TL;DR
CERT announced six critical CVEs for dnsmasq, affecting nearly all recent versions. Patches are available, and vendors are expected to release updates soon. The vulnerabilities pose significant security risks.
CERT has released disclosures for six critical security vulnerabilities (CVEs) affecting dnsmasq, a widely used network infrastructure tool. The vulnerabilities are long-standing and affect most versions apart from very old ones, prompting urgent patching efforts. This development is significant for network administrators and security professionals relying on dnsmasq for DHCP and DNS services.
The CERT Coordination Center announced today the release of six CVEs related to dnsmasq, a popular open-source network service used in many Linux distributions, embedded devices, and enterprise environments. These vulnerabilities are described as serious and have existed for some time, with patches now being made available to mitigate the risks.
Simon Kelley, a maintainer of dnsmasq, confirmed that the vulnerabilities are present in all recent versions except for very old, unsupported releases. The CVEs have been pre-disclosed to vendors, who are expected to release patched versions shortly. Kelley also announced the release of dnsmasq version 2.92rel2, which includes fixes for these issues, and indicated that the development branch is being updated with comprehensive patches.
Details of the vulnerabilities and patches are published on the project’s website at https://thekelleys.org.uk/dnsmasq/CVE/. Kelley noted that some patches are backports of earlier fixes, while others involve more extensive rewrites aimed at addressing root causes. The vulnerabilities are believed to have been exploited or at least known to malicious actors, emphasizing the urgency of applying updates.
Why It Matters
This development matters because dnsmasq is a core component in many network environments, including home routers, enterprise networks, and IoT devices. Exploitation of these vulnerabilities could allow attackers to compromise network services, intercept traffic, or execute arbitrary code, leading to potential data breaches or service disruptions. The fact that these bugs are long-standing and affect most recent versions underscores the importance of prompt patching.

Background
dnsmasq has been a widely used tool for DNS and DHCP services for years, with ongoing maintenance and security updates. Recently, the security community has seen an increase in AI-generated bug reports, which has accelerated the identification and disclosure of vulnerabilities. Kelley’s announcement follows a series of security fixes in recent weeks, highlighting a proactive approach towards improving dnsmasq’s security posture.
Prior to this, there have been sporadic security issues in dnsmasq, but today’s disclosures mark a significant update, as multiple CVEs target core functionalities. The vulnerabilities are described as long-standing, indicating they have persisted through multiple versions without detection or exploitation until now.
“The vulnerabilities are long-standing and affect pretty much all non-ancient versions of dnsmasq. We’ve released patches in 2.92rel2 and are working on the upcoming 2.93 release.”
— Simon Kelley
“CERT has disclosed six CVEs related to dnsmasq, which pose serious security risks. Users should apply updates promptly.”
— CERT

What Remains Unclear
It is not yet clear whether any of these vulnerabilities have been actively exploited in the wild. Details about the specific nature of each CVE and their potential impact are still emerging, and the timeline for vendor patch releases may vary across different distributions and devices.

What’s Next
Vendors are expected to release official patches shortly, and administrators should prioritize updating dnsmasq installations. Kelley encourages testing of the upcoming 2.93 release, which aims to include further security fixes. Continued monitoring for exploit activity and further disclosures are anticipated.

Key Questions
What are these six CVEs about?
The CVEs relate to serious security vulnerabilities in dnsmasq, affecting core functions like DNS and DHCP handling. Specific details are available on the project’s website.
Are current dnsmasq versions vulnerable?
Most versions apart from very old ones are affected, including the current stable release 2.92; the fixes are in version 2.92rel2. Users should update as soon as patches are available.
How urgent is it to patch these vulnerabilities?
Given the severity and the potential for exploitation, applying patches promptly is strongly recommended. Vendors are expected to release updates shortly.
Will these vulnerabilities be exploited in attacks?
It is not yet confirmed whether active exploits exist. However, the vulnerabilities are serious enough that immediate patching is advised to mitigate risks.
What should administrators do now?
Monitor vendor updates, test new releases like dnsmasq 2.93 when available, and update systems promptly to protect networks from potential threats.