CVE-2021-45955
📋 TL;DR
CVE-2021-45955 is a heap-based buffer overflow vulnerability in Dnsmasq 2.86 that occurs during DNS packet resizing due to insufficient bounds checking. This could allow remote attackers to execute arbitrary code or cause denial of service. Organizations running Dnsmasq 2.86 for DNS caching or DHCP services are affected.
💻 Affected Systems
- Dnsmasq
📦 What is this software?
Dnsmasq by Thekelleys
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with root privileges leading to complete system compromise, data exfiltration, or persistent backdoor installation.
Likely Case
Denial of service causing DNS/DHCP service disruption, potentially affecting network connectivity for dependent systems.
If Mitigated
Limited impact with proper network segmentation and exploit mitigations; service disruption but no privilege escalation.
🎯 Exploit Status
Proof-of-concept exists in oss-fuzz reports. Exploitation requires sending specially crafted DNS packets but no authentication. The heap-based nature makes reliable exploitation moderately complex.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.86 (2.87+)
Vendor Advisory: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016162.html
Restart Required: Yes
Instructions:
1. Check current Dnsmasq version: dnsmasq --version
2. Update via package manager: apt-get update && apt-get upgrade dnsmasq (Debian/Ubuntu) or yum update dnsmasq (RHEL/CentOS)
3. Verify upgrade: dnsmasq --version
4. Restart service: systemctl restart dnsmasq
🔧 Temporary Workarounds
Disable DNS functionality
linuxConfigure Dnsmasq to only provide DHCP services without DNS resolution
Edit /etc/dnsmasq.conf and set: port=0
Restart: systemctl restart dnsmasq
Network filtering
linuxRestrict DNS queries to trusted sources only using firewall rules
iptables -A INPUT -p udp --dport 53 -s trusted_network -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Dnsmasq servers from untrusted networks
- Deploy exploit mitigation technologies like ASLR, stack canaries, and control flow integrity
🔍 How to Verify
Check if Vulnerable:
Check if running Dnsmasq 2.86: dnsmasq --version | grep 'version 2.86'Check Version:
dnsmasq --version | head -1Verify Fix Applied:
Confirm version is 2.87 or higher: dnsmasq --version | grep -v 'version 2.86'📡 Detection & Monitoring
Log Indicators:
- Multiple malformed DNS packet errors in Dnsmasq logs
- Unexpected process crashes or restarts of dnsmasq service
Network Indicators:
- Unusual DNS queries with malformed packet structures
- DNS traffic from unexpected sources to port 53
SIEM Query:
source="dnsmasq" AND (error OR crash OR "malformed packet")🔗 References
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35898
- https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-932.yaml
- https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016162.html
- https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016164.html
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35898
- https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-932.yaml
- https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016162.html
- https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016164.html
