ShapeBlue Security Advisory – DNSMasq Vulnerabilities

Overview

As you have likely heard, a number of security flaws were recently found in the DNSMasq tool. This tool is used by many systems to provide DNS and DHCP services, including by the CloudStack System VMs.

According to Google’s investigation into the software, out of seven issues, three — CVE-2017-14491, CVE-2017-14492, and CVE-2017-14493 — are remote code execution flaws caused by heap buffer overflow and stack buffer overflow errors through DHCP and DNS vectors.

Another issue, CVE-2017-14494, can be exploited to bypass the Address space layout randomization (ASLR) memory protection function, leading to information leaks.

In addition, three more bugs, CVE-2017-14495, CVE-2017-14496, and CVE-2017-13704, can lead to denial-of-service (DoS) attacks caused by invalid boundary checks, bug collision, and a coding issue.

Affect On CloudStack

CloudStack’s System VMs use DNSMasq to provide DNS and DHCP services to the guest VMs from the virtual routers.  These services are only exposed on the internal guest interface(s) of the virtual routers. Therefore a malicious user could compromise a virtual router to which they have a guest instance attached.

The Fix

On 9th October, an updated version of DNSMasq was released by the authors of DNSMasq for the Debian Wheezy Operating System which the CloudStack System VMs use.  We have created new versions of the System VM templates which should be used to replace your existing System VMs using the procedure described below.

A short-term fix for currently running System VMs (if they have internet access) is to log into the System VMs and run:

apt-get update
apt-get install dnsmasq dnsmasq-base dnsmasq-utils -y

For information on logging into System VMs please see: http://docs.cloudstack.apache.org/en/latest/administration_guide.html?#accessing-system-vms

The above procedure will patch existing virtual routers, but should a virtual router be destroyed and recreated or a new virtual router created, the subsequent virtual router will no longer be patched.

The full fix is to replace the existing System VM template(s) with the latest patched versions as well as recreating or patch existing virtual routers.

System VM Patching Procedure

ShapeBlue has built new System VM templates with updated DNSMasq for major CloudStack versions for XenServer, VMware and KVM hypervisors. We advise CloudStack users to upgrade to the appropriate System VM template and either

  1. Patch all existing virtual routers using the procedure above
    or
  2. Recreate all virtual routers using the procedure detailed in the link for updating system VM templates (below)

For ACS 4.10+: http://packages.shapeblue.com/systemvmtemplate/4.10/dnsmasq/
For ACS 4.6-4.9: http://packages.shapeblue.com/systemvmtemplate/4.6/dnsmasq/

The procedure for updating the system VM templates can be found here.

Further information

For ShapeBlue support customers, please contact the support team for further information.

For other CloudStack users, please use the community mailing lists.