Security Advisory: DNSMasq Vulnerability



In October 2017, researchers studying the DNSMasq code/protocol discovered various vulnerabilities. DNSMasq is widely used in networking products, Linux distributions, embedded products, mobile phones and IoT devices.

The vulnerabilities are logged under the following references: CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496 and CVE-2017-13704.

DrayTek Products

No DrayTek products running DrayOS are affected by this issue; they do not use DNSMasq. DrayOS is our own proprietary operating system, which does not have third-party library dependencies. DrayOS is used on the majority of our products, including the Vigor 2860, 2830, 2862, 2832, 2925 and 2760 series.

Our Linux-based products (Vigor 2960 & Vigor 3900) will have updated firmware released ASAP as firmware version 1.3.2. Please download and install that as soon as it is released.

Even if your product is not affected by this issue, you should always keep your products up to date with the latest firmware, which may provide other enhancements or security improvements.

Keep up to Date via our Mailing List

It is always recommended that you keep your router and other hardware up to date with the latest firmware and read vendor mailing lists. We will advise users of any critical or important issues. UK/Irish users can join the UK mailing list.

Advice Regarding other Services / Products (non-DrayTek)

You should check the equivalent statements/advisories from all of your other networking hardware vendors and then follow the advice of each of them regarding any necessary precautions or updates.

Disclaimer: Please check this web page again for any new/updated information. You are advised to always keep your product's firmware or software up to date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information in this web page is provided in good faith based on the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.