by unclejuan
3 subcomments
- I think this is the breaking point where replacing our code written in C with code written in memory-safe languages is becoming urgent.
The vast majority of vulnerabilities found recently are directly related to being written in memory-unsafe languages; it's very difficult to justify that a DNS/DHCP server can't be written in Rust or Go and without using unsafe (well, maybe a few unsafe calls are still needed, but these will be a very small amount)...
by washingupliquid
2 subcomments
- It's a good thing this software isn't used in millions of devices which almost never receive updates.
by 882542F3884314B
1 subcomments
- https://xchglabs.com/blog/dnsmasq-five-cves.html
- That is pretty bad!
"a remote attacker capable of asking DNS queries or answering DNS queries can cause a large OOB write in the heap."
Malformed DNS response causes "infinite loop and dnsmasq stops responding to all queries."
Malicious DHCP request can cause buffer overflow.
by romaniitedomum
2 subcomments
- To quote a famous (in certain circles) bowl of petunias, "oh no, not again!"
- Has OpenWRT released a new build yet?
Answer: no, but they're working on it.
https://forum.openwrt.org/t/dnsmasq-set-of-serious-cves/2500...
by strenholme
7 subcomments
- Shameless plug time:
My own MaraDNS has been extensively audited now that we’re in the age of AI-assisted security audits.
Not one single serious security bug has been found since 2023. [1]
The only bugs auditors have been finding are things like “Deadwood, when fully recursive, will take longer than usual to release resources when getting this unusual packet” [2] or “This side utility included with MaraDNS, which hasn’t been able to be compiled since 2022, has a buffer overflow, but only if one’s $HOME is over 50 characters in length” [3]
I’m actually really pleased just how secure MaraDNS is now that it’s getting real in-depth security audits.
[1] https://samboy.github.io/MaraDNS/webpage/security.html
[2] https://github.com/samboy/MaraDNS/discussions/136
[3] https://github.com/samboy/MaraDNS/pull/137
by washingupliquid
11 subcomments
- Maybe this is the kick in the ass Debian needs to upgrade the embarrassingly ancient dnsmasq in "stable" because while I can't think of any new features, the latest versions contain many non-CVE bug fixes.
But I doubt it, they will lazily backport these patches to create some frankenstein one-off version and be done with it.
Before anyone says "tHaT's wHaT sTaBlE iS fOr": they have literally shipped straight-up broken packages before, because fixing it would somehow make it not "stable". They would rather ship useless, broken code than something too new. It's crazy.
- What is the nature of these findings? There’s a big difference between AI finding a buffer overflow vs. identifying a fundamental protocol flaw. Could AI realistically discover something like the Kaminsky attack? Or even something which is an amplification exploit like the NXNSAttack?
by SoftTalker
3 subcomments
- Never liked using dnsmasq. Always felt like too much in one tool. A local caching resolver, dhcp server, and tftp/pxe boot setup were always things I preferred to configure separately.
- "hopefully they will be releasing patched versions of their dnsmasq packages in a timely manner."
Hopefully!
by thenickdude
0 subcomment
- LXD uses dnsmasq to provide DHCP and DNS for containers I think? Viable container escape?
by 1vuio0pswjnm7
0 subcomment
- I never liked dnsmasq or the Pi-Hole derivation and do not use it, but many people seem to love this software. I don't think there is any amount of CVEs that could convince people to stop using it.
by PeterStuer
0 subcomment
- "The tsunami of AI-generated bug reports shows no signs of stopping, so
it is likely that this process will have to be repeated again soon."
But, ai-deniers are telling us there is nothing to see ...
by dist-epoch
4 subcomments
- How bad is it if someone infects my home router using such a thing? They can MITM non-encrypted requests, but there are not a lot of those, right?
What else can they do, assuming the computers behind the router are all patched up?
- Some of these would have made it to embedded hardware, making updates more challenging if say you were to flash an update.
by rela-12w987
1 subcomments
- The AI bug report tsunami is not in all projects. As the top comment notes, MaraDNS didn't have any. I assume djbdns and tinydns didn't either, otherwise they'd shout it from the rooftops.
I never understood why some projects get extremely popular and others don't. I also suspect by now that the reports by tools that are "too dangerous to release" scan all projects but selectively only contact those with issues, so that they never have to admit that their tool didn't find anything.
- If machine-learning can find all these holes,
why can't machine-learning write a product from scratch that is flawless?
by mrbluecoat
0 subcomment
- > The tsunami of AI-generated bug reports shows no signs of stopping, so it is likely that this process will have to be repeated again soon.
Welcome to the new world order.