Open source tools offer a lot of compelling advantages, with one of the biggest and most important being that they tend to have relatively fewer bugs and security flaws. The reason is that they’re open source initiatives, and anyone can dig into the source code and tweak it to make it better.
Unfortunately, there are exceptions to every rule, a fact that was brought into painful focus recently by a group of Google security researchers who found not one, not two, but a total of seven critical security flaws in an open source program called DNSMasq.
DNSMasq comes pre-installed on some Linux machines (Ubuntu and Debian) and is frequently used on home routers, smartphones and a variety of “smart” devices. Worldwide, there are approximately 1.1 million active installations.
Per the research team: “We discovered seven distinct issues over the course of our regular internal security assessments. Once we determined the severity of these issues, we worked to investigate their impact and exploitability and then produced internal proofs of concept for each of them. We also worked with the maintainer of DNSMasq, Simon Kelley, to produce appropriate patches and mitigate the issue.”
Since all of the issues have been patched, Google has released the Proof-of-Concept exploit code for each of the bugs they found. Of them, three would have allowed a user to execute code remotely, and three others would have made it possible to commandeer a device so it could be used in a denial of service attack.
If you use DNSMasq, be sure you update your software to version 2.78 or later so that you’re using a version which contains the bug fixes. For Google’s part, they issued an update on Sept. 5, 2017 that fixes the issue on any Android device running the software.