Bug 1764425 (CVE-2019-14834)

Summary: CVE-2019-14834 dnsmasq: memory leak in the create_helper() function in /src/helper.c
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: code, dbecker, dominik.mierzejewski, dougsland, itamar, jima, jjoyce, jschluet, kbasil, laine, lhh, lpeer, mburns, p, pemensik, psampaio, ravpatil, sclewis, security-response-team, slinaber, thozza, veillard
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Dnsmasq application where a remote attacker can trigger a memory leak by sending specially crafted DHCP responses to the server. A successful attack is dependent on a specific configuration regarding the domain name set into the dnsmasq.conf file. Over time, the memory leak may cause the process to run out of memory and terminate, causing a denial of service.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:34:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1764426, 1795369, 1795370    
Bug Blocks: 1748230    

Description Dhananjay Arunesh 2019-10-23 04:13:39 UTC
A vulnerability was found in dnsmsq before version 2.81, where the memory leak allows remote attackers to cause a denial of service (memory consumption) via vectors involving DHCP response creation.

Upstream patch:

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=69bc94779c2f035a9fffdb5327a54c3aeca73ed5

References:

http://www.thekelleys.org.uk/dnsmasq/doc.html

Comment 1 Dhananjay Arunesh 2019-10-23 04:16:37 UTC
Created dnsmasq tracking bugs for this issue:

Affects: fedora-all [bug 1764426]

Comment 3 Joshua Padman 2019-12-13 00:25:39 UTC
Statement:

In Red Hat OpenStack Platform, which currently supports Red Hat Enterprise Linux 7.7, the dnsmasq package is pulled directly from the rhel-7-server-rpms channel. Red Hat OpenStack Platform's version is therefore unused, please ensure that the underlying Red Hat Enterprise Linux dnsmasq package is current.

Comment 6 Marco Benatto 2020-01-28 13:27:12 UTC
There's a flaw on dnsmasq which allows an attacker to cause DoS by sending specially crafted DHCP responses. The malicious responses triggers a memory leak on create_helper() function under certain conditions leading the process to run out of memory.
The availability impact is considered High as it denies the service for all users/systems depending on the affected dnsmasq instance, however the Attack Complexity can be considered High as a successful attack depends on a specific configuration.

Comment 7 Marco Benatto 2020-01-29 13:34:48 UTC
Acknowledgments:

Name: Xu Mingjie (varas@IIE)

Comment 8 Tomáš Hozza 2020-02-17 11:16:47 UTC
Hi. Do we have a reproducer?

Comment 9 Doran Moppert 2020-02-18 23:45:43 UTC
We don't have a reproducer; making a reliable one for QE would be a lot of work when the patch is so straightforward :).

Comment 10 errata-xmlrpc 2020-04-28 15:44:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1715 https://access.redhat.com/errata/RHSA-2020:1715

Comment 11 Product Security DevOps Team 2020-04-28 16:34:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14834

Comment 14 errata-xmlrpc 2020-09-29 19:30:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3878 https://access.redhat.com/errata/RHSA-2020:3878