If you are a Linux user you might want to keep an extra eye on your systems and be ready to patch — as soon as patches become available, that is. Google researchers this week made public seven vulnerabilities they uncovered in the Linux DNS software package Dnsmasq.
Why did Google security researchers go public on vulnerabilities that have yet to have a patch available? “We are writing this to disclose the issues we found and to publicize the patches in an effort to increase their uptake,” they wrote in their blog post.
What is Dnsmasq? Dnsmasq serves DNS, DHCP and other functions. It is deployed in a variety of form factors, from desktop Linux to consumer routers and IoT devices. Dnsmasq is also used in firewalls, phones, tablets, and servers.
Hopefully patches will be swiftly developed. In the chart below you see each of the vulnerabilities uncovered.
The three remote code execution vulnerabilities, CVE-2017-14491, CVE-2017-14492 and CVE-2017-14493, are of significant concern; CVE-2017-14491 is perhaps the most serious of them.
For those running affected devices, look for updates that will provide the much-needed security patches.
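As an added example (not from the article, Google's write-up or the Dnsmasq project), the following Python script shows how a defender can triage which hosts report a dnsmasq build older than the fixed release named in their vendor's advisory. The fixed version is passed on the command line rather than hard-coded, because the article does not name one; the banner format assumed is the first line of `dnsmasq --version`, and the host names and sample banners are constructed. A pre-release build such as `2.78test3` is deliberately ranked below the final `2.78`, and anything unparseable is reported as needing an update so unknown builds are not silently passed.

```python
import re
import shutil
import subprocess
import sys
from typing import Dict, Optional, Tuple

# Matches the first line of `dnsmasq --version`, e.g.
# "Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley".
# Pre-release builds are labelled like "2.78test3"; the optional group captures that.
_VERSION_RE = re.compile(r"Dnsmasq version (\d+)\.(\d+)(?:(test|rc)(\d+))?")


def parse_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn a dnsmasq version banner into a comparable tuple.

    Returns (major, minor, is_release, pre_number). A final release sorts
    above any pre-release build of the same number, so 2.78 > 2.78test3.
    Returns None when the text does not look like dnsmasq output.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, tag, pre = m.groups()
    if tag:
        return (int(major), int(minor), 0, int(pre))
    return (int(major), int(minor), 1, 0)


def is_patched(banner: str, fixed_version: str) -> bool:
    """True if the banner reports a build at or above fixed_version (e.g. "2.78").

    Unparseable input is treated as unpatched so that unknown builds are flagged
    rather than ignored.
    """
    have = parse_version(banner)
    need = parse_version("Dnsmasq version " + fixed_version)
    if have is None or need is None:
        return False
    return have >= need


# Constructed sample banners; not output captured from any real device.
SAMPLE_BANNERS: Dict[str, str] = {
    "router-lan": "Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley",
    "pi-dhcp": "Dnsmasq version 2.78test3  Copyright (c) 2000-2017 Simon Kelley",
    "vm-dns": "Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley",
    "unknown": "sh: dnsmasq: command not found",
}


def triage(banners: Dict[str, str], fixed_version: str) -> Dict[str, str]:
    """Map each host name to 'patched' or 'needs-update'."""
    return {
        host: ("patched" if is_patched(text, fixed_version) else "needs-update")
        for host, text in banners.items()
    }


def local_banner() -> str:
    """Run `dnsmasq --version` on this host, or return '' if it is not installed."""
    if shutil.which("dnsmasq") is None:
        return ""
    return subprocess.run(["dnsmasq", "--version"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: python dnsmasq_check.py <fixed-version>
    # The fixed version comes from your vendor's advisory; it is not hard-coded here.
    if len(sys.argv) != 2:
        sys.exit("usage: dnsmasq_check.py <fixed-version from your vendor advisory>")
    fixed = sys.argv[1]
    for host, state in triage(SAMPLE_BANNERS, fixed).items():
        print(f"{host:12} {state}")
    mine = local_banner()
    if mine:
        print(f"{'this host':12} {'patched' if is_patched(mine, fixed) else 'needs-update'}")
```

In practice the banner dictionary would be filled from an inventory tool or from `ssh host dnsmasq --version` across the fleet; the comparison logic stays the same. Note that distribution packages often backport fixes without changing the upstream version number, so on such systems the package changelog, not the banner, is the authoritative check.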
Those running IoT devices may find, not only with this flaw but with software flaws in IoT generally, that such devices are much more difficult to patch and keep up to date. What does someone who runs an IoT device with at-risk software do to secure it if a patch isn’t available? The short answer is not much beyond controlling who can access the device.
There’s no easy answer to securing IoT devices once they are deployed and a latent flaw has been uncovered. In January 2017, the U.S. Federal Trade Commission (FTC) announced a competition that called for the creation of technologies that enable consumers to guard against security vulnerabilities in IoT software. “The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software. Contestants have the option of adding features, such as those that would address hard-coded, factory default or easy-to-guess passwords. The prize for the competition is up to $25,000, with $3,000 available for each honorable mention winner(s),” the FTC wrote.
Over the summer the FTC announced a winner and an honorable mention in the contest. The winning idea, the IoT Watchdog, is a proposal for a mobile app that helps consumers manage their IoT devices. According to the FTC announcement of the winners, “it would allow users with limited technical expertise to scan their home Wi-Fi and Bluetooth networks to identify and inventory connected devices. It would flag devices with out-of-date software and other common vulnerabilities and provide instructions on how to update each device's software and fix other vulnerabilities.”
The runner-up PINC (Persistent Internal Network Containment) aims to segment IoT networked devices from each other on a home network. “Unlike conventional home routers that protect the inside from the outside, PINC’s goal is to sandbox all devices inside the home network so that they are protected from each other,” PINC wrote.
These are interesting potential approaches to help secure IoT, but we should expect more of the makers of IoT devices: the devices must not only ship secure, they must also be easy to maintain securely, which includes mechanisms to patch both the software the device makers write themselves and the open source software they use in their devices. If we don’t see a secure foundation such as this start to take hold, we will see a swamp of IoT devices that will be used to attack not only the owners of those devices, but everyone else connected to the Internet.