Researchers at Google LLC have issued a warning over seven serious flaws in Dnsmasq, a Domain Name System forwarder and Dynamic Host Configuration Protocol server that is installed with Linux distributions, Android and Google’s Kubernetes container software.

The longstanding flaws include three remote code execution vulnerabilities, three denial of service vulnerabilities and an information leakage issue. “We discovered seven distinct issues over the course of our regular internal security assessments,” Google security researchers said in a blog post on Monday. “Once we determined the severity of these issues, we worked to investigate their impact and exploitability and then produced internal proofs of concept for each of them. We also worked with the maintainer of Dnsmasq, Simon Kelley, to produce appropriate patches and mitigate the issue.”

Of the seven vulnerabilities, CVE-2017-14491, a DNS-based vulnerability in Dnsmasq versions before 2.76 that allows for unrestricted heap overflows, affecting both external and internal networks, was noted as being the most severe. Android is specifically affected by CVE-2017-14496, which allows attackers to target a device when it is locally tethered, although the researchers noted that the service itself is sandboxed, meaning that the risk to Android users is reduced.

The good news for Dnsmasq users is that a new, patched version has been released, so users who have deployed the latest version are protected from the vulnerabilities. Patches for the vulnerabilities were built into the Android security update in October, while Kubernetes versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 have been updated with a patched DNS pod. Other affected Google services are also claimed have been updated.

Image: Pixabay