#VU31907 Resource exhaustion - CVE-2019-14834

Cybersecurity Help s.r.o.

Published: 2020-01-07 | Updated: 2020-07-27

Vulnerability identifier: #VU31907

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-14834

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to cause a denial of service (memory consumption) via vectors involving DHCP response creation.

Mitigation
Install update from vendor's website.

External links
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=69bc94779c2f035a9fffdb5327a54c3aeca73ed5
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14834
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JU474LT66BHNVFG5C4GEV3VTZNAEJ3BS/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Amazon Linux AMI update for dnsmasq

Ubuntu update for dnsmasq

Red Hat Enterprise Linux 7 update for dnsmasq

Fedora 31 update for dnsmasq

Red Hat Enterprise Linux 8 update for dnsmasq

Resource exhaustion in dnsmasq (Alpine package)

OpenSUSE Linux update for dnsmasq