Synology-SA-17:59 Dnsmasq
Publish Time: 2017-10-03 16:31:53 UTC+8
Last Updated: 2018-01-12 15:32:23 UTC+8
- Severity: Critical
- Status: Resolved
Abstract
Multiple security vulnerabilities have been found in Dnsmasq that may allow remote attackers to execute arbitrary code, cause a denial of service, or retrieve sensitive information from a vulnerable version of Synology DiskStation Manager (DSM) or Synology Router Manager (SRM).
These vulnerabilities do not affect Synology DiskStation Manager (DSM) on devices without a Wi-Fi dongle installed.
Severity
- CVE-2017-14491
  - Impact: Critical
  - CVSS3 Base Score: 9.8
  - CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVE-2017-14492
  - Impact: Critical
  - CVSS3 Base Score: 8.8
  - CVSS3 Base Metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVE-2017-14493
  - Impact: Critical
  - CVSS3 Base Score: 8.8
  - CVSS3 Base Metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVE-2017-14494
  - Impact: Important
  - CVSS3 Base Score: 6.5
  - CVSS3 Base Metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CVE-2017-14495
  - Impact: Important
  - CVSS3 Base Score: 7.5
  - CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CVE-2017-14496
  - Impact: Important
  - CVSS3 Base Score: 7.5
  - CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CVE-2017-13704
  - Impact: Important
  - CVSS3 Base Score: 7.5
  - CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected
Products
- DSM 6.1
- DSM 6.0
- DSM 5.2
- SRM 1.1
Models
- All Synology models
Description
- CVE-2017-14491
  Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response.
- CVE-2017-14492
  Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted IPv6 router advertisement request.
- CVE-2017-14493
  Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DHCPv6 request.
- CVE-2017-14494
  dnsmasq before 2.78, when configured as a relay, allows remote attackers to obtain sensitive memory information via vectors involving handling DHCPv6 forwarded requests.
- CVE-2017-14495
  Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service (memory consumption) via vectors involving DNS response creation.
- CVE-2017-14496
  Integer underflow in the add_pseudoheader function in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service via a crafted DNS request.
- CVE-2017-13704
  In dnsmasq before 2.78, if the DNS packet size does not match the expected size, the size parameter in a memset call gets a negative value. As it is an unsigned value, memset ends up writing up to 0xffffffff zeros (0xffffffffffffffff on 64-bit platforms), making dnsmasq crash.
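The size wrap described for CVE-2017-13704, shown as an added example that is not dnsmasq or Synology code: the unchecked length computation next to a form that validates the length before calling memset. The function names, the 512-byte buffer and the sample lengths are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not dnsmasq code: the byte count an unchecked
 * "zero the rest of the buffer" call would hand to memset. The
 * subtraction is done in size_t, so used > capacity wraps around to a
 * huge value instead of becoming negative. */
size_t unchecked_tail_len(size_t capacity, size_t used)
{
    return capacity - used;
}

/* Hardened form: validate the packet-derived length before using it.
 * Returns the number of bytes zeroed, or -1 when the claimed length
 * exceeds the buffer and the size would wrap. */
long zero_tail_checked(unsigned char *buf, size_t capacity, size_t used)
{
    if (buf == NULL || used > capacity)
        return -1;
    memset(buf + used, 0, capacity - used);
    return (long)(capacity - used);
}

int main(void)
{
    unsigned char pkt[512];            /* constructed sample buffer */
    memset(pkt, 0xAA, sizeof pkt);

    /* Well-formed case: 100 bytes in use, the remaining 412 are zeroed. */
    printf("zeroed:  %ld\n", zero_tail_checked(pkt, sizeof pkt, 100));

    /* Size mismatch: 513 bytes claimed for a 512-byte buffer. */
    printf("wrapped: %zu\n", unchecked_tail_len(sizeof pkt, 513));
    printf("checked: %ld\n", zero_tail_checked(pkt, sizeof pkt, 513));
    return 0;
}
```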
Mitigation
For an immediate workaround, please contact us at security@synology.com.
Update Availability
To fix the security issue, please update DSM 6.1 to 6.1.3-15152-6 or above, DSM 6.0 to CVE-2017-13078 or above and SRM 1.1 to 1.1.5-6542-2 or above.
For DSM 5.2, please update DSM to 6.0.3-8754-6 or above.
Reference
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14491
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14492
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14493
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14494
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14495
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14496
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13704
- https://access.redhat.com/security/cve/CVE-2017-14491
- https://access.redhat.com/security/cve/CVE-2017-14492
- https://access.redhat.com/security/cve/CVE-2017-14493
- https://access.redhat.com/security/cve/CVE-2017-14494
- https://access.redhat.com/security/cve/CVE-2017-14495
- https://access.redhat.com/security/cve/CVE-2017-14496
- https://access.redhat.com/security/cve/CVE-2017-13704