Posted by chizhik-pyzhik 17 hours ago

CERT is releasing six CVEs for serious security vulnerabilities in dnsmasq (lists.thekelleys.org.uk)
321 points | 162 comments | page 2
sailfast 7 hours ago
"hopefully they will be releasing patched versions of their dnsmasq packages in a timely manner."

Hopefully!

thenickdude 7 hours ago
LXD uses dnsmasq to provide DHCP and DNS for containers I think? Viable container escape?
1vuio0pswjnm7 9 hours ago
I never liked dnsmasq or the Pi-Hole derivation and do not use it, but many people seem to love this software. I don't think there is any amount of CVEs that could convince people to stop using it.
PeterStuer 5 hours ago
"The tsunami of AI-generated bug reports shows no signs of stopping, so it is likely that this process will have to be repeated again soon."

But, ai-deniers are telling us there is nothing to see ...

dist-epoch 16 hours ago
How bad is it if someone infects my home router using such a thing? They can MITM non-encrypted requests, but there are not a lot of those, right?

What else can they do, assuming the computers behind the router are all patched up?

zrm 15 hours ago
They can block traffic to update servers so the computers behind the router aren't all patched up, then exploit them. They also get access to all the IoT devices on the internal network. They can also use your router as a proxy so their scraping/attack traffic comes from your IP address instead of theirs.

It's definitely bad.

PhilipRoman 15 hours ago
If you blindly TOFU ssh sessions, those can be pwned easily in many common use cases. Legacy software configurations like NFS with IP authentication will be bypassed. Realistically, the most likely scenario is using your home as a VPN or a DDoS node.
raggi 13 hours ago
yeah, and it's not like people recently launched a coffee shop that accepts payments over tofu ssh and a shell provider doing the same
Asmod4n 15 hours ago
They could try and exploit any device on your network, and since they see which servers you connect to and how often you communicate with one, they can write phishing mails which are tailored just for you.
xydac 16 hours ago
Some of these would have made it into embedded hardware, making updates more challenging if, say, you were to flash an update.
rela-12w987 15 hours ago
The AI bug report tsunami is not in all projects. As the top comment notes, MaraDNS didn't have any. I assume djbdns and tinydns didn't either, otherwise they'd shout it from the rooftops.

I never understood why some projects get extremely popular and others don't. I also suspect by now that the reports by tools that are "too dangerous to release" scan all projects but selectively only contact those with issues, so that they never have to admit that their tool didn't find anything.

philipwhiuk 14 hours ago
> The AI bug report tsunami is not in all projects.

It's in popular projects.

3ASAF 13 hours ago
No, postfix hasn't had a single valid bug found by AI. There are legions of other projects as well.

It is a distorted view, because projects become popular by allowing indiscriminate commits, bugs, maintainers.

If I'd start a new project I'd allow anyone in and blog about 100 exploits every year, because that is exactly what people want. I'm serious.

ck2 16 hours ago
If machine learning can find all these holes,

why can't machine learning write a product from scratch that is flawless?

yjftsjthsd-h 16 hours ago
Who said it can't? https://news.ycombinator.com/item?id=47759709 appears to be a nearly flawless (per spec) zip implementation.
PunchyHamster 1 hour ago
The AI found no bugs in AI code.

sure buddy

tclancy 15 hours ago
Because the problem is asymmetric: the attacker only needs to find one hole at one time. The defender has to be flawless forever.
hnlmorg 15 hours ago
It’s easier to break something than it is to make something that cannot be broken.
perlgeek 15 hours ago
LLMs certainly make it more feasible to rewrite a product in a memory-safe language, eliminating a whole class of bugs.

Flawless software is hard for an LLM to write, because all the programs they have been trained on are flawed as well.

As a fun exercise, you could give a coding agent a hunk of non-trivial software (such as the Linux kernel, or postgresql, or whatever), and tell it over and over again: find a flaw in this, fix it. I'm pretty sure it won't ever tell you "now it's perfect" (and do this reproducibly).

chromacity 15 hours ago
If humans can find bugs, why can't humans write flawless code?

Whatever the answer to that conundrum might be, LLMs are trained on these patterns and replicate them pretty faithfully.

tetha 12 hours ago
How do you define flawless though?

The CVEs here have their fair share of silly C problems, but also more rigid input validation and handling. These more rigid validations exclude stuff which may even be valid by the spec, but entirely problematic in practice.

As examples, take a look at how many valid XML documents are practically considered unsafe and not parsed, for example due to recursive entity expansion. This renders the parsers not flawless and in fact not in spec.

Or, my favorite bait - there should be a maximum length limit on passwords. Why would you ever need a kilobyte sized password?

jonhohle 15 hours ago
Have you ever met a security engineer? I’ve never met one who was also a good engineer (not saying they don’t exist, I just haven’t met one). Do they find vulnerabilities? Sure. Could they write the tools they use to find vulnerabilities, most probably not.
_flux 15 hours ago
Just because something is good at finding bugs, it may not find all the bugs. Finding a bug only tells you there was one bug you found; it doesn't tell you whether the rest is solid.
duped 15 hours ago
You could argue the answer to this question depends on if you believe P=NP