Products Affected: AER31x0, AER2100, AER16x0, IBR11x0, IBR9x0, IBR6x0, IBR6x0B, IBR6x0C, IBR350, CBA850, and MBR1200B.
Cradlepoint was notified of critical security vulnerabilities discovered in the dnsmasq network service (CVE-2017-14491 and others). In response, Cradlepoint has taken steps to incorporate dnsmasq version 2.78 into its latest NetCloud OS.
If exploited, this vulnerability could allow attackers to remotely execute code, forward the contents of process memory, or disrupt service on an affected router. As described in various sources, this flaw is difficult to trigger: it requires an attacker who controls a specific domain to send DNS requests to dnsmasq that cause it to cache replies from that domain. By carefully constructing DNS requests and responses, the attacker could cause an internal buffer overflow in dnsmasq using attacker-influenced content.
More details can be found here: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html.
Cradlepoint recommends customers immediately upgrade products to the upcoming NetCloud OS versions (available 10/30/17) to mitigate this vulnerability. All router products are affected, including:
• AER3100 / AER3150
• AER1600 / AER1650
• IBR1100 / IBR1150
• IBR900 / IBR950
• IBR600 / IBR650
• IBR600B / IBR650B
• IBR600C / IBR650C
NOTE: Routers used in default configuration were not exposed on their WAN interfaces. Routers were exposed to their Local Network, including the Guest LAN (if enabled).
NetCloud Manager has been patched for all its own affected services. Usernames and passwords are not at risk.
NetCloud OS Patch
6.4.2 (Available 10/30/17) – All products listed above
6.4.3 (Available 12/11/17) – IBR900/IBR950 – FIPS
Remote NetCloud OS Upgrades
For remote devices, Cradlepoint recommends using NetCloud Manager to upgrade NetCloud OS, manage networks intelligently, and avoid costly truck rolls. If you haven’t deployed NetCloud Manager, you can start a free 30-day trial of NetCloud Manager today.
Local NetCloud OS Upgrades
For information on updating NCOS locally on the Cradlepoint, please consult the articles below.
Interim Mitigation Until NetCloud OS Release
Because malicious tools could be used to obtain passwords during this period, Cradlepoint recommends the following steps to protect your network during the interim:
- Disable Guest Access via the NETWORKING > Local Networks > Local IP Networks tab.
Once NetCloud OS 6.4.2 or 6.4.3 is Available
1. Upgrade to the latest NetCloud OS version
2. Re-enable Guest Access if it was disabled
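
One way to triage a device inventory against the patch versions and interim step above (an added example, not Cradlepoint code). The CSV columns, sample rows and status labels are constructed assumptions, as is reading the 6.4.3 line as the fixed version for FIPS IBR900/IBR950 units.

```python
import csv
import io
import re

# Model families as written in the advisory; "x" stands for one digit.
AFFECTED = ["AER31x0", "AER2100", "AER16x0", "IBR11x0", "IBR9x0", "IBR6x0",
            "IBR6x0B", "IBR6x0C", "IBR350", "CBA850", "MBR1200B"]
AFFECTED_RE = [re.compile(m.replace("x", r"\d")) for m in AFFECTED]
FIXED = (6, 4, 2)        # NetCloud OS patch for the listed products
FIXED_FIPS = (6, 4, 3)   # assumption: IBR900/IBR950 FIPS units need 6.4.3

# Constructed inventory; column names are hypothetical, not a NetCloud Manager export.
SAMPLE = """name,model,ncos_version,fips,guest_lan
store-01,IBR650B,6.4.1,no,enabled
store-02,AER3150,6.4.2,no,enabled
vehicle-07,IBR900,6.4.2,yes,disabled
kiosk-03,IBR350,6.3.4,no,disabled
lab-01,XYZ100,1.0,no,disabled
"""

def parse_version(text):
    """'6.4' -> (6, 4, 0): pad short versions to three parts before comparing."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(row):
    model = row["model"].strip().upper()
    if not any(r.fullmatch(model) for r in AFFECTED_RE):
        return "not-listed"
    fips = row["fips"].strip().lower() == "yes"
    needed = FIXED_FIPS if fips and model in ("IBR900", "IBR950") else FIXED
    if parse_version(row["ncos_version"]) >= needed:
        return "patched"
    # Unpatched: the interim step is to disable Guest Access until the upgrade.
    if row["guest_lan"].strip().lower() == "enabled":
        return "upgrade+disable-guest"
    return "upgrade"

def triage_inventory(csv_text):
    return {r["name"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE).items():
        print(f"{name:12} {status}")
```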