CVE-2019-14513 – CVE-2019-14513 is a buffer overflow vulnerabili... (How to Fix)

Q: What is the severity of CVE-2019-14513?

CVE-2019-14513 has a CVSS score of 7.5 (HIGH). CVE-2019-14513 is a buffer overflow vulnerability in Dnsmasq DNS server software caused by improper bounds checking when processing large DNS packets. Attackers controlling a DNS server can send specially crafted packets to trigger memory corruption, potentially leading to denial of service or remote code execution. This affects all systems running Dnsmasq versions before 2.76.

📋 TL;DR

CVE-2019-14513 is a buffer overflow vulnerability in Dnsmasq DNS server software caused by improper bounds checking when processing large DNS packets. Attackers controlling a DNS server can send specially crafted packets to trigger memory corruption, potentially leading to denial of service or remote code execution. This affects all systems running Dnsmasq versions before 2.76.

💻 Affected Systems

Products:

Dnsmasq

Versions: All versions before 2.76

Operating Systems: Linux, Unix-like systems, Embedded systems

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all Dnsmasq configurations when acting as DNS server. Most vulnerable when configured as DNS forwarder or resolver.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Dnsmasq by Thekelleys

View all CVEs affecting Dnsmasq →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with root privileges, allowing complete system compromise and potential lateral movement within the network.

🟠

Likely Case

Denial of service causing DNS service disruption, potentially affecting network connectivity and dependent services.

🟢

If Mitigated

Limited impact with proper network segmentation and DNS server isolation, potentially only causing service disruption.

🌐 Internet-Facing: HIGH - Dnsmasq servers exposed to the internet can be directly targeted by attackers controlling upstream DNS servers.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires DNS server control.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires control of a DNS server that the vulnerable Dnsmasq instance queries. Public proof-of-concept demonstrates triggering the overflow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.76 and later

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2019/09/msg00013.html

Restart Required: Yes

Instructions:

1. Update Dnsmasq to version 2.76 or later using your distribution's package manager. 2. For Debian/Ubuntu: sudo apt update && sudo apt install dnsmasq. 3. For Red Hat/CentOS: sudo yum update dnsmasq. 4. Restart Dnsmasq service: sudo systemctl restart dnsmasq.

🔧 Temporary Workarounds

Limit DNS packet size

linux

Configure Dnsmasq to reject DNS packets larger than typical size to prevent triggering the overflow

Add 'edns-packet-max=512' to /etc/dnsmasq.conf
Restart dnsmasq: sudo systemctl restart dnsmasq

Disable DNS forwarding

linux

Configure Dnsmasq to only serve local DNS and not forward queries to upstream servers

Set 'no-resolv' and 'no-forward' in /etc/dnsmasq.conf
Restart dnsmasq: sudo systemctl restart dnsmasq

🧯 If You Can't Patch

Implement network segmentation to isolate Dnsmasq servers from untrusted networks
Use firewall rules to restrict which DNS servers Dnsmasq can communicate with

🔍 How to Verify

Check if Vulnerable:

Check Dnsmasq version: dnsmasq --version | head -1. If version is below 2.76, system is vulnerable.

Check Version:

dnsmasq --version | head -1

Verify Fix Applied:

After update, verify version is 2.76 or higher: dnsmasq --version | head -1

📡 Detection & Monitoring

Log Indicators:

DNS query failures
Dnsmasq crash logs
Memory corruption errors in system logs

Network Indicators:

Unusually large DNS packets (over 512 bytes)
DNS traffic from unexpected sources

SIEM Query:

source="dnsmasq" AND ("segmentation fault" OR "buffer overflow" OR "crash")

📊 Metadata

CVE ID: CVE-2019-14513

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-125

Published: August 1, 2019

Last Updated: November 21, 2024

🔗 References

https://github.com/Slovejoy/dnsmasq-pre2.76 Exploit,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/09/msg00013.html Mailing List,Third Party Advisory
https://github.com/Slovejoy/dnsmasq-pre2.76 Exploit,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/09/msg00013.html Mailing List,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-14513, you might also want to check these: