Kubernetes / Security / Open Source

Security Alert: Patch Dnsmasq on Your Linux Servers, Kubernetes and Networking Devices

9 Oct 2017 1:26pm, by

Security researchers from Google have recently found serious vulnerabilities in dnsmasq, a software package used in Linux, BSD and macOS to set up Domain Name Server (DNS) and Dynamic Host Configuration Protocol (DHCP) services for networks.

Dnsmasq is also used in Kubernetes, which included a patched DNS pod in versions 1.5.8, 1.6.11, 1.7.7 and 1.8.0. Kubernetes 1.8 was released on Sept. 28 and also has some other security enhancements. With its small footprint, dnsmasq is also widely used in routers and other networking equipment, as well as is firewalls and mobile device hotspots.

The Google researchers found three remote code execution flaws, three denial-of-service issues and an information leak bug that could help attackers bypass the Address Space Layout Randomization (ASLR) anti-exploitation mechanism. They worked with dnsmasq maintainer Simon Kelley and the flaws were fixed in dnsmasq version 2.78.

If dnsmasq is configured to provide external DNS or DHCP services, these vulnerabilities can potentially be exploited from the internet.

Linux servers administrators should make sure they obtain the updated dnsmasq packages from distribution maintainers. However, the software is also present in a variety of Linux-based embedded networking devices, including routers, and those devices will require updates from their respective vendors.

One of the remote code execution vulnerabilities, tracked as CVE-2017-14491, can be exploited over DNS, and the other two, CVE-2017-14492 and CVE-2017-14493, can be exploited over DHCP. If dnsmasq is configured to provide external DNS or DHCP services, these vulnerabilities can potentially be exploited from the internet.

Researchers from security firm Trend Micro identified around 1 million devices that are running a vulnerable version of dnsmasq and expose a DNS service (port 53) on the public internet.

In addition to working with Kelley to fix the flaws, the Google researchers also contributed a patch to the project that aims to harden dnsmasq against exploits in the future. The patch still needs to be reviewed and integrated into the software, but its goal is to run dnsmasq under the Linux kernel’s seccomp-bpf sandboxing mechanism.Sandboxing makes it harder for what attackers could do if they exploit a remote code execution flaw in the software in the future.

Sandboxing makes it significantly harder for attackers to exploit vulnerabilities in order to achieve arbitrary code execution with kernel privileges because the targeted process is isolated by an additional layer that would require a separate vulnerability and exploit to defeat.

Until Google’s patch is accepted and integrated into dnsmasq, users can download and apply it manually to their installations. Of course, thorough testing should be performed before deploying the patch on production systems.

Users are advised to upgrade their systems as soon as possible because proof-of-concept exploits for the flaws are available and hackers could use them to develop malicious attacks.

As far as Kubernetes version 1.8 goes, the role-based access control (RBAC) feature has reached stable status and the new release also comes with beta support for filtering outbound traffic through network policies. In addition, the Kubelet node agent now has beta support for Transport Layer Security (TLS) certificate rotation, which is expected to simplify secure cluster operation.

Google is a sponsor of The New Stack.

Feature image via Pixabay.