CVE-2021-45951
📋 TL;DR
CVE-2021-45951 is a heap-based buffer overflow vulnerability in Dnsmasq 2.86's check_bad_address function that could allow remote code execution or denial of service. Systems running Dnsmasq 2.86 as a DNS resolver or DHCP server are affected. The vendor disputes this is a real vulnerability, but the CVSS score suggests high risk.
💻 Affected Systems
- Dnsmasq
📦 What is this software?
Dnsmasq by Thekelleys
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker executes arbitrary code with root privileges, potentially compromising the entire system and network.
Likely Case
Denial of service causing DNS/DHCP service disruption, potentially affecting network connectivity for clients.
If Mitigated
Limited impact if Dnsmasq runs in a chroot/jail or with privilege separation, though service disruption is still possible.
🎯 Exploit Status
Exploitation requires sending specially crafted DNS queries. No public exploits known, but the vulnerability is remotely triggerable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.87 or later
Vendor Advisory: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016162.html
Restart Required: Yes
Instructions:
1. Check current version: dnsmasq --version
2. Update via package manager: apt-get update && apt-get upgrade dnsmasq (Debian/Ubuntu) or yum update dnsmasq (RHEL/CentOS)
3. Verify version: dnsmasq --version
4. Restart service: systemctl restart dnsmasq
🔧 Temporary Workarounds
Restrict DNS queries
Linux: limit which clients can query the DNS server to reduce the attack surface
- Add to dnsmasq.conf: local-service
- Add to dnsmasq.conf: bind-interfaces
- Add to dnsmasq.conf: listen-address=<trusted_ip>
Run with reduced privileges
Linux: run Dnsmasq in a chroot or with user namespace isolation
- Add to dnsmasq.conf: user=nobody
- Add to dnsmasq.conf: group=nogroup
- Use systemd's DynamicUser=yes
🧯 If You Can't Patch
- Implement network segmentation to isolate Dnsmasq from untrusted networks
- Deploy intrusion detection/prevention systems to monitor for anomalous DNS traffic patterns
🔍 How to Verify
Check if Vulnerable:
Run: dnsmasq --version | grep 'version 2.86'
Check Version:
dnsmasq --version | head -1
Verify Fix Applied:
Run: ! dnsmasq --version | grep -q 'version 2.86' && echo 'Not vulnerable' (the version banner spans several lines, so a plain grep -v would print the non-matching lines and report "Not vulnerable" even on 2.86). Distribution packages can carry a backported fix while still reporting 2.86; in that case check the package changelog (apt changelog dnsmasq on Debian/Ubuntu, rpm -q --changelog dnsmasq on RHEL/CentOS).
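As an added example (not part of this advisory or of the dnsmasq project), the version check from this section and an audit of the dnsmasq.conf directives from the Temporary Workarounds section, in POSIX shell. The banner text and config file it checks are constructed samples, and version_from_banner, is_vulnerable_version and missing_hardening are assumed helper names.

```shell
#!/bin/sh
# Added example, not dnsmasq project code: parse the `dnsmasq --version`
# banner and audit a dnsmasq.conf for the advisory's workaround directives.

# Pull "2.86" out of the first banner line, "Dnsmasq version 2.86  Copyright ...".
version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^Dnsmasq version \([0-9][0-9.]*\).*$/\1/p'
}

# True only for the exact upstream release this advisory covers.
is_vulnerable_version() {
    [ "$1" = "2.86" ]
}

# Print, one per line, the advisory's hardening directives that are missing
# from the config. Commented-out lines and empty values do not count.
missing_hardening() {
    conf="$1"
    for directive in local-service bind-interfaces listen-address user group; do
        case "$directive" in
            listen-address|user|group) pattern="^[[:space:]]*$directive=[^[:space:]#]" ;;
            *) pattern="^[[:space:]]*$directive[[:space:]]*$" ;;
        esac
        grep -Eq "$pattern" "$conf" || echo "$directive"
    done
}

# Constructed sample input: the multi-line banner printed by the affected release.
SAMPLE_BANNER='Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt DHCP DHCPv6 (constructed, abbreviated)'

# Constructed, only partly hardened dnsmasq.conf.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed example config
bind-interfaces
user=nobody
#local-service
listen-address=
EOF

# Stand-alone run: report the verdict for the sample banner and config.
v=$(version_from_banner "$SAMPLE_BANNER")
if is_vulnerable_version "$v"; then
    echo "dnsmasq $v is affected by CVE-2021-45951; upgrade to 2.87 or later"
fi
missing_hardening "$SAMPLE_CONF" | sed 's/^/workaround directive missing: /'
```

On a real host, replace SAMPLE_BANNER with "$(dnsmasq --version)" and SAMPLE_CONF with the path of the live configuration.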
📡 Detection & Monitoring
Log Indicators:
- Unusual DNS query patterns
- Dnsmasq crash logs
- Memory corruption warnings in system logs
Network Indicators:
- Anomalous DNS queries with malformed addresses
- Traffic spikes to port 53/UDP
SIEM Query:
source="dnsmasq" AND ("segmentation fault" OR "buffer overflow" OR "crash")
🔗 References
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35868
- https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-924.yaml
- https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016162.html
- https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016164.html