5 - GLSA-201406-24

Executive Summary

Summary
Title	Dnsmasq: Denial of Service

Informations
Name	GLSA-201406-24	First vendor Publication	2014-06-25
Vendor	Gentoo	Last vendor Modification	2014-06-25
Severity (Vendor)	Normal	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Cvss Base Score	5	Attack Range	Network
Cvss Impact Score	2.9	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

A vulnerability in Dnsmasq can lead to a Denial of Service condition.

Background

Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP server.

Description

When used with certain libvirt configurations Dnsmasq replies to queries from prohibited interfaces.

Impact

A remote attackers can cause a Denial of Service via spoofed TCP based DNS queries.

Workaround

There is no known workaround at this time.

Resolution

All Dnsmasq users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dns/dnsmasq-2.66"

References

[ 1 ] CVE-2012-3411 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3411
[ 2 ] CVE-2013-0198 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0198

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201406-24.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-201406-24.xml

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-20	Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:20912

Oval ID:	oval:org.mitre.oval:def:20912
Title:	RHSA-2013:0277: dnsmasq security, bug fix and enhancement update (Moderate)
Description:	Dnsmasq before 2.63test1, when used with certain libvirt configurations, replies to requests from prohibited interfaces, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed DNS query.
Family:	unix	Class:	patch
Reference(s):	RHSA-2013:0277-02 CESA-2013:0277 CVE-2012-3411	Version:	4
Platform(s):	Red Hat Enterprise Linux 6 CentOS Linux 6	Product(s):	dnsmasq
Definition Synopsis:
Redhat 6 or Centos 6 release The operating system installed on the system is Red Hat Enterprise Linux 6 AND CentOS Linux 6.x Packages section dnsmasq-utils is earlier than 0:2.48-13.el6 AND dnsmasq is earlier than 0:2.48-13.el6

Definition Id: oval:org.mitre.oval:def:21113

Oval ID:	oval:org.mitre.oval:def:21113
Title:	RHSA-2013:0276: libvirt security, bug fix, and enhancement update (Moderate)
Description:	Dnsmasq before 2.63test1, when used with certain libvirt configurations, replies to requests from prohibited interfaces, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed DNS query.
Family:	unix	Class:	patch
Reference(s):	RHSA-2013:0276-02 CESA-2013:0276 CVE-2012-3411	Version:	4
Platform(s):	Red Hat Enterprise Linux 6 CentOS Linux 6	Product(s):	libvirt
Definition Synopsis:
Redhat 6 or Centos 6 release The operating system installed on the system is Red Hat Enterprise Linux 6 AND CentOS Linux 6.x Packages section libvirt-devel is earlier than 0:0.10.2-18.el6 AND libvirt-python is earlier than 0:0.10.2-18.el6 AND libvirt-client is earlier than 0:0.10.2-18.el6 AND libvirt-lock-sanlock is earlier than 0:0.10.2-18.el6 AND libvirt is earlier than 0:0.10.2-18.el6

Definition Id: oval:org.mitre.oval:def:23819

Oval ID:	oval:org.mitre.oval:def:23819
Title:	ELSA-2013:0276: libvirt security, bug fix, and enhancement update (Moderate)
Description:	Dnsmasq before 2.63test1, when used with certain libvirt configurations, replies to requests from prohibited interfaces, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed DNS query.
Family:	unix	Class:	patch
Reference(s):	ELSA-2013:0276-02 CVE-2012-3411	Version:	6
Platform(s):	Oracle Linux 6	Product(s):	libvirt
Definition Synopsis:
Oracle Linux 6.x rpm test libvirt-devel is earlier than 0:0.10.2-18.el6 AND libvirt-python is earlier than 0:0.10.2-18.el6 AND libvirt-client is earlier than 0:0.10.2-18.el6 AND libvirt-lock-sanlock is earlier than 0:0.10.2-18.el6 AND libvirt is earlier than 0:0.10.2-18.el6

Definition Id: oval:org.mitre.oval:def:24085

Oval ID:	oval:org.mitre.oval:def:24085
Title:	ELSA-2013:0277: dnsmasq security, bug fix and enhancement update (Moderate)
Description:	Dnsmasq before 2.63test1, when used with certain libvirt configurations, replies to requests from prohibited interfaces, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed DNS query.
Family:	unix	Class:	patch
Reference(s):	ELSA-2013:0277-02 CVE-2012-3411	Version:	6
Platform(s):	Oracle Linux 6	Product(s):	dnsmasq
Definition Synopsis:
Oracle Linux 6.x rpm test dnsmasq-utils is earlier than 0:2.48-13.el6 AND dnsmasq is earlier than 0:2.48-13.el6

Definition Id: oval:org.mitre.oval:def:27544

Oval ID:	oval:org.mitre.oval:def:27544
Title:	DEPRECATED: ELSA-2013-0277 -- dnsmasq security, bug fix and enhancement update (moderate)
Description:	[2.48-13] - Fix the DHCP RELEASE problem when two or more dnsmasq instances are running (rhbz#887156) [2.48-12] - Fixing initscript restart stop functions (rhbz#850944) [2.48-11] - Revert previous changes because of many problems with --bind-dynamic option backport. - Dropping dnsmasq-2.48-add-bind-dynamic-option.patch - Set SO_BINDTODEVICE socket option when using --bind-interfaces (rhbz#884957) [2.48-10] - Fixed dnsmasq-2.48-add-bind-dynamic-option.patch - the option --bind-dynamic was not set correctly when used [2.48-9] - Added cc flag -fno-strict-aliasing to solve Testsuite regressions [2.48-8] - Fix CVE-2012-3411 (rhbz#882251) [2.48-7] - Fix lease-change script (rhbz#815819) - Check tftp-root exists and is accessible at startup (rhbz#824214)
Family:	unix	Class:	patch
Reference(s):	ELSA-2013-0277 CVE-2012-3411	Version:	4
Platform(s):	Oracle Linux 6	Product(s):	dnsmasq
Definition Synopsis:
Oracle Linux 6.x Packages match section dnsmasq is earlier than 0:2.48-13.el6 AND dnsmasq-utils is earlier than 0:2.48-13.el6

Definition Id: oval:org.mitre.oval:def:27553

Oval ID:	oval:org.mitre.oval:def:27553
Title:	DEPRECATED: ELSA-2013-0276 -- libvirt security, bug fix, and enhancement update (moderate)
Description:	[libvirt-0.10.2-18.0.1.el6] - Replace docs/et.png in tarball with blank image [0.10.2-18] - rpc: Fix crash on error paths of message dispatching (CVE-2013-0170) - spec: Disable libssh2 support (rhbz#513363)
Family:	unix	Class:	patch
Reference(s):	ELSA-2013-0276 CVE-2012-3411	Version:	4
Platform(s):	Oracle Linux 6	Product(s):	libvirt
Definition Synopsis:
Oracle Linux 6.x Packages match section libvirt is earlier than 0:0.10.2-18.0.1.el6 AND libvirt-client is earlier than 0:0.10.2-18.0.1.el6 AND libvirt-devel is earlier than 0:0.10.2-18.0.1.el6 AND libvirt-python is earlier than 0:0.10.2-18.0.1.el6

CPE : Common Platform Enumeration

Type	Description	Count
Application	Thekelleys Dnsmasq cpe:2.3:a:thekelleys:dnsmasq:2.9:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.8:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.7:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.6:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.5:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.48:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.47:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.46:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.45:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.44:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.43:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.42:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.41:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.40:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.4:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.39:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.38:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.37:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.36:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.35:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.34:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.33:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.31:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.30:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.3:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.29:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.28:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.27:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.26:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.25:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.24:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.23:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.22:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.21:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.20:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.2:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.19:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.18:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.17:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.16:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.15:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.14:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.13:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.12:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.11:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.10:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.1:::::::* cpe:2.3:a:thekelleys:dnsmasq:2.0:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.9:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.8:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.7:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.6:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.5:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.4:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.3:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.2:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.18:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.17:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.16:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.15:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.14:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.13:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.12:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.11:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.10:::::::* cpe:2.3:a:thekelleys:dnsmasq:1.0:::::::* cpe:2.3:a:thekelleys:dnsmasq:0.996:::::::* cpe:2.3:a:thekelleys:dnsmasq:0.992:::::::* cpe:2.3:a:thekelleys:dnsmasq:0.98:::::::* cpe:2.3:a:thekelleys:dnsmasq:0.96:::::::* cpe:2.3:a:thekelleys:dnsmasq:0.95:::::::* cpe:2.3:a:thekelleys:dnsmasq:0.7:::::::* cpe:2.3:a:thekelleys:dnsmasq:0.6:::::::* cpe:2.3:a:thekelleys:dnsmasq:0.5:::::::* cpe:2.3:a:thekelleys:dnsmasq:0.4:::::::* cpe:2.3:a:thekelleys:dnsmasq:::::::: cpe:2.3:a:thekelleys:dnsmasq:-:::::::*	77
Os	Redhat Enterprise Linux Desktop cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*	1
Os	Redhat Enterprise Linux Server cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*	1
Os	Redhat Enterprise Linux Workstation cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*	1

OpenVAS Exploits

Date	Description
2012-09-17	Name : Fedora Update for dnsmasq FEDORA-2012-12598 File : nvt/gb_fedora_2012_12598_dnsmasq_fc17.nasl

Nessus® Vulnerability Scanner

Date	Description
2015-12-22	Name : The remote DNS / DHCP service is affected by a denial of service vulnerability. File : dnsmasq_dos-CVE-2013-0198.nasl - Type : ACT_GATHER_INFO
2015-12-22	Name : The remote DNS / DHCP service is affected by a denial of service vulnerability. File : dnsmasq_dos-CVE-2012-3411.nasl - Type : ACT_GATHER_INFO
2014-11-08	Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2013-0579.nasl - Type : ACT_GATHER_INFO
2014-06-26	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201406-24.nasl - Type : ACT_GATHER_INFO
2013-09-04	Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-161.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0276.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0277.nasl - Type : ACT_GATHER_INFO
2013-04-20	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-072.nasl - Type : ACT_GATHER_INFO
2013-03-10	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0277.nasl - Type : ACT_GATHER_INFO
2013-03-10	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0276.nasl - Type : ACT_GATHER_INFO
2013-03-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130221_dnsmasq_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2013-03-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130221_libvirt_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2013-02-21	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0276.nasl - Type : ACT_GATHER_INFO
2013-02-21	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0277.nasl - Type : ACT_GATHER_INFO
2013-02-19	Name : The remote Fedora host is missing a security update. File : fedora_2013-1320.nasl - Type : ACT_GATHER_INFO
2013-02-13	Name : The remote Fedora host is missing a security update. File : fedora_2013-1357.nasl - Type : ACT_GATHER_INFO
2013-01-04	Name : The remote Fedora host is missing a security update. File : fedora_2012-20531.nasl - Type : ACT_GATHER_INFO
2012-12-20	Name : The remote Fedora host is missing a security update. File : fedora_2012-20577.nasl - Type : ACT_GATHER_INFO
2012-09-12	Name : The remote Fedora host is missing a security update. File : fedora_2012-12598.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-06-27 13:26:20	Multiple Updates
2014-06-26 00:24:08	First insertion

Global Informations

Type	Count
CWE ID(s)	2
Oval ID(s)	6
CPE ID(s)	80
Openvas Exploit(s)	1
Nessus® Exploit(s)	19

	Related
5	CVE-2013-0198
5	CVE-2012-3411
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 2 more Alert(s)

5 - GLSA-201406-24

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU