Google warns of serious vulnerabilities in Dnsmasq proxy

Patches developed.

Users of the popular open source Dnsmasq network infrastructure application are advised to update their installations, after Google discovered multiple security issues with the software.

Dnsmasq is a lightweight proxy that provides domain name system, dynamic host control protocol, router advertisements and remote boot services for small networks.

It is widely used in desktop Linux distributions, home routers and Internet of Things devices, as well as in Google's Android operating system.

Google's security team reviewed Dnsmasq and found one DNS-related remote code execution flaw, and two that could be triggered via DHCP.

The team also identified three denial of service vulnerabilities, and one information leak flaw that could be used to bypass system memory address space layout randomisation.

The CVE-2017-14491 DNS-based vulnerability in Dnsmasq versions before 2.76 allowed for unrestricted heap overflows, affecting both external and internal networks, Google said.

While Google's Android mobile operating system is affected by the vulnerability through local or directly tethered connections, Dnsmasq runs as a sandboxed or isolated service, reducing the risk of exploitation.

Google worked with Dnsmasq maintainer Simon Kelley to produce patches for the utility.

Version 2.78 of Dnsmasq takes care of the seven vulnerabilities. Patches were sent out to Google Android partners early last month to address the vulnerabilities.

Copyright © iTnews.com.au. All rights reserved.