CVE-2021-45957
📋 TL;DR
CVE-2021-45957 is a heap-based buffer overflow in the DNS response handling code of Dnsmasq 2.86. It could allow remote attackers to execute arbitrary code or cause a denial of service on affected systems. The vendor disputes that this is a real vulnerability, but organizations should still assess their exposure.
💻 Affected Systems
- Dnsmasq
📦 What is this software?
Dnsmasq by Thekelleys
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with root privileges leading to complete system compromise, data exfiltration, or persistent backdoor installation.
Likely Case
Denial of service causing DNS service disruption, potentially affecting network connectivity and dependent services.
If Mitigated
Limited impact with proper network segmentation, minimal privileges, and exploit mitigations like ASLR and stack canaries.
🎯 Exploit Status
A proof of concept exists in the OSS-Fuzz issue tracker (see References). Exploitation requires crafting malicious DNS responses. No confirmed weaponized exploits in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.87 and later
Vendor Advisory: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016162.html
Restart Required: Yes
Instructions:
1. Check current version: dnsmasq --version
2. Download latest version from official repository
3. Compile and install: make && make install (dnsmasq ships a plain Makefile; there is no configure script)
4. Restart dnsmasq service: systemctl restart dnsmasq
🔧 Temporary Workarounds
Network Segmentation
Restrict DNS traffic to trusted sources only (replace trusted_network with your trusted client subnet in CIDR notation; the ACCEPT rules must precede the DROP rules):
iptables -A INPUT -p udp --dport 53 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -s trusted_network -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j DROP
iptables -A INPUT -p tcp --dport 53 -j DROP
Note that these rules filter inbound queries on port 53; responses from upstream resolvers, which the affected response-handling code also parses, arrive on dnsmasq's own source ports and are not covered by them.
Disable Recursive DNS
Configure dnsmasq as a forward-only DNS server: add the following two lines to /etc/dnsmasq.conf, then restart the service.
no-resolv
server=8.8.8.8
systemctl restart dnsmasq
🧯 If You Can't Patch
- Implement strict firewall rules to limit DNS traffic to trusted sources only
- Deploy exploit mitigation technologies like ASLR, stack canaries, and DEP
🔍 How to Verify
Check if Vulnerable:
Check whether the running Dnsmasq is version 2.86: dnsmasq --version | head -n 1 | grep 'version 2.86'
Check Version:
dnsmasq --version
Verify Fix Applied:
Verify the version is 2.87 or higher by reading the first line of the output: dnsmasq --version | head -n 1 (a grep -v '2.86' check is not reliable, because the copyright lines of a vulnerable build also pass that filter, so its exit status is always success)
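An added shell helper, not part of this advisory, that parses the first line of dnsmasq --version and compares the version number against the patched release with a natural version sort (GNU sort -V is assumed to be available), so the fixed-version check does not depend on a grep pattern that can succeed on a vulnerable build:

```shell
#!/bin/sh
# Added example (not from the advisory): classify a dnsmasq build as patched or
# vulnerable for CVE-2021-45957. The functions take the text of `dnsmasq --version`
# as an argument so they can be exercised offline against constructed strings.
PATCHED_VERSION="2.87"   # fixed release as stated in the advisory

# dnsmasq_version_string OUTPUT: print the "X.Y[.Z]" number from the first line,
# e.g. "Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley" -> "2.86".
# Pre-release suffixes such as "test3" are dropped; prints nothing if unparseable.
dnsmasq_version_string() {
    printf '%s\n' "$1" | head -n 1 \
        | sed -n 's/^Dnsmasq version \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: succeed when A >= B under natural version ordering (GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# dnsmasq_is_patched OUTPUT: print "patched", "vulnerable" or "unknown";
# exit status 0 only for a patched build.
dnsmasq_is_patched() {
    _dv=$(dnsmasq_version_string "$1")
    if [ -z "$_dv" ]; then
        echo "unknown"
        return 2
    fi
    if version_ge "$_dv" "$PATCHED_VERSION"; then
        echo "patched"
        return 0
    fi
    echo "vulnerable"
    return 1
}

# When run directly on a host that has dnsmasq installed, check the live binary.
if [ "$#" -eq 0 ] && command -v dnsmasq >/dev/null 2>&1; then
    dnsmasq_is_patched "$(dnsmasq --version 2>&1)"
fi
```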
📡 Detection & Monitoring
Log Indicators:
- Unusual DNS response sizes
- Multiple malformed DNS packets
- Dnsmasq crash logs
- Segmentation fault errors in system logs
Network Indicators:
- Unusually large DNS responses
- DNS traffic from unexpected sources
- Multiple malformed DNS queries to port 53
SIEM Query:
source="dnsmasq" AND ("segmentation fault" OR "buffer overflow" OR "crash")
🔗 References
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35920
- https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-935.yaml
- https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016162.html
- https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016164.html