Sid 1-47881

Message

PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt

Summary

This event is generated when a dnsmasq add_pseudoheader memory leak attempt is detected.

Impact

Attempted Denial of Service

CVE-2017-14495:

CVSS base score 7.5

CVSS impact score 3.6

CVSS exploitability score 3.9

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Detailed information

CVE-2017-14495: Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service (memory consumption) via vectors involving DNS response creation.
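An added example, not part of the rule documentation or of dnsmasq: a Python check for the two preconditions the CVE text gives (a version before 2.78 and one of the three options enabled). The function names and the sample configuration are constructed for illustration, and the version comparison is an assumption that cannot see fixes backported by a distribution.

```python
import re

# Options the CVE text names as the precondition for the leak.
RISKY_OPTIONS = {"add-mac", "add-cpe-id", "add-subnet"}
FIXED_VERSION = (2, 78)  # "dnsmasq before 2.78" is affected

# Constructed sample dnsmasq.conf body (not taken from any real host).
SAMPLE_CONF = """\
interface=eth0
add-subnet=24,96
#add-mac
"""


def parse_version(banner):
    """Extract (major, minor) from `dnsmasq --version` output or a bare version."""
    m = re.search(r"(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no version number found in %r" % banner)
    return int(m.group(1)), int(m.group(2))


def risky_options(config_text="", argv=()):
    """Return the risky options enabled in a config body or on the command line."""
    found = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line and line.split("=", 1)[0].strip() in RISKY_OPTIONS:
            found.add(line.split("=", 1)[0].strip())
    for arg in argv:
        name = arg[2:].split("=", 1)[0] if arg.startswith("--") else ""
        if name in RISKY_OPTIONS:
            found.add(name)
    return sorted(found)


def assess(banner, config_text="", argv=()):
    """Flag a host only when both conditions from the CVE text hold."""
    version = parse_version(banner)
    opts = risky_options(config_text, argv)
    return {"version": version, "options": opts,
            "exposed": version < FIXED_VERSION and bool(opts)}


if __name__ == "__main__":
    print(assess("Dnsmasq version 2.77", SAMPLE_CONF))
```

A host reported as exposed should be confirmed against the vendor's package changelog before the result is acted on.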

Affected systems

  • thekelleys dnsmasq 2.77
  • canonical ubuntu_linux 14.04
  • canonical ubuntu_linux 16.04
  • canonical ubuntu_linux 17.04
  • debian debian_linux 7.0
  • debian debian_linux 7.1
  • debian debian_linux 9.0
  • redhat enterpriselinuxdesktop 7.0
  • redhat enterpriselinuxserver 7.0
  • redhat enterpriselinuxworkstation 7.0

Ease of attack

CVE-2017-14495:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html