安全公告编号:CNTA-2017-0068
近期,国家信息安全漏洞共享平台(CNVD)收录了DNSmasq多个安全漏洞(CNVD-2017-29278、CNVD-2017-29277、CNVD-2017-29276、CNVD-2017-29275、CNVD-2017-29274、CNVD-2017-29273、CNVD-2017-29272)。远程攻击者可在目标系统上执行任意代码、造成服务崩溃或窃取内存敏感信息,影响范围涉及服务器、终端(包括移动终端)操作系统发行版本及相关组件,且当前利用方法已经公开,有可能诱发大规模攻击。
一、漏洞情况分析
DNSmasq是一款广泛使用的开源软件,提供DNS、DHCP、路由器广告和网络引导服务。在DNS服务中,DNSmasq可以通过缓存DNS请求来提高对访问过的网址的连接速度;在DHCP 服务,DNSmasq可以用于为局域网电脑分配内网ip地址和提供路由。它还被广泛用于智能手机和便携式热点,并支持虚拟化框架中的虚拟网络。支持的平台包括Linux(与glibc和uclibc)、Android、* BSD和Mac OSx。Dnsmasq包含在大多数Linux发行版和FreeBSD、OpenBSD和NetBSD的端口系统中。此外,Dnsmasq对IPv6网络也提供了完整支持。
近日谷歌安全研究人员发现Dnsmasq存在7个高危漏洞,相关漏洞详情如下:
上述漏洞可以通过DNS和DHCP协议远程触发,在特定情况下,攻击者通过构造特定数据包请求,导致远程代码执行、信息泄露和拒绝服务。CNVD对上述漏洞的综合评级均为“高危”。
二、漏洞影响范围
漏洞影响范围十分广泛,涉及Linux以及Android操作系统发行版本以及多个自身组件版本,也波及到一些网络设备或终端设备固件。CNVD用户组成员单位华为公司对其生产的产品情况进行了风险自查,在已排查的有可能采用相关组件的HG8021H、HG8045A、HG8045A2、HG8245A、HG8247H多款路由器中,确认未受漏洞影响。
三、漏洞处置建议
DNSmasq 2.78版本已修复了这些漏洞,用户可通过链接:http://www.thekelleys.org.uk/dnsmasq/自行更新。如未能更新,可以采用以下临时解决方案:
必要情况下,请关闭影响DNSmasq安全的配置选项;使用白名单机制,这样可以使DNSmasq服务限制访问权限;使用可信的DNS服务。
参考链接:
http://www.thekelleys.org.uk/dnsmasq/doc.html
http://www.securityfocus.com/bid/101085
http://securitytracker.com/id/1039474
http://www.cnvd.org.cn/flaw/show/CNVD-2017-29278
http://www.cnvd.org.cn/flaw/show/CNVD-2017-29277
http://www.cnvd.org.cn/flaw/show/CNVD-2017-29276
http://www.cnvd.org.cn/flaw/show/CNVD-2017-29275
http://www.cnvd.org.cn/flaw/show/CNVD-2017-29274
http://www.cnvd.org.cn/flaw/show/CNVD-2017-29273
http://www.cnvd.org.cn/flaw/show/CNVD-2017-29272
http://www.huawei.com/cn/psirt/security-notices/2017/huawei-sn-20171006-01-dnsmasq-cn (华为自查公告)
http://blog.trendmicro.com/trendlabs-security-intelligence/dnsmasq-reality-check-remediation-practices/?from=singlemessage&isappinstalled=0 (趋势科技提供的临时解决方案)
附:受影响的操作系统发行版本以及相关组件列表
Ubuntu Ubuntu Linux 17.04
Ubuntu Ubuntu Linux 16.04 LTS
Ubuntu Ubuntu Linux 14.04 LTS
Thekelleys Dnsmasq 1.2.2
Thekelleys Dnsmasq 2.77
Thekelleys Dnsmasq 2.75
Thekelleys Dnsmasq 2.72
Thekelleys Dnsmasq 2.71
Thekelleys Dnsmasq 2.70
Thekelleys Dnsmasq 2.7
Thekelleys Dnsmasq 2.65
Thekelleys Dnsmasq 2.64
Thekelleys Dnsmasq 2.63
Thekelleys Dnsmasq 2.62
Thekelleys Dnsmasq 2.61
Thekelleys Dnsmasq 2.60
Thekelleys Dnsmasq 2.6
Thekelleys Dnsmasq 2.59
Thekelleys Dnsmasq 2.58
Thekelleys Dnsmasq 2.57
Thekelleys Dnsmasq 2.56
Thekelleys Dnsmasq 2.55
Thekelleys Dnsmasq 2.54
Thekelleys Dnsmasq 2.53
Thekelleys Dnsmasq 2.52
Thekelleys Dnsmasq 2.51
Thekelleys Dnsmasq 2.50
Thekelleys Dnsmasq 2.49
Thekelleys Dnsmasq 2.48
Thekelleys Dnsmasq 2.47
Thekelleys Dnsmasq 2.46
Thekelleys Dnsmasq 2.45
Thekelleys Dnsmasq 2.44
Thekelleys Dnsmasq 2.43
Thekelleys Dnsmasq 2.42
Thekelleys Dnsmasq 2.41
Thekelleys Dnsmasq 2.40
Thekelleys Dnsmasq 2.4
Thekelleys Dnsmasq 2.38
Thekelleys Dnsmasq 2.37
Thekelleys Dnsmasq 2.36
Thekelleys Dnsmasq 2.35
Thekelleys Dnsmasq 2.34
Thekelleys Dnsmasq 2.33
Thekelleys Dnsmasq 2.30
Thekelleys Dnsmasq 2.29
Thekelleys Dnsmasq 2.28
Thekelleys Dnsmasq 2.27
Thekelleys Dnsmasq 2.26
Thekelleys Dnsmasq 2.25
Thekelleys Dnsmasq 2.24
Thekelleys Dnsmasq 2.23
Thekelleys Dnsmasq 2.22
Thekelleys Dnsmasq 2.21
Thekelleys Dnsmasq 2.20
Thekelleys Dnsmasq 2.2
Thekelleys Dnsmasq 2.19
Thekelleys Dnsmasq 2.18
Thekelleys Dnsmasq 2.17
Thekelleys Dnsmasq 2.16
Thekelleys Dnsmasq 2.15
Thekelleys Dnsmasq 2.14
Thekelleys Dnsmasq 2.13
Thekelleys Dnsmasq 2.12
Thekelleys Dnsmasq 2.11
Thekelleys Dnsmasq 2.10
Thekelleys Dnsmasq 1.9
Thekelleys Dnsmasq 1.8
Thekelleys Dnsmasq 1.6
Thekelleys Dnsmasq 1.5
Thekelleys Dnsmasq 1.4
Thekelleys Dnsmasq 1.3
Thekelleys Dnsmasq 1.18
Thekelleys Dnsmasq 1.17
Thekelleys Dnsmasq 1.16
Thekelleys Dnsmasq 1.15
Thekelleys Dnsmasq 1.14
Thekelleys Dnsmasq 1.13
Thekelleys Dnsmasq 1.12
Thekelleys Dnsmasq 1.11
Thekelleys Dnsmasq 1.10
Thekelleys Dnsmasq 1.0
Thekelleys Dnsmasq 0.996
Thekelleys Dnsmasq 0.992
Thekelleys Dnsmasq 0.98
Thekelleys Dnsmasq 0.96
Thekelleys Dnsmasq 0.95
Thekelleys Dnsmasq 0.7
Thekelleys Dnsmasq 0.6
Thekelleys Dnsmasq 0.5
Thekelleys Dnsmasq 0.4
Slackware Slackware Linux 14.2
Slackware Slackware Linux 14.1
Slackware Slackware Linux 14.0
Slackware Slackware Linux 13.37
Slackware Slackware Linux 13.1
Slackware Slackware Linux 13.0
Redhat Enterprise Linux Workstation Optional 7
Redhat Enterprise Linux Workstation Optional 6
Redhat Enterprise Linux Workstation 7
Redhat Enterprise Linux Workstation 6
Redhat Enterprise Linux Server TUS 6.6
Redhat Enterprise Linux Server TUS 6.5
Redhat Enterprise Linux Server Optional EUS 7.3
Redhat Enterprise Linux Server Optional EUS 7.2
Redhat Enterprise Linux Server Optional EUS 6.5
Redhat Enterprise Linux Server Optional AUS 6.6
Redhat Enterprise Linux Server Optional AUS 6.5
Redhat Enterprise Linux Server Optional AUS 6.4
Redhat Enterprise Linux Server Optional 7
Redhat Enterprise Linux Server Optional 6
Redhat Enterprise Linux Server for ARM 7
Redhat Enterprise Linux Server EUS 7.3
Redhat Enterprise Linux Server EUS 7.2
Redhat Enterprise Linux Server AUS 6.6
Redhat Enterprise Linux Server AUS 6.5
Redhat Enterprise Linux Server AUS 6.4
Redhat Enterprise Linux Server AUS 6.2
Redhat Enterprise Linux Server - TUS 7.4
Redhat Enterprise Linux Server - TUS 7.3
Redhat Enterprise Linux Server - TUS 7.2
Redhat Enterprise Linux Server - Extended Update Support 7.4
Redhat Enterprise Linux Server - Extended Update Support 7.2
Redhat Enterprise Linux Server - Extended Update Suppor 7.3
Redhat Enterprise Linux Server - AUS 7.4
Redhat Enterprise Linux Server - AUS 7.3
Redhat Enterprise Linux Server - AUS 7.2
Redhat Enterprise Linux Server - 4 Year Extended Update Support 7.4
Redhat Enterprise Linux Server - 4 Year Extended Update Support 7.2
Redhat Enterprise Linux Server (for IBM Power LE) - 4 Year Extended Upd 7.3
Redhat Enterprise Linux Server (for IBM Power LE) - 4 Year Extended Update Support 7.4
Redhat Enterprise Linux Server 7
Redhat Enterprise Linux Server 6
Redhat Enterprise Linux Server 5
Redhat Enterprise Linux Long Life 5.9 server
Redhat Enterprise Linux HPC Node Optional 6
Redhat Enterprise Linux HPC Node 6
Redhat Enterprise Linux for Scientific Computing 7
Redhat Enterprise Linux for Power, little endian - Extended Update Supp 7.4
Redhat Enterprise Linux for Power, little endian 7
Redhat Enterprise Linux for Power, big endian - Extended Update Support 7.4
Redhat Enterprise Linux for Power, big endian 7
Redhat Enterprise Linux for Power little endian - Extended Update Suppo 7.3
Redhat Enterprise Linux for Power little endian - Extended Update Suppo 7.2
Redhat Enterprise Linux for Power big endian - Extended Update Support 7.3
Redhat Enterprise Linux for Power big endian - Extended Update Support 7.2
Redhat Enterprise Linux for IBM z Systems - Extended Update Support 7.4
Redhat Enterprise Linux for IBM z Systems - Extended Update Support 7.3
Redhat Enterprise Linux for IBM z Systems - Extended Update Support 7.2
Redhat Enterprise Linux for IBM z Systems 7
Redhat Enterprise Linux EUS Compute Node 7.4
Redhat Enterprise Linux EUS Compute Node 7.3
Redhat Enterprise Linux EUS Compute Node 7.2
Redhat Enterprise Linux Desktop Optional 6
Redhat Enterprise Linux Desktop 7
Redhat Enterprise Linux Desktop 6
Redhat Enterprise Linux ComputeNode Optional EUS 7.3
Redhat Enterprise Linux ComputeNode Optional EUS 7.2
Redhat Enterprise Linux ComputeNode Optional 7
Redhat Enterprise Linux ComputeNode EUS 7.3
Redhat Enterprise Linux ComputeNode EUS 7.2
Redhat Enterprise Linux ComputeNode 7
Oracle Linux 7
Oracle Linux 6
openSUSE Leap 42.3
openSUSE Leap 42.2
Kubernetes Kubernetes 1.7.6
Kubernetes Kubernetes 1.7
Kubernetes Kubernetes 1.6.10
Kubernetes Kubernetes 1.6
Kubernetes Kubernetes 1.5.7
Kubernetes Kubernetes 1.5
Kubernetes Kubernetes 1.2
Google Android 7.1.1
Google Android 6.0.1
Google Android 5.1.1
Google Android 5.0.2
Google Android 4.4.4
Google Android 8.0
Google Android 7.1.2
Google Android 7.0
Google Android 6.0
Fedoraproject Fedora 27
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 ia-30
Debian Linux 6.0 arm
Debian Linux 6.0 amd64
CentOS CentOS 7
CentOS CentOS 6