In October 2017, vulnerabilities were published for Dnsmasq, a lightweight DNS forwarder. These following vulnerabilities that affect the data-plane DNS services of A10 EX Series products are addressed in this document. End of Life Notices  were issued for EX Series products between 2010 and 2015.
|Item #||Vulnerability ID||Score Source||Score||Summary|
|1||CVE-2017-13704||CVSS 3.0||7.5 High||dnsmasq: Size parameter overflow via large DNS query |
|2||CVE-2017-14491||CVSS 3.0||9.8 Critical||dnsmasq: heap overflow in the code responsible for building DNS replies |
The table below indicates releases of EX Series software exposed to these vulnerabilities and EX Series software releases that address them. EX Series release families not indicated below are unaffected by these vulnerabilities.
Customers using affected EX Series releases can overcome vulnerability exposures by updating to the indicated resolved release. If the table does not list a corresponding resolved or unaffected release, then no EX Series release update is currently available.
|Releases Affected||Releases Resolved or Unaffected|
2.2.0 – 2.2.1
- none -
3.0.0 – 3.0.2
- none -
3.1.0 – 3.1.0 Update 4
- none -
3.2.0 – 3.2.0 Update 2
- none -
Apply the following alternate workarounds as mitigations for these vulnerabilities.
1. If all DNS requests/replies that relate to "inbound" traffic are forwarded by the EX system, disable DNS services in the EX system with the following EX configuration operations.
2. If the EX DNS service is configured to only resolve domains used by inbound LLB, ensure that the service is not configured to work as a DNS proxy with the following EX configuration operations.
3. Use DNS Servers under the company's control that are deemed to be trusted (safe) and not a potential source of malicious, crafted DNS responses such as involved with this vulnerability.
Software updates that address these vulnerabilities are or will be published at the following URL:
The following table shares brief descriptions for the vulnerabilities addressed in this document.
|Vulnerability ID||Vulnerability Description|
In dnsmasq before 2.78, if the DNS packet size does not match the expected size, the size parameter in a memset call gets a negative value. As it is an unsigned value, memset ends up writing up to 0xffffffff zero's (0xffffffffffffffff in 64 bit platforms), making dnsmasq crash.
Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response.
October 09, 2018
© Copyright 2018 A10 Networks, Inc. All Rights Reserved.
This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability, non-infringement or fitness for a particular use. Your use of the information in this document or materials linked from this document is at your own risk. A10 Networks, Inc. reserves the right to change or update the information in this document at any time.