracked as CVE-2017-14491 and is located in dnsmasq’s DNS handling code. It can be exploited to achieve remote code execution (RCE) in both internet-exposed and internal network setups.

Another remote code execution vulnerability, CVE-2017-14493, is located in the DHCP implementation and can be exploited in combination with an information leak flaw tracked as CVE-2017-14494.

The third RCE flaw, CVE-2017-14496, also affects Android devices where it can be exploited through tethering. However, the risk is reduced on Android because the dnsmasq process is sandboxed. Google shared patches for the flaw with Android device manufacturers in advance and also released a fix for it as part of the October Android security bulletin.

The company’s researchers released proof-of-concept exploit code for the RCE vulnerabilities they found, but also contributed a patch to dnsmasq that allows the service to run under seccomp-bpf, a sandboxing mechanism in the Linux kernel. Until their patch is accepted into the software, users can integrate it themselves into their deployments.

“We believe the adoption of this patch will increase the security of DNSMasq installations,” the Google researchers said in a blog post.

Attackers Exploiting a Zero-Day Vulnerability in 3 WordPress Plug-Ins

If you run a WordPress website and use the Appointments, Flickr Gallery or RegistrationMagic-Custom Registration Forms plug-ins, you should update them to their latest versions as soon as possible.

Researchers from WordPress security firm WordFence discovered attacks in the wild that are exploiting a previously unknown PHP object injection vulnerability to compromise websites. The flaw is rated 9.8 (Critical) on the CVSS scale.

“This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice. It required no authentication or elevated privileges,” the WordFence researchers said in a blog post.

Researchers Find More Links Between CCleaner Hack and Chinese Cyberespionage Group

Security researchers have analyzed the second malicious payload that was delivered to 40 computers from 12 technology companies through infected installers for Windows system optimization tool CCleaner. The investigation revealed code similarities to malware used in the past by a Chinese cyberespionage group known as Axiom.

Researchers previously found a unique base64 encoding function in the malware attached to the compromised CCleaner installers that was identical to a function used in previous Axiom malware. They also found links between the command-and-control servers and infrastructure used by the group in the past.

The first-stage CCleaner malware, which infected more than 2.2 million computers, was used to deploy a secondary malicious program on a much more select number of computers belonging to technology and telecommunications firms. This led researchers to conclude that this was a sophisticated and highly targeted supply-chain attack.

Researchers from security firm Intezer, whose technology can find malware code similarities easily, have now located a different piece of code in the second-stage CCleaner backdoor that is identical to code found in older Axiom malware.

“Let me put this into better context for you: Out of all the billions and billions of pieces of code (both trusted and malicious) contained in the Intezer Code Genome Database, we found this code in only these APTs,” Jay Rosenberg, a senior security researcher at Intezer, said in a blog post.

“The complexity and quality of this particular attack has led our team to conclude that it was most likely state-sponsored,” the researcher said. “Considering this new evidence, the malware can be attributed to the Axiom group due to both the nature of the attack itself and the specific code reuse throughout that our technology was able to uncover.”

Axiom is actually a larger umbrella for a number of hacking groups that are believed to be controlled by China’s intelligence apparatus. One of those groups, known as DeputyDog or APT17, has been operating for more than a decade and has targeted government entities, non-government organizations, law firms and companies from various industries including defense, information technology and mining. It also broke into Google’s corporate infrastructure in 2009 in an attack known as Operation Aurora.

Equifax Identifies Another 2.5 Million Data Breach Victims

U.S. credit monitoring bureau Equifax has revised the impact of the massive data breach it announced last month that exposed the personal information of nearly half of Americans.

Following the completion of the forensic analysis by cybersecurity firm Mandiant, Equifax said Monday that the number of impacted U.S. consumers is higher by 2.5 million than it initially estimated, bringing the total to 145.5 million victims. However, the number of affected Canadian consumers, which was initially estimated to be as high as 100,000, has now been revised to around 8,000.

Equifax will send written notices to all newly identified victims and the company plans to update its website feature that allows consumers to check if they’ve been impacted with the additional information by Oct. 8.

Sponsored Content
Upcoming Webinar
Not All Flaws Are Created Equal: The Difference Between a Flaw, a Vulnerability and an Exploit

Not All Flaws Are Created Equal: The Difference Between a Flaw, a Vulnerability and an Exploit

According to Gartner, the application layer contains 90% of all vulnerabilities. However, do security experts and developers know what’s happening underneath the application layer? Organizations are aware they cannot afford to let potential system flaws or weaknesses in applications be exploited, but knowing the distinctions between these weaknesses can make ... Read More
May 29, 2018

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 154 posts and counting.See all posts by lucian-constantin

One thought on “Critical Dnsmasq Flaws Put Networking Devices, Linux Systems at Risk

Comments are closed.