Page MenuHomeVyOS Platform

dnsmasq in 1.1.x is outdated and vulnerable to many CVEs
Closed, ResolvedPublicBUG


The version of dnsmasq in 1.1.7 is very old (2.55, from 2010) and vulnerable to a large number of CVEs, including the following (released yesterday by Google Project Zero):

And the following (which are also in T403):

There are also a lot of vulnerabilities in the non-DNS parts of dnsmasq, but AFAICT VyOS uses ISC DHCPD for DHCP and never enables the dnsmasq DHCP server. If I'm wrong about that and there's some case where dnsmasq DHCPD will be enabled, let me know and I can add it to this ticket.

There are already reports of active abuse on the Internet, and it would be nice to get an updated dnsmasq package into 1.1.8 (and 1.1.8 out the door soon). If that doesn't happen, maybe it's time to publish an advisory against using DNS services in VyOS (which would be personally inconvenient to me as a user because I don't really want to have to stick another server running another Linux distro with a newer-than-7-years-old dnsmasq in it everywhere I have VyOS).

Otherwise, everybody who has DNS serving enabled on some branch office VyOS device is going to be able to be shelled over port 53.

This ticket was created on the recommendation of @syncer from Q111.


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close

Event Timeline

syncer edited projects, added VyOS 1.2 Crux, VyOS 1.1.x (1.1.8); removed VyOS 1.1.x.
syncer added subscribers: UnicronNL, dmbaturin.

@UnicronNL @dmbaturin
can we just rebuild fresh from wheeze?