Symptom
The product Cisco Mobility Services Engine includes a version of Dnsmasq that is affected by vulnerabilities disclosed on October 2nd, 2017 and identified by one or more of the following Common Vulnerabilities and Exposures (CVE) IDs:
CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496, CVE-2017-13704
Cisco has reviewed this product and concluded that it is affected by the following Common Vulnerabilities and Exposures (CVE) IDs:
CVE-2017-14491 - Dnsmasq DNS Reply Heap Buffer Overflow Vulnerability
This product is not affected by the following Common Vulnerabilities and Exposures (CVE) IDs:
CVE-2017-14492 - Dnsmasq IPv6 Router Advertisement Handling Code Heap Buffer Overflow Vulnerability
CVE-2017-14493 - Dnsmasq DHCPv6 Code Stack Buffer Overflow Vulnerability
CVE-2017-14494 - Dnsmasq DHCPv6 Relay Code Information Disclosure Vulnerability
CVE-2017-14495 - Dnsmasq EDNS0 Code Memory Exhaustion Vulnerability
CVE-2017-14496 - Dnsmasq EDNS0 Code Buffer Over-Read Vulnerability
CVE-2017-13704 - Dnsmasq Size parameter overflow via large DNS query
Conditions
Exposure is not configuration dependent.
Further Problem Description
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS score as of the time of evaluation is 9.8:
https://tools.cisco.com/security/center/cvssCalculator.x?version=3.0&vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html