CVE-2017-14491

critical-risk

Published 2017-10-04

Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response.

Do I need to act?

57.8% chance of exploitation in next 30 days

EPSS score — higher than 42% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

42941

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (20)

Dnsmasq

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Workstation

Ubuntu Linux

Debian Linux

Leap

Linux Enterprise Debuginfo

Linux Enterprise Point Of Sale

Linux Enterprise Server

Linux For Tegra

Affected Vendors

Nvidia Opensuse Debian Arista Canonical Arubanetworks Redhat Siemens Huawei Thekelleys Suse Synology

References (80)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00003.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00004.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00005.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00006.html

Third Party Advisory http://nvidia.custhelp.com/app/answers/detail/a_id/4560

Third Party Advisory http://nvidia.custhelp.com/app/answers/detail/a_id/4561

Exploit http://packetstormsecurity.com/files/144480/Dnsmasq-2-Byte-Heap-Based-Overflow.h...

Release Notes http://thekelleys.org.uk/dnsmasq/CHANGELOG

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commit%3Bh=0549c73b7ea6b22a3c...

Third Party Advisory http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-005.txt

Third Party Advisory http://www.debian.org/security/2017/dsa-3989

Third Party Advisory http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171103-01-dnsmasq...

Broken Link http://www.securityfocus.com/bid/101085

Broken Link http://www.securityfocus.com/bid/101977

Broken Link http://www.securitytracker.com/id/1039474

Third Party Advisory http://www.ubuntu.com/usn/USN-3430-1

Third Party Advisory http://www.ubuntu.com/usn/USN-3430-2

Third Party Advisory http://www.ubuntu.com/usn/USN-3430-3

Third Party Advisory https://access.redhat.com/errata/RHSA-2017:2836

Third Party Advisory https://access.redhat.com/errata/RHSA-2017:2837

and 60 more references

/ 100

critical-risk

Severity 32/34 · Critical

Exploitability 25/34 · High

Exposure 24/34 · High