dnsmasq in 1.1.x is outdated and vulnerable to many CVEs
Closed, Resolved | Public | BUG


The version of dnsmasq in 1.1.7 is very old (2.55, from 2010) and vulnerable to a large number of CVEs, including the following (released yesterday by Google Project Zero):

And the following (which are also in T403):

There are also a lot of vulnerabilities in the non-DNS parts of dnsmasq, but AFAICT VyOS uses ISC DHCPD for DHCP and never enables the dnsmasq DHCP server. If I'm wrong about that and there's some case where dnsmasq DHCPD will be enabled, let me know and I can add it to this ticket.

There are already reports of active abuse on the Internet, and it would be nice to get an updated dnsmasq package into 1.1.8 (and 1.1.8 out the door soon). If that doesn't happen, maybe it's time to publish an advisory against using DNS services in VyOS (which would be personally inconvenient to me as a user because I don't really want to have to stick another server running another Linux distro with a newer-than-7-years-old dnsmasq in it everywhere I have VyOS).

Otherwise, everybody who has DNS serving enabled on some branch office VyOS device is going to be able to be shelled over port 53.

This ticket was created on the recommendation of @syncer from Q111.


Difficulty level: Unknown (require assessment)
Why the issue appeared? Will be filled on close
syncer assigned this task to UnicronNL.
syncer added subscribers: UnicronNL, dmbaturin.

@UnicronNL @dmbaturin
can we just rebuild fresh from wheezy?

elsev7 added a subscriber: elsev7. Oct 5 2017, 11:49 AM

added jessie one. https://github.com/vyos/dnsmasq
need to test in 1.1.8 rc1

elsev7 removed a subscriber: elsev7. Oct 6 2017, 8:03 AM
dmbaturin closed this task as Resolved. Nov 13 2017, 8:56 AM