EulerOS 2.0 SP2 : dnsmasq (EulerOS-SA-2018-1285)

High Nessus Plugin ID 117729

Synopsis

The remote EulerOS host is missing multiple security updates.

Description

According to the versions of the dnsmasq packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

- A memory exhaustion flaw was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets which would trigger memory allocations which would never be freed, leading to unbounded memory consumption and eventually a crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet. (CVE-2017-14495)

- An integer underflow flaw leading to a buffer over-read was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet. (CVE-2017-14496)

As this issue only affects configurations using the add-mac, add-cpe-id, or add-subnet options, and these are not enabled by default in dnsmasq on EulerOS, this vulnerability may not actively affect the system at this time, but has the potential to do so if the configuration changes. Updating the version of these packages is the safest course of action.

Note that Tenable Network Security has extracted most of the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected dnsmasq packages.

See Also

http://www.nessus.org/u?3549a782

Plugin Details

Severity: High

ID: 117729

File Name: EulerOS_SA-2018-1285.nasl

Version: 1.4

Type: local

Published: 2018/09/27

Updated: 2019/04/08

Dependencies: 12634

Configuration: Enable paranoid mode

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:huawei:euleros:dnsmasq, p-cpe:/a:huawei:euleros:dnsmasq-utils, cpe:/o:huawei:euleros:2.0

Required KB Items: Host/local_checks_enabled, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/sp, Settings/ParanoidReport

Excluded KB Items: Host/EulerOS/uvp_version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2018/09/05

Vulnerability Publication Date: 2017/10/02

Reference Information

CVE: CVE-2017-14495, CVE-2017-14496