Loading . . .

This use case runs on ArcSight to find vulnerable and compromised dnsmasq devices running versions prior to 2.76.  On October 2nd 2017 Google Security team has disclosed 7 CVE ID's related to dnsmasq and provided 6 proof of concept exploit code samples on github. Dnsmasq provides functionality for serving DNS, DHCP, router advertisements and network boot. This software is commonly installed in systems as varied as desktop Linux distributions including Ubuntu, Mint, RedHat, home routers running OpenWRT and IoT devices. The attack vector via DNS and DHCP is expected to happen from within corporate networks and WiFi devices running LEDE and OpenWRT and will result in extremely fast and hard to control Lateral Movement according to MITRE ATT&CK. Initial Delivery and attack launch may be executed from public internet as well since as of October 5th 2017 a Shodan lookup for dnsmasq returns 1,142,533 results. This means there is a huge infrastructure that adversaries may use as entry point to victims networks. Since DNS traffic usually bypasses perimeter defenses the vulnerability can lead to global cyber attacks that will exceed the infamous WannaCry and Mirai botnet. Top-10 countries that may be impacted and number of assets with dnsmasq:

  • China 335,947
  • Brazil 134,940
  • United States 101,540
  • Taiwan 75,240
  • Turkey 60,678
  • Russian Federation 51,120
  • Italy 34,824
  • Ecuador 34,657
  • India 27,307
  • Saudi Arabia 26,081

This basic use case leverages ArcSight real-time correlation rules and dashboards and vulnerability intelligence that is integrated into ArcSight from solutions like Qualys, Nessus, Rapid7, OpenVas etc. to flag assets that have these CVE-ID's:

  • CVE-2017-14491 DNS RCE
  • CVE-2017-14495 DNS DoS
  • CVE-2017-14496 DNS DoS
  • CVE-2017-13704 DNS DoS
  • CVE-2017-14492 DHCP RCE
  • CVE-2017-14493 DHCP RCE
  • CVE-2017-14494 DHCP Information Leakage

The public Proof of Concept exploits code in python shared by Google along with instructions and ASAN reports are available at GitHub:  https://github.com/google/security-research-pocs/tree/master/vulnerabilities/dnsmasq It is recommended to Patch these vulnerabilities a.s.a.p. as they pose risk of Remote Code Execution (RCE), Denial of Service (DoS) and Information Leakage. RCE on such sensitive services as DNS can lead to attacker gaining full root priveledges on target machines. It is worth noting that plenty of vulnerable devices will not be patched any time soon due to long enterprise patch cycles or due to archticture. For example Mint linux does not have patch available yet. And outdated Android devices not manufactured / OEM'ed by Google will not get patch at all.