CVE-2017-14491 — CRITICAL (9.8)

Q: What is CVE-2017-14491?

CVE-2017-14491 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response.

Q: How severe is CVE-2017-14491?

CVE-2017-14491 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2017-14491?

Check the references section above for vendor advisories and patch information. Affected products include: Thekelleys Dnsmasq, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Workstation, Canonical Ubuntu Linux.

Vulnerability Description

Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Thekelleys	Dnsmasq	<= 2.77
Redhat	Enterprise Linux Desktop	6.0
Redhat	Enterprise Linux Server	6.0
Redhat	Enterprise Linux Workstation	6.0
Canonical	Ubuntu Linux	12.04
Debian	Debian Linux	7.0
Opensuse	Leap	42.2
Suse	Linux Enterprise Debuginfo	11
Suse	Linux Enterprise Point Of Sale	11
Suse	Linux Enterprise Server	11
Nvidia	Linux For Tegra	< r21.6
Nvidia	Jetson Tk1	-
Nvidia	Jetson Tx1	-
Nvidia	Geforce Experience	>= 3.0, < 3.10.0.55
Microsoft	Windows	-
Huawei	Honor V9 Play Firmware	< jimmy-al00ac00b135
Huawei	Honor V9 Play	-
Arista	Eos	<= 4.15
Siemens	Ruggedcom Rm1224 Firmware	< 5.0
Siemens	Ruggedcom Rm1224	-

Related Weaknesses (CWE)

CWE-787

References

http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00003.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00004.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00005.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00006.htmlMailing ListThird Party Advisory
http://nvidia.custhelp.com/app/answers/detail/a_id/4560Third Party Advisory
http://nvidia.custhelp.com/app/answers/detail/a_id/4561Third Party Advisory
http://packetstormsecurity.com/files/144480/Dnsmasq-2-Byte-Heap-Based-Overflow.hExploitThird Party AdvisoryVDB Entry
http://thekelleys.org.uk/dnsmasq/CHANGELOGRelease NotesVendor Advisory
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commit%3Bh=0549c73b7ea6b22a3c
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-005.txtThird Party Advisory
http://www.debian.org/security/2017/dsa-3989Third Party Advisory
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171103-01-dnsmasqThird Party Advisory
http://www.securityfocus.com/bid/101085Broken Link
http://www.securityfocus.com/bid/101977Broken Link
http://www.securitytracker.com/id/1039474Broken Link

FAQ

What is CVE-2017-14491?

CVE-2017-14491 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response.

How severe is CVE-2017-14491?

CVE-2017-14491 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-14491?

Check the references section above for vendor advisories and patch information. Affected products include: Thekelleys Dnsmasq, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Workstation, Canonical Ubuntu Linux.