Google warns of serious vulnerabilities in Dnsmasq proxy

Users of the popular open source Dnsmasq network infrastructure application are advised to update their installations, after Google discovered multiple security issues with the software.

Dnsmasq is a lightweight proxy that provides domain name system, dynamic host control protocol, router advertisements and remote boot services for small networks.

It is widely used in desktop Linux distributions, home routers and Internet of Things devices, as well as in Google's Android operating system.

Google's security team reviewed Dnsmasq and found one DNS-related remote code execution flaw, and two that could be triggered via DHCP.

The team also identified three denial of service vulnerabilities, and one information leak flaw that could be used to bypass system memory address space layout randomisation.

The CVE-2017-14491 DNS-based vulnerability in Dnsmasq versions before 2.76 allowed for unrestricted heap overflows, affecting both external and internal networks, Google said.

While Google's Android mobile operating system is affected by the vulnerability through local or directly tethered connections, Dnsmasq runs as a sandboxed or isolated service, reducing the risk of exploitation.

Google worked with Dnsmasq maintainer Simon Kelley to produce patches for the utility.

Version 2.78 of Dnsmasq takes care of the seven vulnerabilities. Patches were sent out to Google Android partners early last month, to address the vulnerabilties.