Posted to users@cloudstack.apache.org by Felipe Arturo Polanco <fe...@gmail.com> on 2017/10/10 18:37:38 UTC

Dnsmasq exploit, VR vulnerable?

Hello,

Researchers have found an exploit in dnsmasq code which allows code
execution. I was wondering if the Virtual Router uses Dnsmasq for DHCP
assignment, and also how we can protect it from being exploited.

Will there be a new System VM with patches applied? Or can we just apt-get
update the VR and the patch will be applied?

Thanks,

Re: Dnsmasq exploit, VR vulnerable?

Posted by Rafael Weingärtner <ra...@autonomiccs.com.br>.
The Dnsmasq security problem announced in [1] affects Apache CloudStack 
(ACS) virtual routers (VRs). The steps for upgrading are as follows.

  * For each type of hypervisor in use in the cloud, you should check the
    template in use. The parameter that indicates the template in use
    is router.template.<Hypervisor>. Thus, if you want to check the
    template in use for XenServer, the parameter to be checked is
    router.template.xenserver. This parameter holds the name of the
    template that is used by ACS to instantiate a VR.
  * After identifying the templates, you must download them and start
    them in a player like VirtualBox. To access the templates, the user
    is "root" and the password is "password".
  * With the VM running on the player (e.g. VirtualBox), run:
    `aptitude update; aptitude install dnsmasq`
  * After that, you must load (register) the updated templates in ACS
    again. In the registration process it is necessary to mark the
    templates with type "routing", and the "HVM" option must be
    deselected. In addition, you should not make this template public or
    featured.
  * With the new templates in ACS, you should change the parameters
    "router.template.<Hypervisor>" to reflect the name of the newly
    updated template.

Doing that, the VR template will be updated with the Dnsmasq 2.62-3+deb7u4
package that contains the fix for the problem reported in [1].
However, this will only be valid for new VRs. To update the VRs already
running there are two possibilities: (i) destroying them and waiting
for ACS to recreate them (this generates unavailability for users' VMs),
or (ii) accessing the VRs and running
`aptitude update; aptitude install dnsmasq`.

[1] https://coreos.com/blog/dns-vulnerability-patched-in-kubernetes-and-tectonic




-- 
Rafael Weingärtner


Re: Dnsmasq exploit, VR vulnerable?

Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Felipe,

We've worked with Simon Kelley (dnsmasq author and Debian maintainer) to get a security patch for dnsmasq [1] on Debian 7 (Wheezy), which is the base of ACS 4.6-4.10+ systemvmtemplates.

As Rafael mentioned, you can in the meantime apt-get update+install dnsmasq and restart the service on your existing VRs. There is no change required in CloudStack to mitigate the issue; we are working on an advisory and new systemvmtemplates that should be made public soon.


[1] https://packages.debian.org/wheezy/dnsmasq


Regards.
