Nmedia - Fotolia
Researchers found several major vulnerabilities in the Dnsmasq server software, which is bundled with Android. How can these Dnsmasq vulnerabilities be exploited by threat actors, and what do they mean for users of the open source software?
Dnsmasq, a domain name system software package that also includes a feature of Domain Host Configuration Protocol, enables multiple remote execution exploits against systems running the software. Dnsmasq server software is commonly used in Linux-based operating systems, macOS, Android variants, home routers and internet of things (IoT) devices.
The Dnsmasq vulnerabilities should be patched, as there are several risks to having a vulnerable version of the software running on a system.
A system running an unpatched version of Dnsmasq may be vulnerable to inbound traffic sent to the service. This means that an attacker could create a domain purposefully built to take advantage of this attack.
For example, if an attacker created a domain for this purpose, they'd have to craft the response back to the device running Dnsmasq in a way that would exploit the device. This would most likely include having some type of buffer overflow that would give the attacker the ability to run code on the victim's device, and it could lead to privilege escalation and a device being taken over.
There are security features in place in certain operating systems that might make this more difficult to abuse, but the exploit is open and should be closed if at all possible. Attacks would have to spread this malicious link for it to be accessed by a system, and it would most likely be distributed by phishing emails, or even poisoned ad servers.
Fortunately, patches have been released to fix the three Dnsmasq vulnerabilities. Red Hat and other versions of Linux have all added an update to fix this issue. Apple has also included a fix for the vulnerabilities, and Android received an operating system patch, as well.
Android is always a concern when it comes to patching due to multiple manufacturers having different versions of the OS. The major concerns are IoT devices or home routers that are using this technology and aren't normally updated. It's possible that these systems, especially the IoT devices, don't have a patch or are lagging on the installation of the update. It's also concerning because, many times, these devices might need manual intervention when being patched.
As with anything, once a vulnerability is identified, a process should be put in place to remediate or control the situation. If you're running these systems in the enterprise, then attempt to have them patched as part of your patch management lifecycle and vulnerability management process. If you have IoT devices or other systems that can't be patched or that don't have an update available, then it would be wise to have them isolated from the network or properly put in segmented zones to protect other systems from infection.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)