ID CVE-2012-3411
Summary Dnsmasq before 2.63test1, when used with certain libvirt configurations, replies to requests from prohibited interfaces, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed DNS query.
References
Vulnerable Configurations
  • thekelleys dnsmasq 0.4
    cpe:2.3:a:thekelleys:dnsmasq:0.4
  • thekelleys dnsmasq 0.6
    cpe:2.3:a:thekelleys:dnsmasq:0.6
  • thekelleys dnsmasq 0.5
    cpe:2.3:a:thekelleys:dnsmasq:0.5
  • thekelleys dnsmasq 0.95
    cpe:2.3:a:thekelleys:dnsmasq:0.95
  • thekelleys dnsmasq 0.7
    cpe:2.3:a:thekelleys:dnsmasq:0.7
  • thekelleys dnsmasq 0.98
    cpe:2.3:a:thekelleys:dnsmasq:0.98
  • thekelleys dnsmasq 0.96
    cpe:2.3:a:thekelleys:dnsmasq:0.96
  • thekelleys dnsmasq 0.996
    cpe:2.3:a:thekelleys:dnsmasq:0.996
  • thekelleys dnsmasq 0.992
    cpe:2.3:a:thekelleys:dnsmasq:0.992
  • thekelleys dnsmasq 1.2
    cpe:2.3:a:thekelleys:dnsmasq:1.2
  • thekelleys dnsmasq 1.0
    cpe:2.3:a:thekelleys:dnsmasq:1.0
  • thekelleys dnsmasq 1.4
    cpe:2.3:a:thekelleys:dnsmasq:1.4
  • thekelleys dnsmasq 1.3
    cpe:2.3:a:thekelleys:dnsmasq:1.3
  • thekelleys dnsmasq 2.25
    cpe:2.3:a:thekelleys:dnsmasq:2.25
  • thekelleys dnsmasq 2.14
    cpe:2.3:a:thekelleys:dnsmasq:2.14
  • thekelleys dnsmasq 2.15
    cpe:2.3:a:thekelleys:dnsmasq:2.15
  • thekelleys dnsmasq 2.12
    cpe:2.3:a:thekelleys:dnsmasq:2.12
  • thekelleys dnsmasq 2.13
    cpe:2.3:a:thekelleys:dnsmasq:2.13
  • thekelleys dnsmasq 2.10
    cpe:2.3:a:thekelleys:dnsmasq:2.10
  • thekelleys dnsmasq 2.11
    cpe:2.3:a:thekelleys:dnsmasq:2.11
  • thekelleys dnsmasq 2.8
    cpe:2.3:a:thekelleys:dnsmasq:2.8
  • thekelleys dnsmasq 2.9
    cpe:2.3:a:thekelleys:dnsmasq:2.9
  • thekelleys dnsmasq 2.6
    cpe:2.3:a:thekelleys:dnsmasq:2.6
  • thekelleys dnsmasq 2.7
    cpe:2.3:a:thekelleys:dnsmasq:2.7
  • thekelleys dnsmasq 2.4
    cpe:2.3:a:thekelleys:dnsmasq:2.4
  • thekelleys dnsmasq 2.5
    cpe:2.3:a:thekelleys:dnsmasq:2.5
  • thekelleys dnsmasq 2.22
    cpe:2.3:a:thekelleys:dnsmasq:2.2
  • thekelleys dnsmasq 2.3
    cpe:2.3:a:thekelleys:dnsmasq:2.3
  • thekelleys dnsmasq 2.1
    cpe:2.3:a:thekelleys:dnsmasq:2.1
  • thekelleys dnsmasq 2.0
    cpe:2.3:a:thekelleys:dnsmasq:2.0
  • thekelleys dnsmasq 1.18
    cpe:2.3:a:thekelleys:dnsmasq:1.18
  • thekelleys dnsmasq 1.17
    cpe:2.3:a:thekelleys:dnsmasq:1.17
  • thekelleys dnsmasq 1.16
    cpe:2.3:a:thekelleys:dnsmasq:1.16
  • thekelleys dnsmasq 1.15
    cpe:2.3:a:thekelleys:dnsmasq:1.15
  • thekelleys dnsmasq 1.14
    cpe:2.3:a:thekelleys:dnsmasq:1.14
  • thekelleys dnsmasq 1.13
    cpe:2.3:a:thekelleys:dnsmasq:1.13
  • thekelleys dnsmasq 1.12
    cpe:2.3:a:thekelleys:dnsmasq:1.12
  • thekelleys dnsmasq 1.11
    cpe:2.3:a:thekelleys:dnsmasq:1.11
  • thekelleys dnsmasq 1.10
    cpe:2.3:a:thekelleys:dnsmasq:1.10
  • thekelleys dnsmasq 1.9
    cpe:2.3:a:thekelleys:dnsmasq:1.9
  • thekelleys dnsmasq 1.8
    cpe:2.3:a:thekelleys:dnsmasq:1.8
  • thekelleys dnsmasq 1.7
    cpe:2.3:a:thekelleys:dnsmasq:1.7
  • thekelleys dnsmasq 1.6
    cpe:2.3:a:thekelleys:dnsmasq:1.6
  • thekelleys dnsmasq 1.5
    cpe:2.3:a:thekelleys:dnsmasq:1.5
  • thekelleys dnsmasq 2.45
    cpe:2.3:a:thekelleys:dnsmasq:2.45
  • thekelleys dnsmasq 2.46
    cpe:2.3:a:thekelleys:dnsmasq:2.46
  • thekelleys dnsmasq 2.47
    cpe:2.3:a:thekelleys:dnsmasq:2.47
  • thekelleys dnsmasq 2.48
    cpe:2.3:a:thekelleys:dnsmasq:2.48
  • thekelleys dnsmasq 2.41
    cpe:2.3:a:thekelleys:dnsmasq:2.41
  • thekelleys dnsmasq 2.42
    cpe:2.3:a:thekelleys:dnsmasq:2.42
  • thekelleys dnsmasq 2.43
    cpe:2.3:a:thekelleys:dnsmasq:2.43
  • thekelleys dnsmasq 2.44
    cpe:2.3:a:thekelleys:dnsmasq:2.44
  • thekelleys dnsmasq 2.49
    cpe:2.3:a:thekelleys:dnsmasq:2.49
  • thekelleys dnsmasq 2.22
    cpe:2.3:a:thekelleys:dnsmasq:2.22
  • thekelleys dnsmasq 2.40
    cpe:2.3:a:thekelleys:dnsmasq:2.40
  • thekelleys dnsmasq 2.35
    cpe:2.3:a:thekelleys:dnsmasq:2.35
  • thekelleys dnsmasq 2.36
    cpe:2.3:a:thekelleys:dnsmasq:2.36
  • thekelleys dnsmasq 2.37
    cpe:2.3:a:thekelleys:dnsmasq:2.37
  • thekelleys dnsmasq 2.38
    cpe:2.3:a:thekelleys:dnsmasq:2.38
  • thekelleys dnsmasq 2.39
    cpe:2.3:a:thekelleys:dnsmasq:2.39
  • thekelleys dnsmasq 2.31
    cpe:2.3:a:thekelleys:dnsmasq:2.31
  • thekelleys dnsmasq 2.30
    cpe:2.3:a:thekelleys:dnsmasq:2.30
  • thekelleys dnsmasq 2.34
    cpe:2.3:a:thekelleys:dnsmasq:2.34
  • thekelleys dnsmasq 2.32
    cpe:2.3:a:thekelleys:dnsmasq:2.33
  • thekelleys dnsmasq 2.27
    cpe:2.3:a:thekelleys:dnsmasq:2.27
  • thekelleys dnsmasq 2.26
    cpe:2.3:a:thekelleys:dnsmasq:2.26
  • thekelleys dnsmasq 2.29
    cpe:2.3:a:thekelleys:dnsmasq:2.29
  • thekelleys dnsmasq 2.28
    cpe:2.3:a:thekelleys:dnsmasq:2.28
  • thekelleys dnsmasq 2.21
    cpe:2.3:a:thekelleys:dnsmasq:2.21
  • thekelleys dnsmasq 2.20
    cpe:2.3:a:thekelleys:dnsmasq:2.20
  • thekelleys dnsmasq 2.24
    cpe:2.3:a:thekelleys:dnsmasq:2.24
  • thekelleys dnsmasq 2.23
    cpe:2.3:a:thekelleys:dnsmasq:2.23
  • thekelleys dnsmasq 2.17
    cpe:2.3:a:thekelleys:dnsmasq:2.17
  • thekelleys dnsmasq 2.16
    cpe:2.3:a:thekelleys:dnsmasq:2.16
  • thekelleys dnsmasq 2.19
    cpe:2.3:a:thekelleys:dnsmasq:2.19
  • thekelleys dnsmasq 2.18
    cpe:2.3:a:thekelleys:dnsmasq:2.18
  • thekelleys dnsmasq 2.50
    cpe:2.3:a:thekelleys:dnsmasq:2.50
  • thekelleys dnsmasq 2.51
    cpe:2.3:a:thekelleys:dnsmasq:2.51
  • thekelleys dnsmasq 2.52
    cpe:2.3:a:thekelleys:dnsmasq:2.52
  • thekelleys dnsmasq 2.53
    cpe:2.3:a:thekelleys:dnsmasq:2.53
  • thekelleys dnsmasq 2.54
    cpe:2.3:a:thekelleys:dnsmasq:2.54
  • thekelleys dnsmasq 2.55
    cpe:2.3:a:thekelleys:dnsmasq:2.55
  • thekelleys dnsmasq 2.56
    cpe:2.3:a:thekelleys:dnsmasq:2.56
  • thekelleys dnsmasq 2.57
    cpe:2.3:a:thekelleys:dnsmasq:2.57
  • thekelleys dnsmasq 2.58
    cpe:2.3:a:thekelleys:dnsmasq:2.58
  • thekelleys dnsmasq 2.59
    cpe:2.3:a:thekelleys:dnsmasq:2.59
  • thekelleys dnsmasq 2.60
    cpe:2.3:a:thekelleys:dnsmasq:2.60
  • thekelleys dnsmasq 2.61
    cpe:2.3:a:thekelleys:dnsmasq:2.61
  • thekelleys dnsmasq 2.62
    cpe:2.3:a:thekelleys:dnsmasq:2.62
  • thekelleys dnsmasq
    cpe:2.3:a:thekelleys:dnsmasq
CVSS
Base: 5.0 (as of 06-03-2013 - 08:42)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-20531.NASL
    description - Fix conflict with NM launched dnsmasq (bz #886663) - Rebased to version 0.9.11.8 - CVE-2012-3411: avoid open DNS proxy with dnsmasq (bz #874702, bz #882309) - Don't ignore address for USB disks (bz #861309) - Fix error with blkdeviotune (bz #872582) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 63375
    published 2013-01-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63375
    title Fedora 17 : libvirt-0.9.11.8-2.fc17 (2012-20531)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-20577.NASL
    description - Fix scriplet warning when uninstalling libvirt-client (bz #888071) - Fix conflict with NM launched dnsmasq (bz #886663) - Fix selinux denials when launching non-kvm qemu guests (bz #885837) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 63311
    published 2012-12-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63311
    title Fedora 18 : libvirt-0.10.2.2-3.fc18 (2012-20577)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201406-24.NASL
    description The remote host is affected by the vulnerability described in GLSA-201406-24 (Dnsmasq: Denial of Service) When used with certain libvirt configurations Dnsmasq replies to queries from prohibited interfaces. Impact : A remote attackers can cause a Denial of Service via spoofed TCP based DNS queries. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 76226
    published 2014-06-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76226
    title GLSA-201406-24 : Dnsmasq: Denial of Service
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0579.NASL
    description An updated rhev-hypervisor6 package that fixes three security issues, various bugs, and adds an enhancement is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found in the way the vhost kernel module handled descriptors that spanned multiple regions. A privileged guest user could use this flaw to crash the host or, potentially, escalate their privileges on the host. (CVE-2013-0311) It was found that the default SCSI command filter does not accommodate commands that overlap across device classes. A privileged guest user could potentially use this flaw to write arbitrary data to a LUN that is passed-through as read-only. (CVE-2012-4542) It was discovered that dnsmasq, when used in combination with certain libvirtd configurations, could incorrectly process network packets from network interfaces that were intended to be prohibited. A remote, unauthenticated attacker could exploit this flaw to cause a denial of service via DNS amplification attacks. (CVE-2012-3411) The CVE-2012-4542 issue was discovered by Paolo Bonzini of Red Hat. This updated package provides updated components that include fixes for several security issues. These issues had no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers : CVE-2012-3955 (dhcp issue) CVE-2011-4355 (gdb issue) CVE-2012-4508, CVE-2013-0190, CVE-2013-0309, and CVE-2013-0310 (kernel issues) CVE-2012-5536 (openssh issue) CVE-2011-3148 and CVE-2011-3149 (pam issues) CVE-2013-0157 (util-linux-ng issue) This updated Red Hat Enterprise Virtualization Hypervisor package also fixes the following bugs : * Previously, the Administration Portal would always display the option to upgrade the Red Hat Enterprise Virtualization Hypervisor ISO regardless of whether or not the selected host was up-to-date. Now, the VDSM version compatibility is considered and the upgrade message only displays if there is an upgrade relevant to the host available. (BZ#853092) * An out of date version of libvirt was included in the Red Hat Enterprise Virtualization Hypervisor 6.4 package. As a result, virtual machines with supported CPU models were not being properly parsed by libvirt and failed to start. A more recent version of libvirt has been included in this updated hypervisor package. Virtual machines now start normally. (BZ#895078) As well, this update adds the following enhancement : * Hypervisor packages now take advantage of the installonlypkg function provided by yum. This allows for multiple versions of the hypervisor package to be installed on a system concurrently without making changes to the yum configuration as was previously required. (BZ#863579) This update includes the ovirt-node build from RHBA-2013:0556 : https://rhn.redhat.com/errata/RHBA-2013-0556.html Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which fixes these issues and adds this enhancement.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 78950
    published 2014-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78950
    title RHEL 6 : rhev-hypervisor6 (RHSA-2013:0579)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2013-072.NASL
    description Updated dnsmasq packages fix security vulnerabilities : When dnsmasq before 2.63 is used in conjunctions with certain configurations of libvirtd, network packets from prohibited networks (e.g. packets that should not be passed in) may be sent to the dnsmasq application and processed. This can result in DNS amplification attacks for example (CVE-2012-3411). This update adds a new option --bind-dynamic which is immune to this problem. Updated dnsmasq packages fix security vulnerabilities (CVE-2013-0198) : This update completes the fix for CVE-2012-3411 provided with dnsmasq-2.63. It was found that after the upstream patch for CVE-2012-3411 issue was applied, dnsmasq still : - replied to remote TCP-protocol based DNS queries (UDP protocol ones were corrected, but TCP ones not) from prohibited networks, when the --bind-dynamic option was used, - when --except-interface lo option was used dnsmasq didn't answer local or remote UDP DNS queries, but still allowed TCP protocol based DNS queries, - when --except-interface lo option was not used local / remote TCP DNS queries were also still answered by dnsmasq. This update fix these three cases.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 66086
    published 2013-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66086
    title Mandriva Linux Security Advisory : dnsmasq (MDVSA-2013:072)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-1357.NASL
    description From dnsmasq's CHANGELOG : Add code to make behaviour for TCP DNS requests that same as for UDP requests, when a request arrives for an allowed address, but via a banned interface. This change is only active on Linux, since the relevant API is missing (AFAIK) on other platforms. - dnsmasq now answers local queries if --except-interface lo is used (libvirt's use case). - dnsmasq is now built with $RPM_OPT_FLAGS, $RPM_LD_FLAGS explicitly. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 64592
    published 2013-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64592
    title Fedora 18 : dnsmasq-2.65-4.fc18 (2013-1357)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-0276.NASL
    description Updated libvirt packages that fix one security issue, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. It was discovered that libvirt made certain invalid assumptions about dnsmasq's command line options when setting up DNS masquerading for virtual machines, resulting in dnsmasq incorrectly processing network packets from network interfaces that were intended to be prohibited. This update includes the changes necessary to call dnsmasq with a new command line option, which was introduced to dnsmasq via RHSA-2013:0277. (CVE-2012-3411) In order for libvirt to be able to make use of the new command line option (--bind-dynamic), updated dnsmasq packages need to be installed. Refer to RHSA-2013:0277 for additional information. These updated libvirt packages include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes. All users of libvirt are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing the updated packages, libvirtd must be restarted ('service libvirtd restart') for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 65132
    published 2013-03-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65132
    title CentOS 6 : libvirt (CESA-2013:0276)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-1320.NASL
    description From dnsmasq's CHANGELOG : Add code to make behaviour for TCP DNS requests that same as for UDP requests, when a request arrives for an allowed address, but via a banned interface. This change is only active on Linux, since the relevant API is missing (AFAIK) on other platforms. - dnsmasq now answers local queries if --except-interface lo is used (libvirt's use case). - dnsmasq is now built with $RPM_OPT_FLAGS, $RPM_LD_FLAGS explicitly. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 64672
    published 2013-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64672
    title Fedora 17 : dnsmasq-2.65-4.fc17 (2013-1320)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-0277.NASL
    description Updated dnsmasq packages that fix one security issue, one bug, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server. It was discovered that dnsmasq, when used in combination with certain libvirtd configurations, could incorrectly process network packets from network interfaces that were intended to be prohibited. A remote, unauthenticated attacker could exploit this flaw to cause a denial of service via DNS amplification attacks. (CVE-2012-3411) In order to fully address this issue, libvirt package users are advised to install updated libvirt packages. Refer to RHSA-2013:0276 for additional information. This update also fixes the following bug : * Due to a regression, the lease change script was disabled. Consequently, the 'dhcp-script' option in the /etc/dnsmasq.conf configuration file did not work. This update corrects the problem and the 'dhcp-script' option now works as expected. (BZ#815819) This update also adds the following enhancements : * Prior to this update, dnsmasq did not validate that the tftp directory given actually existed and was a directory. Consequently, configuration errors were not immediately reported on startup. This update improves the code to validate the tftp root directory option. As a result, fault finding is simplified especially when dnsmasq is called by external processes such as libvirt. (BZ#824214) * The dnsmasq init script used an incorrect Process Identifier (PID) in the 'stop', 'restart', and 'condrestart' commands. Consequently, if there were some dnsmasq instances running besides the system one started by the init script, then repeated calling of 'service dnsmasq' with 'stop' or 'restart' would kill all running dnsmasq instances, including ones not started with the init script. The dnsmasq init script code has been corrected to obtain the correct PID when calling the 'stop', 'restart', and 'condrestart' commands. As a result, if there are dnsmasq instances running in addition to the system one started by the init script, then by calling 'service dnsmasq' with 'stop' or 'restart' only the system one is stopped or restarted. (BZ#850944) * When two or more dnsmasq processes were running with DHCP enabled on one interface, DHCP RELEASE packets were sometimes lost. Consequently, when two or more dnsmasq processes were running with DHCP enabled on one interface, releasing IP addresses sometimes failed. This update sets the SO_BINDTODEVICE socket option on DHCP sockets if running dnsmasq with DHCP enabled on one interface. As a result, when two or more dnsmasq processes are running with DHCP enabled on one interface, they can release IP addresses as expected. (BZ#887156) All users of dnsmasq are advised to upgrade to these updated packages, which fix these issues and add these enhancements.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 65133
    published 2013-03-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65133
    title CentOS 6 : dnsmasq (CESA-2013:0277)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-0277.NASL
    description From Red Hat Security Advisory 2013:0277 : Updated dnsmasq packages that fix one security issue, one bug, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server. It was discovered that dnsmasq, when used in combination with certain libvirtd configurations, could incorrectly process network packets from network interfaces that were intended to be prohibited. A remote, unauthenticated attacker could exploit this flaw to cause a denial of service via DNS amplification attacks. (CVE-2012-3411) In order to fully address this issue, libvirt package users are advised to install updated libvirt packages. Refer to RHSA-2013:0276 for additional information. This update also fixes the following bug : * Due to a regression, the lease change script was disabled. Consequently, the 'dhcp-script' option in the /etc/dnsmasq.conf configuration file did not work. This update corrects the problem and the 'dhcp-script' option now works as expected. (BZ#815819) This update also adds the following enhancements : * Prior to this update, dnsmasq did not validate that the tftp directory given actually existed and was a directory. Consequently, configuration errors were not immediately reported on startup. This update improves the code to validate the tftp root directory option. As a result, fault finding is simplified especially when dnsmasq is called by external processes such as libvirt. (BZ#824214) * The dnsmasq init script used an incorrect Process Identifier (PID) in the 'stop', 'restart', and 'condrestart' commands. Consequently, if there were some dnsmasq instances running besides the system one started by the init script, then repeated calling of 'service dnsmasq' with 'stop' or 'restart' would kill all running dnsmasq instances, including ones not started with the init script. The dnsmasq init script code has been corrected to obtain the correct PID when calling the 'stop', 'restart', and 'condrestart' commands. As a result, if there are dnsmasq instances running in addition to the system one started by the init script, then by calling 'service dnsmasq' with 'stop' or 'restart' only the system one is stopped or restarted. (BZ#850944) * When two or more dnsmasq processes were running with DHCP enabled on one interface, DHCP RELEASE packets were sometimes lost. Consequently, when two or more dnsmasq processes were running with DHCP enabled on one interface, releasing IP addresses sometimes failed. This update sets the SO_BINDTODEVICE socket option on DHCP sockets if running dnsmasq with DHCP enabled on one interface. As a result, when two or more dnsmasq processes are running with DHCP enabled on one interface, they can release IP addresses as expected. (BZ#887156) All users of dnsmasq are advised to upgrade to these updated packages, which fix these issues and add these enhancements.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 68738
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68738
    title Oracle Linux 6 : dnsmasq (ELSA-2013-0277)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130221_DNSMASQ_ON_SL6_X.NASL
    description It was discovered that dnsmasq, when used in combination with certain libvirtd configurations, could incorrectly process network packets from network interfaces that were intended to be prohibited. A remote, unauthenticated attacker could exploit this flaw to cause a denial of service via DNS amplification attacks. (CVE-2012-3411) In order to fully address this issue, libvirt package users are advised to install updated libvirt packages. This update also fixes the following bug : - Due to a regression, the lease change script was disabled. Consequently, the 'dhcp-script' option in the /etc/dnsmasq.conf configuration file did not work. This update corrects the problem and the 'dhcp-script' option now works as expected. This update also adds the following enhancements : - Prior to this update, dnsmasq did not validate that the tftp directory given actually existed and was a directory. Consequently, configuration errors were not immediately reported on startup. This update improves the code to validate the tftp root directory option. As a result, fault finding is simplified especially when dnsmasq is called by external processes such as libvirt. - The dnsmasq init script used an incorrect Process Identifier (PID) in the 'stop', 'restart', and 'condrestart' commands. Consequently, if there were some dnsmasq instances running besides the system one started by the init script, then repeated calling of 'service dnsmasq' with 'stop' or 'restart' would kill all running dnsmasq instances, including ones not started with the init script. The dnsmasq init script code has been corrected to obtain the correct PID when calling the 'stop', 'restart', and 'condrestart' commands. As a result, if there are dnsmasq instances running in addition to the system one started by the init script, then by calling 'service dnsmasq' with 'stop' or 'restart' only the system one is stopped or restarted. - When two or more dnsmasq processes were running with DHCP enabled on one interface, DHCP RELEASE packets were sometimes lost. Consequently, when two or more dnsmasq processes were running with DHCP enabled on one interface, releasing IP addresses sometimes failed. This update sets the SO_BINDTODEVICE socket option on DHCP sockets if running dnsmasq with DHCP enabled on one interface. As a result, when two or more dnsmasq processes are running with DHCP enabled on one interface, they can release IP addresses as expected.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 64950
    published 2013-03-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64950
    title Scientific Linux Security Update : dnsmasq on SL6.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0276.NASL
    description Updated libvirt packages that fix one security issue, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. It was discovered that libvirt made certain invalid assumptions about dnsmasq's command line options when setting up DNS masquerading for virtual machines, resulting in dnsmasq incorrectly processing network packets from network interfaces that were intended to be prohibited. This update includes the changes necessary to call dnsmasq with a new command line option, which was introduced to dnsmasq via RHSA-2013:0277. (CVE-2012-3411) In order for libvirt to be able to make use of the new command line option (--bind-dynamic), updated dnsmasq packages need to be installed. Refer to RHSA-2013:0277 for additional information. These updated libvirt packages include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes. All users of libvirt are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing the updated packages, libvirtd must be restarted ('service libvirtd restart') for this update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 64749
    published 2013-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64749
    title RHEL 6 : libvirt (RHSA-2013:0276)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0277.NASL
    description Updated dnsmasq packages that fix one security issue, one bug, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server. It was discovered that dnsmasq, when used in combination with certain libvirtd configurations, could incorrectly process network packets from network interfaces that were intended to be prohibited. A remote, unauthenticated attacker could exploit this flaw to cause a denial of service via DNS amplification attacks. (CVE-2012-3411) In order to fully address this issue, libvirt package users are advised to install updated libvirt packages. Refer to RHSA-2013:0276 for additional information. This update also fixes the following bug : * Due to a regression, the lease change script was disabled. Consequently, the 'dhcp-script' option in the /etc/dnsmasq.conf configuration file did not work. This update corrects the problem and the 'dhcp-script' option now works as expected. (BZ#815819) This update also adds the following enhancements : * Prior to this update, dnsmasq did not validate that the tftp directory given actually existed and was a directory. Consequently, configuration errors were not immediately reported on startup. This update improves the code to validate the tftp root directory option. As a result, fault finding is simplified especially when dnsmasq is called by external processes such as libvirt. (BZ#824214) * The dnsmasq init script used an incorrect Process Identifier (PID) in the 'stop', 'restart', and 'condrestart' commands. Consequently, if there were some dnsmasq instances running besides the system one started by the init script, then repeated calling of 'service dnsmasq' with 'stop' or 'restart' would kill all running dnsmasq instances, including ones not started with the init script. The dnsmasq init script code has been corrected to obtain the correct PID when calling the 'stop', 'restart', and 'condrestart' commands. As a result, if there are dnsmasq instances running in addition to the system one started by the init script, then by calling 'service dnsmasq' with 'stop' or 'restart' only the system one is stopped or restarted. (BZ#850944) * When two or more dnsmasq processes were running with DHCP enabled on one interface, DHCP RELEASE packets were sometimes lost. Consequently, when two or more dnsmasq processes were running with DHCP enabled on one interface, releasing IP addresses sometimes failed. This update sets the SO_BINDTODEVICE socket option on DHCP sockets if running dnsmasq with DHCP enabled on one interface. As a result, when two or more dnsmasq processes are running with DHCP enabled on one interface, they can release IP addresses as expected. (BZ#887156) All users of dnsmasq are advised to upgrade to these updated packages, which fix these issues and add these enhancements.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 64750
    published 2013-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64750
    title RHEL 6 : dnsmasq (RHSA-2013:0277)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130221_LIBVIRT_ON_SL6_X.NASL
    description It was discovered that libvirt made certain invalid assumptions about dnsmasq's command line options when setting up DNS masquerading for virtual machines, resulting in dnsmasq incorrectly processing network packets from network interfaces that were intended to be prohibited. This update includes the changes necessary to call dnsmasq with a new command line option, which was introduced to dnsmasq via SLSA-2013:0277. (CVE-2012-3411) In order for libvirt to be able to make use of the new command line option (--bind-dynamic), updated dnsmasq packages need to be installed. Refer to SLSA-2013:0277 for additional information. After installing the updated packages, libvirtd must be restarted ('service libvirtd restart') for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 64953
    published 2013-03-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64953
    title Scientific Linux Security Update : libvirt on SL6.x i386/x86_64
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2013-161.NASL
    description It was discovered that dnsmasq, when used in combination with certain libvirtd configurations, could incorrectly process network packets from network interfaces that were intended to be prohibited. A remote, unauthenticated attacker could exploit this flaw to cause a denial of service via DNS amplification attacks. (CVE-2012-3411)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 69720
    published 2013-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69720
    title Amazon Linux AMI : dnsmasq (ALAS-2013-161)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-12598.NASL
    description 2.63 release Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 62050
    published 2012-09-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62050
    title Fedora 17 : dnsmasq-2.63-1.fc17 (2012-12598)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-0276.NASL
    description From Red Hat Security Advisory 2013:0276 : Updated libvirt packages that fix one security issue, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. It was discovered that libvirt made certain invalid assumptions about dnsmasq's command line options when setting up DNS masquerading for virtual machines, resulting in dnsmasq incorrectly processing network packets from network interfaces that were intended to be prohibited. This update includes the changes necessary to call dnsmasq with a new command line option, which was introduced to dnsmasq via RHSA-2013:0277. (CVE-2012-3411) In order for libvirt to be able to make use of the new command line option (--bind-dynamic), updated dnsmasq packages need to be installed. Refer to RHSA-2013:0277 for additional information. These updated libvirt packages include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes. All users of libvirt are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing the updated packages, libvirtd must be restarted ('service libvirtd restart') for this update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 68737
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68737
    title Oracle Linux 6 : libvirt (ELSA-2013-0276)
  • NASL family DNS
    NASL id DNSMASQ_DOS-CVE-2012-3411.NASL
    description The remote dnsmasq server is running a version prior to 2.63test1. It is, therefore, affected by a denial of service vulnerability in libvirtd due to improper parsing of malformed network packets. An unauthenticated, remote attacker can exploit this to cause an amplification of a large amount of DNS queries, resulting in a denial of service condition.
    last seen 2019-02-21
    modified 2018-07-10
    plugin id 87594
    published 2015-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87594
    title dnsmasq < 2.63test1 libvirtd TCP Network Packet Parsing Response DNS Amplification DoS
redhat via4
advisories
  • bugzilla
    id 896403
    title delete snapshot which name contain '/' lead to libvirtd crash
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment libvirt is earlier than 0:0.10.2-18.el6
          oval oval:com.redhat.rhsa:tst:20130276005
        • comment libvirt is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20131581006
      • AND
        • comment libvirt-client is earlier than 0:0.10.2-18.el6
          oval oval:com.redhat.rhsa:tst:20130276009
        • comment libvirt-client is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20131581008
      • AND
        • comment libvirt-devel is earlier than 0:0.10.2-18.el6
          oval oval:com.redhat.rhsa:tst:20130276007
        • comment libvirt-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20131581010
      • AND
        • comment libvirt-lock-sanlock is earlier than 0:0.10.2-18.el6
          oval oval:com.redhat.rhsa:tst:20130276013
        • comment libvirt-lock-sanlock is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20131581014
      • AND
        • comment libvirt-python is earlier than 0:0.10.2-18.el6
          oval oval:com.redhat.rhsa:tst:20130276011
        • comment libvirt-python is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20131581012
    rhsa
    id RHSA-2013:0276
    released 2013-02-21
    severity Moderate
    title RHSA-2013:0276: libvirt security, bug fix, and enhancement update (Moderate)
  • bugzilla
    id 884957
    title guest can not get NAT IP from dnsmasq-2.48-10
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment dnsmasq is earlier than 0:2.48-13.el6
          oval oval:com.redhat.rhsa:tst:20130277005
        • comment dnsmasq is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20130277006
      • AND
        • comment dnsmasq-utils is earlier than 0:2.48-13.el6
          oval oval:com.redhat.rhsa:tst:20130277007
        • comment dnsmasq-utils is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20130277008
    rhsa
    id RHSA-2013:0277
    released 2013-02-21
    severity Moderate
    title RHSA-2013:0277: dnsmasq security, bug fix and enhancement update (Moderate)
  • rhsa
    id RHSA-2013:0579
rpms
  • libvirt-0:0.10.2-18.el6
  • libvirt-client-0:0.10.2-18.el6
  • libvirt-devel-0:0.10.2-18.el6
  • libvirt-lock-sanlock-0:0.10.2-18.el6
  • libvirt-python-0:0.10.2-18.el6
  • dnsmasq-0:2.48-13.el6
  • dnsmasq-utils-0:2.48-13.el6
refmap via4
bid 54353
confirm
mandriva MDVSA-2013:072
misc
mlist [oss-security] 20120712 Re: Re: CVE Request -- dnsmasq: When being run by libvirt open DNS proxy (reachable out-of the virtual network set for the particular guest domain too) is created
Last major update 05-12-2013 - 00:15
Published 05-03-2013 - 16:38
Back to Top