Dnsmasq Security Update
Products Affected: AER31x0, AER2100, AER16x0, IBR11x0, IBR9x0, IBR6x0, IBR6x0B, IBR6x0C, IBR350, CBA850, and MBR1200B. Click here to identify your router.
Cradlepoint was notified of critical security vulnerabilities discovered in the dnsmasq network service (CVE-2017-14491 and others); in response Cradlepoint has taken steps to incorporate the dnsmasq version 2.78 into its latest NetCloud OS.
If exploited, this vulnerability could allow attackers to remotely execute code, forward the contents of process memory, or disrupt service on an affected router. As described in various sources, this flaw is difficult to trigger, requiring an attacker who controls a specific domain to send DNS requests to dnsmasq requiring it to cache replies from that domain. Through carefully constructing DNS requests and responses, dnsmasq could cause an internal buffer overflow using content influenced by the attacker.
More details can be found here: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html.
Cradlepoint recommends customers immediately upgrade products to the upcoming NetCloud OS versions (available 10/30/17) to mitigate this vulnerability. All router products are affected, including:
• AER3100 / AER3150
• AER1600 / AER1650
• IBR1100 / IBR1150
• IBR900 / IBR950
• IBR600 / IBR650
• IBR600B / IBR650B
• IBR600C / IBR650C
NOTE: Routers used in default configuration were not exposed on their WAN interfaces. Routers were exposed to their Local Network, including the Guest LAN (if enabled).
NetCloud Manager has been patched for all its own affected services. Usernames and passwords are not at risk.
NetCloud OS Patch
6.4.2 (Available 10/30/17) – All products listed above
6.4.3 (Available 12/11/17) - IBR900/IBR950 - FIPS
Remote NetCloud OS Upgrades
For remote devices, Cradlepoint recommends using NetCloud Manager to upgrade NetCloud OS, manage networks intelligently, and avoid costly truck rolls. If you haven’t deployed NetCloud Manager, you can start a free 30-day trial of NetCloud Manager today.
Local NetCloud OS Upgrades
For information on updating NCOS locally on the Cradlepoint please consult the below articles.
NCOS: Automatic NetCloud OS Update
NCOS: How to update the NCOS of a Cradlepoint router.
Interim Mitigation Until NetCloud OS Release
Because malicious tools could be used to obtain passwords during this period, Cradlepoint recommends the following steps to protect your network during the interim:
- Disable Guest Access via the NETWORKING > Local Networks > Local IP Networks tab.
Once NetCloud OS 6.4.2 or 6.4.3 is Available
1. Upgrade to the latest NetCloud OS version
2. Re-enable Guest Access if it was disabled
At Cradlepoint, protecting your network is our first priority. We will continue to monitor this situation and provide updates as appropriate.
Should you have any further questions, please contact Support by opening a case at https://portal.cradlepoint.com.
Published Date: 10/6/17
This article not have what you need? Not find what you were looking for? Think this article can be improved? Please let us know at firstname.lastname@example.org.