
CERT Coordination Center

mDNSResponder contains multiple memory-based vulnerabilities

Vulnerability Note VU#143335

Original Release Date: 2016-06-20 | Last Revised: 2016-06-20

Overview

mDNSResponder provides unicast and multicast mDNS services on UNIX-like operating systems such as OS X. mDNSResponder versions 379.27 and later, prior to version 625.41.2, contain several buffer overflow vulnerabilities as well as a null pointer dereference.

Description

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2015-7987

Improper bounds checking in "GetValueForIPv4Addr()", "GetValueForMACAddr()", "rfc3110_import()", and "CopyNSEC3ResourceRecord()" functions may allow an attacker to read or write memory.

CWE-476: NULL Pointer Dereference - CVE-2015-7988

Improper input validation in "handle_regservice_request()" may allow an attacker to execute arbitrary code or cause a denial of service.

Apple has also issued a security advisory for these issues.

mDNSResponder-379.27 and later before mDNSResponder-625.41.2 are vulnerable to both issues. The CVSS score below is based on CVE-2015-7987.

Impact

A remote attacker may be able to execute arbitrary code or cause a denial of service on the system running mDNSResponder.

Solution

Apply an update

mDNSResponder 625.41.2 has been released to address these issues. Affected users should update as soon as possible.
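To confirm that an update has actually landed across a fleet, the version range stated in this note can be checked mechanically. The following Python script is an added example, not part of the original note or of any vendor tooling; it assumes version strings of the form `mDNSResponder-<dotted version>` or a bare dotted version, and the host names, the non-boundary sample versions and the category labels are constructed for illustration.

```python
import re

# Bounds taken from the text of VU#143335: 379.27 and later,
# before 625.41.2, are stated as vulnerable.
FIRST_AFFECTED = (379, 27)
FIRST_FIXED = (625, 41, 2)

# Accepts "mDNSResponder-625.41.2", "mDNSResponder 625.41.2" or "625.41.2".
VERSION_RE = re.compile(r"(?:mDNSResponder[-\s]*)?(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(text):
    """Return the dotted version in `text` as a tuple of ints, or None."""
    match = VERSION_RE.fullmatch(text.strip())
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def at_least(version, bound):
    """True if `version` >= `bound`, treating missing components as 0."""
    width = max(len(version), len(bound))
    padded_version = version + (0,) * (width - len(version))
    padded_bound = bound + (0,) * (width - len(bound))
    return padded_version >= padded_bound


def classify(text):
    """Classify one version string against the range stated in the note.

    Returns one of:
      "fixed"              - 625.41.2 or later
      "affected"           - 379.27 or later, but before 625.41.2
      "below-stated-range" - older than 379.27; the note makes no claim
                             about these, so they need separate review
      "unparseable"        - not a recognisable version string
    """
    version = parse_version(text)
    if version is None:
        return "unparseable"
    if at_least(version, FIRST_FIXED):
        return "fixed"
    if at_least(version, FIRST_AFFECTED):
        return "affected"
    return "below-stated-range"


def triage(inventory):
    """Group host names by classification; `inventory` maps host -> version."""
    groups = {
        "affected": [],
        "fixed": [],
        "below-stated-range": [],
        "unparseable": [],
    }
    for host in sorted(inventory):
        groups[classify(inventory[host])].append(host)
    return groups


# Constructed sample inventory (host names and most versions are made up;
# only the two boundary versions come from the note).
SAMPLE_INVENTORY = {
    "build-01": "mDNSResponder-379.27",
    "build-02": "mDNSResponder-625.41.2",
    "kiosk-07": "625.41",
    "lab-03": "mDNSResponder 320.5",
    "lab-04": "unknown",
    "ws-12": "mDNSResponder-700.1",
}

if __name__ == "__main__":
    for category, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{category}: {', '.join(hosts) or '-'}")
```

Hosts reported as `below-stated-range` or `unparseable` are not cleared by this check; the note only describes the range from 379.27 up to 625.41.2.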

Vendor Information


Android Open Source Project

Notified:  November 03, 2015 Updated:  January 27, 2016

Statement Date:   January 27, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Android is affected by CVE-2015-7988; fix targeted for next major build of Android (Android N).

Apple

Notified:  October 16, 2015 Updated:  October 23, 2015

Statement Date:   October 16, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Arista Networks, Inc.

Notified:  January 22, 2016 Updated:  February 15, 2016

Statement Date:   February 12, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CoreOS

Notified:  January 22, 2016 Updated:  January 25, 2016

Statement Date:   January 23, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project

Notified:  October 23, 2015 Updated:  January 22, 2016

Statement Date:   January 22, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox

Notified:  January 22, 2016 Updated:  January 25, 2016

Statement Date:   January 22, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel Corporation

Notified:  January 22, 2016 Updated:  January 25, 2016

Statement Date:   January 25, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc.

Notified:  October 23, 2015 Updated:  January 22, 2016

Statement Date:   January 22, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

AT&T

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Alcatel-Lucent

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Arch Linux

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Aruba Networks

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Avaya, Inc.

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Belkin, Inc.

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Blue Coat Systems

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CA Technologies

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CentOS

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Check Point Software Technologies

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Cisco

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

D-Link Systems, Inc.

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

DesktopBSD

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

DragonFly BSD Project

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

EMC Corporation

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

EfficientIP SAS

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Enterasys Networks

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Ericsson

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Extreme Networks

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

F5 Networks, Inc.

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Force10 Networks

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

FreeBSD Project

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Gentoo Linux

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Google

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hardened BSD

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hewlett-Packard Company

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hitachi

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Huawei Technologies

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

IBM Corporation

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

IBM eServer

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Internet Systems Consortium

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Internet Systems Consortium - DHCP

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Juniper Networks

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Lenovo

Notified:  June 15, 2016 Updated:  June 15, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Mandriva S. A.

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

McAfee

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Microsoft Corporation

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NEC Corporation

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NetBSD

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Nokia

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Nominum

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

OmniTI

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

OpenBSD

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

OpenDNS

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Openwall GNU/*/Linux

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Oracle Corporation

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

PC-BSD

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Peplink

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Q1 Labs

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

QNX Software Systems Inc.

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SUSE Linux

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

                                                                                                        Vendor Statement

                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                        Vendor References

                                                                                                          SafeNet

                                                                                                          Notified:  January 22, 2016 Updated:  January 22, 2016

                                                                                                          Status

                                                                                                            Unknown

                                                                                                          Vendor Statement

                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                          Vendor References

                                                                                                            Secure64 Software Corporation

                                                                                                            Notified:  March 22, 2016 Updated:  March 21, 2016

                                                                                                            Status

                                                                                                              Unknown

                                                                                                            Vendor Statement

                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                            Vendor References

                                                                                                              Slackware Linux Inc.

                                                                                                              Notified:  October 23, 2015 Updated:  October 23, 2015

                                                                                                              Status

                                                                                                                Unknown

                                                                                                              Vendor Statement

                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                              Vendor References

                                                                                                                SmoothWall

                                                                                                                Notified:  January 22, 2016 Updated:  January 22, 2016

                                                                                                                Status

                                                                                                                  Unknown

                                                                                                                Vendor Statement

                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                Vendor References

                                                                                                                  Snort

                                                                                                                  Notified:  March 22, 2016 Updated:  March 21, 2016

                                                                                                                  Status

                                                                                                                    Unknown

                                                                                                                  Vendor Statement

                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                  Vendor References

                                                                                                                    Sony Corporation

                                                                                                                    Notified:  October 23, 2015 Updated:  October 23, 2015

                                                                                                                    Status

                                                                                                                      Unknown

                                                                                                                    Vendor Statement

                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                    Vendor References

                                                                                                                      Sourcefire

                                                                                                                      Notified:  March 22, 2016 Updated:  March 21, 2016

                                                                                                                      Status

                                                                                                                        Unknown

                                                                                                                      Vendor Statement

                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                      Vendor References

                                                                                                                        Symantec

                                                                                                                        Notified:  March 22, 2016 Updated:  March 21, 2016

                                                                                                                        Status

                                                                                                                          Unknown

                                                                                                                        Vendor Statement

                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                        Vendor References

                                                                                                                          TippingPoint Technologies Inc.

                                                                                                                          Notified:  March 25, 2016 Updated:  March 25, 2016

                                                                                                                          Status

                                                                                                                            Unknown

                                                                                                                          Vendor Statement

                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                          Vendor References

                                                                                                                            Turbolinux

                                                                                                                            Notified:  October 23, 2015 Updated:  October 23, 2015

                                                                                                                            Status

                                                                                                                              Unknown

                                                                                                                            Vendor Statement

                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                            Vendor References

                                                                                                                              Ubuntu

                                                                                                                              Notified:  October 23, 2015 Updated:  October 23, 2015

                                                                                                                              Status

                                                                                                                                Unknown

                                                                                                                              Vendor Statement

                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                              Vendor References

                                                                                                                                Unisys

                                                                                                                                Notified:  October 23, 2015 Updated:  October 23, 2015

                                                                                                                                Status

                                                                                                                                  Unknown

                                                                                                                                Vendor Statement

                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                Vendor References

                                                                                                                                  VMware

                                                                                                                                  Notified:  January 22, 2016 Updated:  January 22, 2016

                                                                                                                                  Status

                                                                                                                                    Unknown

                                                                                                                                  Vendor Statement

                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                  Vendor References

                                                                                                                                    Wind River

                                                                                                                                    Notified:  January 22, 2016 Updated:  January 22, 2016

                                                                                                                                    Status

                                                                                                                                      Unknown

                                                                                                                                    Vendor Statement

                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                    Vendor References

                                                                                                                                      ZyXEL

                                                                                                                                      Notified:  January 22, 2016 Updated:  January 22, 2016

                                                                                                                                      Status

                                                                                                                                        Unknown

                                                                                                                                      Vendor Statement

                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                      Vendor References

                                                                                                                                        dnsmasq

                                                                                                                                        Notified:  March 22, 2016 Updated:  March 21, 2016

                                                                                                                                        Status

                                                                                                                                          Unknown

                                                                                                                                        Vendor Statement

                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                        Vendor References

                                                                                                                                          m0n0wall

                                                                                                                                          Notified:  October 23, 2015 Updated:  October 23, 2015

                                                                                                                                          Status

                                                                                                                                            Unknown

                                                                                                                                          Vendor Statement

                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                          Vendor References

                                                                                                                                            openSUSE project

                                                                                                                                            Notified:  October 23, 2015 Updated:  October 23, 2015

                                                                                                                                            Status

                                                                                                                                              Unknown

                                                                                                                                            Vendor Statement

                                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                            Vendor References


                                                                                                                                              CVSS Metrics

Group          Score  Vector
Base           6.8    AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal       5.3    E:POC/RL:OF/RC:C
Environmental  4      CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

                                                                                                                                              Acknowledgements

                                                                                                                                              Thanks to Apple for reporting this issue to us and working with us to coordinate the fix with vendors.

                                                                                                                                              This document was written by Garret Wassermann.

                                                                                                                                              Other Information

                                                                                                                                              CVE IDs: CVE-2015-7987, CVE-2015-7988
                                                                                                                                              Date Public: 2016-06-20
                                                                                                                                              Date First Published: 2016-06-20
                                                                                                                                              Date Last Updated: 2016-06-20 23:38 UTC
                                                                                                                                              Document Revision: 82

                                                                                                                                              Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.