CVE-2015-3294 - Data Processing Errors vulnerability in multiple products
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
The tcp_request function in Dnsmasq before 2.73rc4 does not properly handle the return value of the setup_reply function, which allows remote attackers to read process memory and cause a denial of service (out-of-bounds read and crash) via a malformed DNS request.
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | | 1
OS | | 1
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overflow Buffers: Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attacker's choice.
- XML Nested Payloads: Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that has an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of attack will result in a denial of service due to an application becoming unstable, freezing, or crashing. However, it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
- XML Oversized Payloads: Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that has an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of attack will result in a denial of service due to an application becoming unstable, freezing, or crashing. However, it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
- XML Client-Side Attack: Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that has an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser [R.484.1].
- XML Parser Attack: Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that has an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser [R.99.1].
Nessus
- SUSE_SU-2017-2617-1.NASL (NASL family: SuSE Local Security Checks)
  Title: SUSE SLES11 Security Update : dnsmasq (SUSE-SU-2017:2617-1)
  Description: This update for dnsmasq fixes the following security issues : - CVE-2017-14491: 2 byte heap based overflow. [bsc#1060354] - CVE-2017-14492: heap based overflow. [bsc#1060355] - CVE-2017-14493: stack based overflow. [bsc#1060360] - CVE-2017-14494: DHCP - info leak. [bsc#1060361] - CVE-2017-14495: DNS - OOM DoS. [bsc#1060362] - CVE-2017-14496: DNS - DoS Integer underflow. [bsc#1060364] This update brings a (small) potential incompatibility in the handling of
  Plugin id: 103638 | Published: 2017-10-03 | Modified: 2017-10-03 | Last seen: 2020-05-09
  Reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  Source: https://www.tenable.com/plugins/nessus/103638

- OPENSUSE-2015-359.NASL (NASL family: SuSE Local Security Checks)
  Title: openSUSE Security Update : dnsmasq (openSUSE-2015-359)
  Description: The DNS server dnsmasq was updated to fix one security issue. The following vulnerability was fixed : - CVE-2015-3294: A remote unauthenticated attacker could have caused a denial of service (DoS) or read heap memory, potentially disclosing information such as performed DNS queries or encryption keys. (bsc#928867)
  Plugin id: 83398 | Published: 2015-05-13 | Modified: 2015-05-13 | Last seen: 2020-06-05
  Reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
  Source: https://www.tenable.com/plugins/nessus/83398

- SUSE_SU-2017-2616-1.NASL (NASL family: SuSE Local Security Checks)
  Title: SUSE SLES12 Security Update : dnsmasq (SUSE-SU-2017:2616-1)
  Description: This update for dnsmasq fixes the following issues. Remedy the following security issues : - CVE-2017-14491: 2 byte heap based overflow. [bsc#1060354] - CVE-2017-14492: heap based overflow. [bsc#1060355] - CVE-2017-14493: stack based overflow. [bsc#1060360] - CVE-2017-14494: DHCP - info leak. [bsc#1060361] - CVE-2017-14495: DNS - OOM DoS. [bsc#1060362] - CVE-2017-14496: DNS - DoS Integer underflow. [bsc#1060364] - Prevent a man-in-the-middle attack (bsc#972164, fate#321175). Furthermore, the following issues have been fixed : - Fix DHCP relaying, broken in 2.76 and 2.77. - Update to version 2.78 (fate#321175, fate#322030, bsc#1035227). - Fix PXE booting for UEFI architectures (fate#322030). - Drop PrivateDevices=yes which breaks logging (bsc#902511, bsc#904537). - Build with support for DNSSEC (fate#318323, bsc#908137). Please note that this update brings a (small) potential incompatibility in the handling of
  Plugin id: 103637 | Published: 2017-10-03 | Modified: 2017-10-03 | Last seen: 2020-05-09
  Reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  Source: https://www.tenable.com/plugins/nessus/103637

- DNSMASQ_DOS-CVE-2015-3294.NASL (NASL family: DNS)
  Title: dnsmasq < 2.73rc4 setup_reply() Function Return Value Checking Information Disclosure
  Description: The remote dnsmasq server is running a version prior to 2.73rc4. It is, therefore, affected by an information disclosure vulnerability due to not properly checking the return value from the setup_reply() function during TCP connections. An unauthenticated, remote attacker can exploit this to disclose sensitive information.
  Plugin id: 87596 | Published: 2015-12-22 | Modified: 2020-06-02 | Last seen: 2020-06-01
  Reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  Source: https://www.tenable.com/plugins/nessus/87596

- SUSE_SU-2015-1015-1.NASL (NASL family: SuSE Local Security Checks)
  Title: SUSE SLED11 / SLES11 Security Update : dnsmasq (SUSE-SU-2015:1015-1)
  Description: The DNS server dnsmasq was updated to fix one security issue and one non-security bug : CVE-2015-3294: A remote unauthenticated attacker could have caused a denial of service (DoS) or read memory from the heap, potentially disclosing information such as performed DNS queries or encryption keys. (bsc#928867) bsc#923144: When the answer to an upstream query is a CNAME pointing to an A/AAAA record which is present locally (/etc/hosts), allow caching when the upstream and local A/AAAA records have the same value. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  Plugin id: 84081 | Published: 2015-06-10 | Modified: 2020-06-02 | Last seen: 2020-06-01
  Reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  Source: https://www.tenable.com/plugins/nessus/84081

- EULEROS_SA-2016-1044.NASL (NASL family: Huawei Local Security Checks)
  Title: EulerOS 2.0 SP1 : dnsmasq (EulerOS-SA-2016-1044)
  Description: According to the versions of the dnsmasq package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-allocated addresses to appear in the DNS with names configured either in each host or in a central configuration file. Dnsmasq supports static and dynamic DHCP leases and BOOTP for network booting of diskless machines. - Security Fix(es) - The tcp_request function in Dnsmasq before 2.73rc4 does not properly handle the return value of the setup_reply function, which allows remote attackers to read process memory and cause a denial of service (out-of-bounds read and crash) via a malformed DNS request. (CVE-2015-3294) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  Plugin id: 99807 | Published: 2017-05-01 | Modified: 2017-05-01 | Last seen: 2020-05-06
  Reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  Source: https://www.tenable.com/plugins/nessus/99807

- UBUNTU_USN-2593-1.NASL (NASL family: Ubuntu Local Security Checks)
  Title: Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : dnsmasq vulnerability (USN-2593-1)
  Description: Nick Sampanis discovered that Dnsmasq incorrectly handled certain malformed DNS requests. A remote attacker could use this issue to cause Dnsmasq to crash, resulting in a denial of service, or possibly obtain sensitive information. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  Plugin id: 83252 | Published: 2015-05-05 | Modified: 2020-06-02 | Last seen: 2020-06-01
  Reporter: Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  Source: https://www.tenable.com/plugins/nessus/83252

- SUSE_SU-2015-0979-1.NASL (NASL family: SuSE Local Security Checks)
  Title: SUSE SLED12 / SLES12 Security Update : dnsmasq (SUSE-SU-2015:0979-1)
  Description: The DNS server dnsmasq was updated to fix one security issue and one non-security bug. The following vulnerability was fixed : - CVE-2015-3294: A remote unauthenticated attacker could have caused a denial of service (DoS) or read heap memory, potentially disclosing information such as performed DNS queries or encryption keys. (bsc#928867) The following bug was fixed : - bsc#923144: When the answer to an upstream query is a CNAME pointing to an A/AAAA record which is present locally (/etc/hosts), allow caching when the upstream and local A/AAAA records have the same value. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  Plugin id: 83948 | Published: 2015-06-02 | Modified: 2020-06-02 | Last seen: 2020-06-01
  Reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  Source: https://www.tenable.com/plugins/nessus/83948

- DEBIAN_DSA-3251.NASL (NASL family: Debian Local Security Checks)
  Title: Debian DSA-3251-1 : dnsmasq - security update
  Description: Nick Sampanis discovered that dnsmasq, a small caching DNS proxy and DHCP/TFTP server, did not properly check the return value of the setup_reply() function called during a TCP connection, which is then used as a size argument in a function which writes data on the client
  Plugin id: 83253 | Published: 2015-05-06 | Modified: 2020-06-02 | Last seen: 2020-06-01
  Reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
  Source: https://www.tenable.com/plugins/nessus/83253

- GENTOO_GLSA-201512-01.NASL (NASL family: Gentoo Local Security Checks)
  Title: GLSA-201512-01 : Dnsmasq: Denial of Service
  Description: The remote host is affected by the vulnerability described in GLSA-201512-01 (Dnsmasq: Denial of Service). An out-of-bounds read vulnerability has been found in the tcp_request function in Dnsmasq. Impact : A remote attacker could send a specially crafted DNS request, possibly resulting in a Denial of Service condition. Workaround : There is no known workaround at this time.
  Plugin id: 87484 | Published: 2015-12-18 | Modified: 2020-06-02 | Last seen: 2020-06-01
  Reporter: This script is Copyright (C) 2015 Tenable Network Security, Inc.
  Source: https://www.tenable.com/plugins/nessus/87484

- FREEBSD_PKG_37569EB7012511E59D98080027EF73EC.NASL (NASL family: FreeBSD Local Security Checks)
  Title: FreeBSD : dnsmasq -- data exposure and denial of service (37569eb7-0125-11e5-9d98-080027ef73ec)
  Description: Nick Sampanis reported a potential memory exposure and denial of service vulnerability against dnsmasq 2.72. The CVE entry summarizes this as : The tcp_request function in Dnsmasq before 2.73rc4 does not properly handle the return value of the setup_reply function, which allows remote attackers to read process memory and cause a denial of service (out-of-bounds read and crash) via a malformed DNS request.
  Plugin id: 83793 | Published: 2015-05-26 | Modified: 2020-06-02 | Last seen: 2020-06-01
  Reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
  Source: https://www.tenable.com/plugins/nessus/83793

- SUSE_SU-2017-2619-1.NASL (NASL family: SuSE Local Security Checks)
  Title: SUSE SLES11 Security Update : dnsmasq (SUSE-SU-2017:2619-1)
  Description: This update for dnsmasq fixes the following security issues : - CVE-2017-14491: 2 byte heap based overflow. [bsc#1060354] - CVE-2017-14492: heap based overflow. [bsc#1060355] - CVE-2017-14493: stack based overflow. [bsc#1060360] - CVE-2017-14494: DHCP - info leak. [bsc#1060361] - CVE-2017-14495: DNS - OOM DoS. [bsc#1060362] - CVE-2017-14496: DNS - DoS Integer underflow. [bsc#1060364] This update brings a (small) potential incompatibility in the handling of
  Plugin id: 103640 | Published: 2017-10-03 | Modified: 2017-10-03 | Last seen: 2020-05-09
  Reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  Source: https://www.tenable.com/plugins/nessus/103640

- DEBIAN_DLA-225.NASL (NASL family: Debian Local Security Checks)
  Title: Debian DLA-225-1 : dnsmasq security update
  Description: The following vulnerability was found in dnsmasq : CVE-2015-3294 Remote attackers could read process memory and cause DoS via malformed DNS requests. For Debian 6
  Plugin id: 83747 | Published: 2015-05-21 | Modified: 2015-05-21 | Last seen: 2020-03-17
  Reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
  Source: https://www.tenable.com/plugins/nessus/83747
References
- http://lists.opensuse.org/opensuse-updates/2015-05/msg00013.html
- http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009382.html
- http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009387.html
- http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=ad4a8ff7d9097008d7623df8543df435bfddeac8
- http://www.debian.org/security/2015/dsa-3251
- http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
- http://www.securityfocus.com/archive/1/535354/100/1100/threaded
- http://www.securityfocus.com/bid/74452
- http://www.securitytracker.com/id/1032195
- http://www.ubuntu.com/usn/USN-2593-1
- https://security.gentoo.org/glsa/201512-01