Emerging Member

dnsmasq vulnerabilities

Google dropped 7 CVEs on dnsmasq today, three with remote code execution.

 

https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

New Member

I'm surprised to not see anything yet as the patches came out last week and were available (under embargo) to packagers. This is something folks have known about so as to have a coordinated response.
Regular Member

NOOT NOOT please fix this.

New Member

+1. Please be on top of security issues like this!

Established Member

You can add those September 2017 OpenVPN vulns
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements

Veteran Member

@sxpert there are no September 2017 threats that would affect OpenVPN on the EdgeRouter series. @tbyehl Thanks for the heads up. I am sure the @ubnt team is working on this.
New Member

Please post updates for the edgerouter -- I've got a network to run here!

Member

Check here https://community.ubnt.com/t5/EdgeMAX/dnscrypt-proxy-DNSSEC-and-dnsmasq-on-Edgerouter-Lite/m-p/19116... for a member-contributed build of v2.78.  (Second post down, I think.)

 

May help in the interim, until UBNT can compile and release an official hotfix.

 

-AJ

New Member

Also following, where ubnt have posted, "Being worked on as we speak.": https://www.reddit.com/r/Ubiquiti/comments/73wezf/how_quick_to_expect_a_fix_for_dnsmasq/
Member

I find it interesting that they would post that to reddit, but not their own forum.

 

Ubiquiti Employee

Thanks for bringing this up. We are aware and actively working on providing a firmware update to address these vulnerabilities very soon. I will post here as soon as the release is available. 

Emerging Member
Posts: 54
Registered: ‎03-10-2014
Kudos: 9
Solutions: 1

Re: dnsmasq vunlerabilities

If you don't have dnsmasq enabled, you should be fine, right?
Ubiquiti Employee

@the_slain_man dnsmasq is used for DNS forwarding, which is enabled by default. It can also be used for DHCP; however, EdgeOS uses ISC dhcpd by default for DHCP. Regardless, it will be important to update to hotfix4 when it is released.

Ubiquiti Employee

Release including update to come, but for those who want to install it in the meantime, here are the updated dnsmasq packages for the MIPS platform (not MIPSEL, which is ER-X and ER-X-SFP only). These are appropriate for all USG models, ERL, ERPro, ER-POE, ER-8-XG, all ERs except ER-X models.

https://dl.ubnt-ut.com/cmb/dnsmasq_2.78-1-ubnt1_all.deb

https://dl.ubnt-ut.com/cmb/dnsmasq-base_2.78-1-ubnt1_mips.deb

https://dl.ubnt-ut.com/cmb/dnsmasq-utils_2.78-1-ubnt1_mips.deb

 

Download those to the ER and install them as follows after you SSH into the device.

sudo su
curl -O https://dl.ubnt-ut.com/cmb/dnsmasq_2.78-1-ubnt1_all.deb
curl -O https://dl.ubnt-ut.com/cmb/dnsmasq-base_2.78-1-ubnt1_mips.deb
curl -O https://dl.ubnt-ut.com/cmb/dnsmasq-utils_2.78-1-ubnt1_mips.deb
dpkg -i dnsmasq*

Choose the default "N" for any conflict prompts, and ignore any rc.d warnings. 

 

If you try that, please report back here with results. It's running fine on multiple systems here internally, but would be good to hear from others. 

 

*** UPDATE by UBNT-afomins ***

Here's the updated dnsmasq for ER-X, ER-X-SFP and EP-R6:

https://dl.ubnt.com/firmwares/edgemax/afomins/dnsmasq-2.78-e50/dnsmasq-base_9dev_mipsel.deb
https://dl.ubnt.com/firmwares/edgemax/afomins/dnsmasq-2.78-e50/dnsmasq-utils_9dev_mipsel.deb
https://dl.ubnt.com/firmwares/edgemax/afomins/dnsmasq-2.78-e50/dnsmasq_9dev_all.deb

 

New 1.9.7+hotfix.4 with those fixes will be released early next week.
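
An added example, not part of the original post or Ubiquiti's tooling: shell checks that the downloaded .deb files match the router's architecture (MIPS vs MIPSEL, as the post distinguishes) before `dpkg -i`, and that dnsmasq reports 2.78 or later afterwards. The function names are hypothetical, and it assumes the usual `Dnsmasq version X.Y ...` first line from `dnsmasq --version`.

```shell
#!/bin/sh
# Added example: pre- and post-install checks for the dnsmasq 2.78 packages.
# All function names here are hypothetical helpers, not EdgeOS commands.

FIXED_VERSION="2.78"   # version of the packages linked in the post above

# deb_matches_arch FILE ARCH: succeed if the package file name
# (name_version_arch.deb) targets ARCH or is architecture-independent.
deb_matches_arch() {
    pkg_arch=${1##*_}            # drop everything through the last underscore
    pkg_arch=${pkg_arch%.deb}
    [ "$pkg_arch" = "all" ] || [ "$pkg_arch" = "$2" ]
}

# check_debs ARCH FILE...: report every mismatching file; fail if any.
check_debs() {
    arch=$1; shift; rc=0
    for f in "$@"; do
        deb_matches_arch "$f" "$arch" || { echo "wrong arch for $arch: $f"; rc=1; }
    done
    return $rc
}

# parse_dnsmasq_version: read `dnsmasq --version` output on stdin and print
# the MAJOR.MINOR version, e.g. 2.78 (assumed first-line format).
parse_dnsmasq_version() {
    sed -n 's/^Dnsmasq version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# version_ge A B: succeed if MAJOR.MINOR version A is >= B.
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# is_patched: succeed if the version read from stdin is >= FIXED_VERSION.
# Unparseable output counts as not patched.
is_patched() {
    v=$(parse_dnsmasq_version)
    [ -n "$v" ] && version_ge "$v" "$FIXED_VERSION"
}

# On the router (assumes dpkg and dnsmasq are on PATH):
#   check_debs "$(dpkg --print-architecture)" dnsmasq*.deb && dpkg -i dnsmasq*.deb
#   dnsmasq --version | is_patched && echo "dnsmasq is at $FIXED_VERSION or later"
```
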

 

New Member

> If you try that, please report back here with results. It's running fine on multiple systems here internally, but would be good to hear from others

 

Installed successfully on an ER-L running v1.9.7+hotfix.3. Appears to be functioning properly.

 

New Member

Installed successfully on ERLite 1.9.7 hotfix 3! So far so good!
New Member

Installed successfully on ERLite 1.9.7+hotfix2.

New Member

Working fine so far with an ERPOE-5 with hotfix3. It's only been 2 hours but no instant problems.
