Delivered Tuesdays and Thursdays. Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children. Watch Now. More about cybersecurity 10 ways ransomware attackers pressure you to pay the ransom Cybersecurity, the pandemic and the holiday shopping season: A perfect storm Why Windows 11's security is such a big deal End user data backup policy TechRepublic Premium.
Cybersecurity Insider Newsletter Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays Sign up today.
Editor's Picks. It's time to dump Chrome as your default browser on Android. Women and middle managers will lead the Great Resignation into How Windows 11 makes updates so much smaller. Linux finally has an impressive cloud-like OS in Ubuntu Web.
Best Raspberry Pi accessories and alternatives for Comment and share: How to protect your systems from newly-discovered Dnsmasq vulnerabilities. Show Comments. Hide Comments. The same holds for Alpine-based systems. This is not the case for the three distributions we chose. On October 4, the query returned , hosts, of which 4, directly expose a DNS service port Without actively probing these hosts we can't be sure that they're running Dnsmasq, but there is evidence that supports this hypothesis.
These are all services that typically appear in a SOHO router. Table 1. Breakdown of the , devices potentially running Dnsmasq according to Censys scan data.
Figure 2. Heatmap of the 1,, devices potentially running Dnsmasq with port 53 open according to Shodan data as of October 9. A vanilla Dnsmasq service will always report its version in the network banner, which is captured by Shodan.
This allows us to obtain the breakdown of the versions. On a sample of , hosts as much as Shodan let us download , we found Only three of them had a patched Dnsmasq version 2. Assuming that these devices are running the vanilla versions of the respective distributions, they're all running an outdated—and thus potentially vulnerable—version of Dnsmasq.
Under which conditions the vulnerabilities are exploitable? Does it mean all of the devices we found were remotely exploitable? Let's look at the requirements to understand their impact better.
This table is meant to provide an operational checklist to complement the table provided by Google, which focuses on the vector and the impact of said vulnerabilities. Table 3. Requirements of different vulnerabilities for exploitation. Attack scenario and requirements of CVE exploitation. The above diagram shows how CVE can be exploited. The attacker must be able to receive forwarded DNS queries from the victim device or control the DNS responses of the queried domain.
The responses will contain the exploit. The devices running Dnsmasq could either directly or indirectly participate in the attack. For example, the laptop or the mobile device could be running Dnsmasq configured to query the attacker-controlled upstream server. It could also query the DNS server running on the router, which, in turn, will query the malicious upstream server.
To this end, the attacker must exploit other vulnerabilities in the router , be able to manipulate the network routes to receive the DNS queries or use social engineering by convincing the victim to click on a link to a URL hosted under a domain that the attacker controls as a last-resort. With a non-vulnerable Dnsmasq deployment, the damage that can be done by an attacker is limited to manipulating the result of a DNS request. Instead, thanks to these recent vulnerabilities, an attacker that can receive forwarded DNS requests can execute arbitrary code on the target device.
To summarize, despite beginning with a heap overflow—a well-known vulnerability class—the conditions for successfully exploiting CVE are not trivial. Even in the vulnerable versions of Dnsmasq, the memory overflow is limited to 2 bytes.
Before Dnsmasq 2. Figure 4. Attack scenario for CVE to An attacker must be able to send network packets to the vulnerable devices, which must be configured with the options reported in the table above.
The above diagram shows the attack scenarios for CVE through However, the requirements for attacking these vulnerabilities differ slightly. To exploit these vulnerabilities, the attacker must be able to send network packets to the DHCP subsystem of the target host running Dnsmasq.
In particular, triggering these vulnerabilities requires that the DHCPv6 service is enabled, which means that the host must be serving IPv6 configuration packets. In Dnsmasq, this translates to having the --dhcp-range option listing an IPv6 address range e. For both CVE and , Dnsmasq is exploitable only if run with any of the following options, which are all used to append additional fields to the outgoing, forwarded DNS queries.
How do I check if my devices are affected? Quoting Google Security's blog post:. What about other settings? Although going through the requirements mentioned in the previous paragraphs should suffice as a first assessment, the flowchart at the beginning of this post can serve as a slightly more "operational" workflow for end users. How do I secure my devices? The above flowchart illustrates some of the suggested remediation actions that you can take. Let's quickly go through them. Regardless of whether you can apply any of the above-suggested fixes, it's recommended that you follow generic network-security best practices, especially if your only option is to run a vulnerable version of Dnsmasq.
To reduce the chances of successful exploitation, we recommend the following:. Alerts No new notifications at this time. Free trials. For Home. Products Products Hybrid Cloud Security. Workload Security. Container Security. File Storage Security. Application Security.
Network Security. Open Source Security. Cisco Employee. Post Reply. Latest Contents. Announcing Cisco Wireless Catalyst - Created by Sudhagar Singh on PM. We are excited to announce the Second refresh of After previous Created by apsood on PM. Wireless Config Analyzer Express v 0. Created by Javier Contreras on AM. This version now introduces experimental new feature, "Upgrade Advisor, targeted to one of common case generators: what are the supported versions and how to upgrade my current controllers and APs It supports both AireOS and IOS-XE, covering since Announcing Cisco Wireless 8.
Created by Sudhagar Singh on AM. We are excited to announce the third refresh of 8. While the CCO release of 8.
0コメント