Dnsmasq vulnerability puts home routers and IoT devices at risk

Vulnerability researchers at Google have uncovered exploitable software flaws in code running on internet-connected devices that could allow a malicious hacker to run remotely any code of their choosing.

The Dnsmasq network services software, popular because of its easy configuration and low impact on resources, is commonly pre-installed on a wide variety of systems, including Linux distributions, home routers and IoT devices.

In a blog post published on Monday, Google researchers explained how they had discovered “seven distinct issues” in Dnsmasq while conducting a regular internal security review.

One of the flaws is described as a “trivial-to-exploit” DHCP-based buffer overflow vulnerability that can be combined with another information-leaking exploit to bypass protection systems and gain remote code execution.

In short, an attacker could exploit the flaws to execute malicious code on a vulnerable device and hijack it for their own purposes. As we’ve seen many times in the past, malicious hackers find it all too easy to seize control of poorly-secured IoT devices to assist them in their criminal activities such as distributed denial-of-service (DDoS) attacks.

In this particular instance, an attacker may have to be a little more creative than normal to exploit vulnerable devices – but you still don’t want at-risk devices on your network, do you?

A search on Shodan reveals that there are approximately 1.1 million internet-facing devices currently running Dnsmasq services.

Google’s research team says that after it recognised the severity of the issue, it worked with the maintainer of Dnsmasq to produce fixes, which have since been released as version 2.78. Furthermore, patches have been included in the Android monthly security update for October.
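One way to act on the 2.78 fix level when auditing devices you run, as an added example that is not from the article or from Google's post. It assumes you have already collected each device's banner, either the first line of `dnsmasq -v` or the text Dnsmasq returns to a `version.bind` query; the `host|banner` inventory format, the function names and the sample lines are constructed for illustration.

```shell
# Added example: flag dnsmasq banners older than 2.78, the fixed release.
FIXED_MAJOR=2
FIXED_MINOR=78

# Pull "MAJOR.MINOR" out of a banner. Handles the two common shapes:
#   "Dnsmasq version 2.76  Copyright ..."   (output of `dnsmasq -v`)
#   "dnsmasq-2.77"                          (answer to a version.bind query)
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*[Dd]nsmasq[- ]\(version \)*\([0-9][0-9]*\.[0-9][0-9]*\).*/\2/p'
}

# Print needs-update, fixed, or unknown for one banner.
classify() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo unknown            # not dnsmasq, or banner hidden or rewritten
        return 0
    fi
    major=${ver%%.*}
    minor=${ver#*.}
    # Compare the parts as integers: as a decimal, 2.8 would look newer than 2.78.
    if [ "$major" -lt "$FIXED_MAJOR" ] ||
       { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -lt "$FIXED_MINOR" ]; }; then
        echo needs-update
    else
        echo fixed
    fi
}

# Read "host|banner" lines (hypothetical inventory format) and label each host.
triage() {
    while IFS='|' read -r host banner; do
        [ -n "$host" ] || continue
        printf '%s %s\n' "$host" "$(classify "$banner")"
    done
}

# Constructed sample inventory using documentation addresses.
sample_inventory() {
    cat <<'EOF'
192.0.2.10|Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
192.0.2.11|dnsmasq-2.78
192.0.2.12|dnsmasq-2.8
192.0.2.13|unbound 1.6.0
EOF
}

sample_inventory | triage
```

Distribution and vendor builds can carry backported fixes under an older version number, so read `needs-update` as "check this device against its vendor's advisory" rather than as proof that it is exploitable.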

My concern is that some manufacturers are selling IoT devices and routers at a very low price, making tiny margins. As a result, some will feel little incentive to develop and push out a patch to their userbase – if indeed any updating infrastructure is available at all.

As always, be sure to pester your firmware manufacturers for updates, or consider voting with your wallet – boycotting those vendors who are failing to keep your IoT devices patched against the latest vulnerabilities.


  • By Pezno Fizzeen

    “…consider voting with your wallet – boycotting those vendors who are failing to keep your IoT devices patched against the latest vulnerabilities.”

    I had to chuckle when I read that. Maybe router manufacturers might issue patches, but the same nearly total ignorance of best security practices that is common to the vast majority of producers who are jumping into the IoT devices fad suggests that it’s a futile hope to expect patches from them.

    The problem is actually worse than that. A boycott only works if enough people do it, and the same ignorance common to IoT device makers is epidemic among consumers. I would wager that most of the folks who think all these IoT gizmos are just so cool don’t even think about security. I doubt most of them even subscribe to a security blog or newsletter.

    It takes an unusually enlightened person to pester “firmware manufacturers for updates” or boycott products that don’t measure up security-wise. Unfortunately, such people are, in my experience, a minority.

    • By coyote

      Knowing Graham he probably was saying you get what you pay for. Based on the context it seems entirely likely too: particularly the paragraph immediately before the one you quote.

      You’re right that the average (majority) users of IoT devices won’t care and most won’t even know; most probably don’t even know there is a term for the scary amount of devices connected to the Internet (and they probably think it’s only exciting and wonderful; nothing scary about it)! You’re right: the people who are aware of these things and do care are in a minority; an extremely small minority at that. That makes it all the more scary.
