SB-6 2017-10-03 dnsmasq vulnerability

Service bulletin: SB-6
Date: October 3, 2017

This week a vulnerability was discovered in dnsmasq. You can read about it in more detail at:

https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

The main concern with this vulnerability is that a DNS request could cause a denial of service, information leakage, or remote control of the bonder.

A bonder can be affected in two different scenarios, each with its own fix.

Note that only bonders are affected by this, and only bonders that fit into the following scenarios are at risk.

Scenario 1

The first scenario is a bonder configured to serve DHCP from a connected IP through the web admin. The affected versions of bonding are:

  • 2016.2-53 or lower

  • 6.0.62 or lower

  • 6.1.75 or lower

Earlier versions of bonding did not have the DHCP server as an option and are not affected in this way.

To fix a bond running any of the above patch levels, the following commands can be run on the bonder:

apt-get update
apt-get install bonding
service bonding restart

Scenario 2

The second scenario is a bonder running a DHCP server as we used to describe in our documentation before the DHCP server was integrated. Debian provides a patch to dnsmasq that resolves this problem as long as the bonder is running Jessie. If the bonder is running Wheezy or Squeeze, there is no update available. Debian 8 (Jessie) bonders running dnsmasq with a version less than 2.72-3+deb8u2 are affected by this.

You can also check whether a Wheezy patch has been made available at:

https://security-tracker.debian.org/tracker/source-package/dnsmasq

To fix a bond running in the above scenario, the following commands can be run:

apt-get update
apt-get install dnsmasq
service bonding restart
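
Before and after applying either fix, the installed package versions can be compared against the thresholds in this bulletin. The script below is an added example, not part of the original bulletin or the vendor's tooling; it assumes the packages are named `bonding` and `dnsmasq` as in the commands above, and that a bonding version is matched to its threshold by version prefix.

```shell
#!/bin/sh
# Added example, not vendor code. Thresholds are the ones listed in SB-6;
# choosing a bonding threshold by version prefix is an assumption.

FIXED_DNSMASQ='2.72-3+deb8u2'  # Jessie builds below this are affected (per SB-6)

# Scenario 1: bonding_status VERSION -> affected | ok | unknown
# "affected" only matters if the bonder serves DHCP through the web admin.
bonding_status() {
    case "$1" in
        2016.2-*) limit='2016.2-53' ;;
        6.0.*)    limit='6.0.62' ;;
        6.1.*)    limit='6.1.75' ;;
        *)        echo unknown; return 0 ;;
    esac
    if dpkg --compare-versions "$1" le "$limit"; then echo affected; else echo ok; fi
}

# Scenario 2: dnsmasq_status DEBIAN_MAJOR VERSION -> affected | ok | no-update | unknown
dnsmasq_status() {
    case "$1" in
        8)   if dpkg --compare-versions "$2" lt "$FIXED_DNSMASQ"
             then echo affected; else echo ok; fi ;;
        6|7) echo no-update ;;   # Squeeze/Wheezy: no fixed package per SB-6
        *)   echo unknown ;;
    esac
}

# Print the version of an installed package, or nothing if it is not installed.
installed_version() {
    dpkg-query -W -f='${Status} ${Version}\n' "$1" 2>/dev/null |
        sed -n 's/^install ok installed //p'
}

report() {
    b=$(installed_version bonding)
    d=$(installed_version dnsmasq)
    major=$(cut -d. -f1 /etc/debian_version 2>/dev/null || true)
    if [ -n "$b" ]; then echo "bonding $b: $(bonding_status "$b")"; fi
    if [ -n "$d" ]; then echo "dnsmasq $d (Debian $major): $(dnsmasq_status "$major" "$d")"; fi
}

# Run as: sh sb6-check.sh report   (the file name is a placeholder)
case "${1:-}" in report) report ;; esac
```

Run it on the bonder with the `report` argument; a result of `affected` or `no-update` means the bonder still needs attention under the matching scenario.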