dnsmasq vunlerabilities

NOOT NOOT please fix this.

@UBNT-afomins @UBNT-ancheng is there an ETA for 1.9.7.hotfix.4 with an updated dnsmasq binary patched against these CVEs, especially with at least one having a remote code exploit and dnsmasq potentially being open to "insecure" networks in certain configurations?

Rated CRITICAL:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14491

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14492

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14493

Rated IMPORTANT:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13704

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14494

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14495

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14496

+1 . Please be on top of security issues like this!

you can add those september 2017 openvpn vulns
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements

Please post updates for the edgerouter -- I've got a network to run here!

Check here https://community.ubnt.com/t5/EdgeMAX/dnscrypt-proxy-DNSSEC-and-dnsmasq-on-Edgerouter-Lite/m-p/19116... for a member-contributed build of v2.78.  (Second post down, I think.)

May help in the interm, until UBNT can compile and release an official hotfix.

-AJ

I find it interesting that they would post that to reddit, but not their own forum.

@aweber They wrote it is being worked on in the other thread: https://community.ubnt.com/t5/UniFi-Routing-Switching/USG-update-for-dnsmasq-vulnerabilities/m-p/208...

Thanks for bringing this up. We are aware and actively working on providing a firmware update to address these vulnerabilities very soon. I will post here as soon as the release is available. 

@the_slain_man dnsmasq is used for DNS forwarding which is enabled by default. It can also be used for DHCP however, EdgeOS uses ISC dhcpd by default for DHCP. Regardless, it will be important to update to hotfix4 when it is released.

Release including update to come, but for those who want to install it in the mean time, here are the updated dnsmasq packages for MIPS platform (not MIPSEL, which is ER-X and ER-X-SFP only). These are appropraiate for all USG models, ERL, ERPro, ER-POE, ER-8-XG, all ERs except ER-X models. 

https://dl.ubnt-ut.com/cmb/dnsmasq_2.78-1-ubnt1_all.deb

https://dl.ubnt-ut.com/cmb/dnsmasq-base_2.78-1-ubnt1_mips.deb

https://dl.ubnt-ut.com/cmb/dnsmasq-utils_2.78-1-ubnt1_mips.deb

Download those to ER and install them, like the following after SSH into the device. 

sudo su
curl -O https://dl.ubnt-ut.com/cmb/dnsmasq_2.78-1-ubnt1_all.deb
curl -O https://dl.ubnt-ut.com/cmb/dnsmasq-base_2.78-1-ubnt1_mips.deb
curl -O https://dl.ubnt-ut.com/cmb/dnsmasq-utils_2.78-1-ubnt1_mips.deb
dpkg -i dnsmasq*

Choose the default "N" for any conflict prompts, and ignore any rc.d warnings. 

If you try that, please report back here with results. It's running fine on multiple systems here internally, but would be good to hear from others. 

*** UPDATE by UBNT-afomins ***

Here's update dnsmasq for ER-X, ER-X-SFP and EP-R6:

https://dl.ubnt.com/firmwares/edgemax/afomins/dnsmasq-2.78-e50/dnsmasq-base_9dev_mipsel.deb
https://dl.ubnt.com/firmwares/edgemax/afomins/dnsmasq-2.78-e50/dnsmasq-utils_9dev_mipsel.deb
https://dl.ubnt.com/firmwares/edgemax/afomins/dnsmasq-2.78-e50/dnsmasq_9dev_all.deb

New 1.9.7+hotfix.4 with those fixes will be release early next week.

> If you try that, please report back here with results. It's running fine on multiple systems here internally, but would be good to hear from others

Installed successfully on an ER-L running v1.9.7+hotfix.3. Appears to be functioning properly.

Installed successfully on ERLite 1.9.7+hotfix2.

Working fine so far with a ERPOE-5 with hotfix3. It's only been 2 hours but no instant problems.