Zyxel security advisory for dnsmasq vulnerabilities


Zyxel is aware of the recently disclosed vulnerabilities of dnsmasq, as identified in US-CERT vulnerability note VU#973527 with vulnerability IDs CVE-2017-14491 through CVE-2017-14496 and CVE-2017-13704, as listed in table 1.



What are the vulnerabilities?

Dnsmasq is a piece of open-source software widely used in Android, Linux and a variety of networking equipment operating systems. The vulnerabilities are present in dnsmasq version 2.77 and earlier; version 2.78 of dnsmasq has been released to address these vulnerabilities.


Table 1

| CVE ID | Vulnerability type | Protocol |
|---|---|---|
| CVE-2017-14491 | Heap-based Buffer Overflow | DNS |
| CVE-2017-14492 | Heap-based Buffer Overflow | DHCP |
| CVE-2017-14493 | Stack-based Buffer Overflow | DHCP |
| CVE-2017-14494 | Information Exposure | DHCP |
| CVE-2017-14495 | Uncontrolled Resource Consumption (resource exhaustion) | |
| CVE-2017-14496 | Integer Underflow | DNS |
| CVE-2017-13704 | Integer Underflow | DNS |


Please see: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html for more technical information.


How are Zyxel resolving the vulnerabilities?

At Zyxel we treat security as a top priority. We have conducted a thorough investigation and identified the vulnerable products that are within their warranty and support period, as shown in table 2 below. Products not listed are not affected because they do not make use of dnsmasq.

We are now deploying or backporting the latest version of dnsmasq (version 2.78) into the vulnerable products.

Please refer to table 2 for the detailed release schedule. Please contact your local Zyxel support team to get the patch firmware file.


Table 2

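| Product | Series/Model | Patch firmware version | Availability |
|---|---|---|---|
| DSL CPE | AMG1302-T11C | ABCG12C0 | Feb 2018 |
| DSL CPE | VMG1312-B10A | AAJZ14C0 | Jan 2018 |
| DSL CPE | VMG1312-B10D | V5.13(AAXA.7) | Dec 2017 |
| DSL CPE | VMG1312-B30A | AATO9C0 | Jan 2018 |
| DSL CPE | VMG3312-T series | ABFX1C0 | Dec 2017 |
| DSL CPE | VMG3625-T series | ABIE1C0 | Oct 2017 |
| DSL CPE | VMG3925-B10B | AAVF10C0 | Dec 2017 |
| DSL CPE | VMG3926-B10A | AAVF10C0 | Dec 2017 |
| DSL CPE | VMG5313-B10B | V5.13(AAYY.6) | Dec 2017 |
| DSL CPE | VMG8823-B10B | V5.13(ABEJ.2) | Dec 2017 |
| DSL CPE | VMG8823-B30B | V5.13(ABEJ.2) | Dec 2017 |
| DSL CPE | VMG8823-B50B | V5.13(ABEJ.2) | Dec 2017 |
| DSL CPE | VMG8823-B60B | V5.13(ABEJ.2) | Dec 2017 |
| DSL CPE | | AAKL20C0 | Jan 2018 |
| DSL CPE | VMG8924-B10D | V5.13(ABGQ.1) | Dec 2017 |
| DSL CPE | VMG8924-B30A | AAPQ14C0 | Jan 2018 |
| DSL CPE | VMG8924-B30D | V5.13(ABGP.1) | Jan 2018 |
| DSL CPE | XMG3512-B series | ABDR1C0 | Mar 2018 |
| DSL CPE (Gemini) | Gateway 4006. 2017 | | |
| DSL CPE (Gemini) | Speedlink 5501/65014. 2017 | | |
| DSL CPE (Gemini) | Speedlink 55027. 2017 | | |
| DSL CPE (Gemini) | VMG5304 | 8.39.3 | 27-Oct 2017 |
| DSL CPE (Gemini) | VMG8029 | 10.39.3 | 20-Oct 2017 |
| DSL CPE (Gemini) | VMG8546 | 9.39.3 | 20-Oct 2017 |
| Ethernet gateway | EMG2306 | V1.00(AAJM.5)C0 | Dec 2017 |
| Ethernet gateway | EMG2926 | V1.00(AAVK.6)C0 | Oct 2017 |
| Ethernet gateway | EMG3425 | V1.00(AAYJ.11)C0 | Dec 2017 |
| GPON ONT | PMG5317-T20A | V521ABCI4C0 | 30-Nov 2017 |
| GPON ONT | PMG5317-T20B | V540ABKI1C0 | 30-Nov 2017 |
| Home router | NBG6515 | V1.00(AXS.5)C0 | Feb 2018 |
| Home router | NBG6604 | V1.00(ABIR.2)C0 | Feb 2018 |
| Home router | NBG6617 | V1.00(ABCT.6)C0 | Feb 2018 |
| Home router | NBG6815 | V1.00(ABBP.7)C0 | Apr 2018 |
| Home router | NBG6816 | V1.00(AAWB.10)C0 | Dec 2017 |
| Home router | NBG6817 | V1.00(ABCS.8)C0 | Apr 2018 |
| LTE CPE | LTE4506-M606 | V1.00(ABDO.3)C0 | 15-Dec 2017 |
| LTE CPE | LTE7410 | V2.60(ABAW.6)C0 | Feb 2018 |
| LTE CPE | LTE7460 | V1.00(ABFR.4)C0 | 20-Dec 2017 |
| LTE CPE | WAH7706 | V1.00(ABBC.8)C0 | 22-Dec 2017 |
| Wi-Fi system | WSQ50 | V1.00(ABKJ.2)C0 | 10-Nov 2017 |
| Wireless extender | WAP6806 | V1.00(ABAL.6)C0 | 18-Feb 2018 |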


What should I do now to protect against the vulnerabilities?

The following short-term mitigations could be put in place to remove or reduce the threat:

  • For ISP customers, the ISP’s DNS server filters all DNS responses to check for malicious code.
  • The Zyxel CPE is reconfigured so that it does not act as the DNS server for LAN-side DHCP clients, by issuing the DNS servers as “obtained from ISP” or as static DNS IPs. Note that this mitigation is only applicable to VDSL and LTE models.
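
A client-side check for the second mitigation, as an added example that is not part of Zyxel's advisory: it reads resolv.conf-format text and reports whether DHCP still hands out the CPE (the default gateway) as DNS server. The function names and sample addresses are constructed for illustration, and the comparison covers the IPv4 default gateway only.

```shell
#!/bin/sh
# Added example (not Zyxel code): run on a LAN client after the CPE has been
# reconfigured, to confirm that DHCP no longer issues the CPE as DNS server.

# Print the IPv4 default gateway from `ip -4 route show default` text on stdin.
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Classify each nameserver in resolv.conf-format text on stdin.
# usage: check_dns_mitigation GATEWAY_IP < /etc/resolv.conf
# Exit status: 0 = no resolver is the CPE (mitigation appears applied)
#              1 = the CPE is still a resolver (its dnsmasq still answers DNS)
#              2 = cannot tell: no nameserver lines, or only a loopback stub
#                  (e.g. systemd-resolved on 127.0.0.53) hiding the upstream;
#                  inspect the stub's upstream, e.g. with `resolvectl status`.
check_dns_mitigation() {
    awk -v gw="$1" '
        $1 == "nameserver" && NF >= 2 {
            seen = 1
            if ($2 == gw)                          { print "CPE " $2;  cpe = 1 }
            else if ($2 ~ /^127\./ || $2 == "::1") { print "STUB " $2; stub = 1 }
            else                                   { print "OK " $2 }
        }
        END { exit (cpe ? 1 : ((stub || !seen) ? 2 : 0)) }
    '
}

# Constructed sample input (not captured from a real device): the client was
# issued the CPE itself plus one external resolver.
SAMPLE_ROUTE='default via 192.168.1.1 dev eth0 proto dhcp metric 100'
SAMPLE_RESOLV='# constructed sample
nameserver 192.168.1.1
nameserver 203.0.113.53'

gw=$(printf '%s\n' "$SAMPLE_ROUTE" | default_gateway)
printf '%s\n' "$SAMPLE_RESOLV" | check_dns_mitigation "$gw" ||
    echo "check_dns_mitigation exit status: $?"

# Live use on a Linux client:
#   gw=$(ip -4 route show default | default_gateway)
#   check_dns_mitigation "$gw" < /etc/resolv.conf
```

Clients keep the DNS servers from their current lease, so renew the DHCP lease before running the check.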

For more information and technical details regarding the vulnerabilities please see below references:


Please contact your local service representatives if you require further information or assistance. To report a vulnerability, please contact security@zyxel.com.tw