search menu icon-carat-right cmu-wordmark

CERT Coordination Center

mDNSResponder contains multiple memory-based vulnerabilities

Vulnerability Note VU#143335

Original Release Date: 2016-06-20 | Last Revised: 2016-06-20

Overview

mDNSResponder provides unicast and multicast mDNS services on UNIX-like operating systems such as OS X. mDNSResponder version 379.27 and above prior to version 625.41.2 is vulnerable to several buffer overflow vulnerabilities, as well as a null pointer dereference.

Description

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2015-7987

Improper bounds checking in "GetValueForIPv4Addr()", "GetValueForMACAddr()", "rfc3110_import()", and "CopyNSEC3ResourceRecord()" functions may allow an attacker to read or write memory.

CWE-476: NULL Pointer Dereference - CVE-2015-7988

Improper input validation in "handle_regservice_request()" may allow an attacker to execute arbitrary code or cause a denial of service.

Apple has also issued a security advisory for these issues.

mDNSResponder-379.27 and later before mDNSResponder-625.41.2 are vulnerable to both issues. The CVSS score below is based on CVE-2015-7987.

Impact

A remote attacker may be able to execute arbitrary code or cause a denial of service on the system running mDNSResponder.

Solution

Apply an update

mDNSResponder 625.41.2 has been released to address these issues. Affected users should update as soon as possible.

Vendor Information

143335
 
Affected   Unknown   Unaffected

Android Open Source Project

Notified:  November 03, 2015 Updated:  January 27, 2016

Statement Date:   January 27, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Android is affected by CVE-2015-7988; fix targeted for next major build of Android (Android N).

Apple

Notified:  October 16, 2015 Updated:  October 23, 2015

Statement Date:   October 16, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Arista Networks, Inc.

Notified:  January 22, 2016 Updated:  February 15, 2016

Statement Date:   February 12, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CoreOS

Notified:  January 22, 2016 Updated:  January 25, 2016

Statement Date:   January 23, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project

Notified:  October 23, 2015 Updated:  January 22, 2016

Statement Date:   January 22, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox

Notified:  January 22, 2016 Updated:  January 25, 2016

Statement Date:   January 22, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel Corporation

Notified:  January 22, 2016 Updated:  January 25, 2016

Statement Date:   January 25, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc.

Notified:  October 23, 2015 Updated:  January 22, 2016

Statement Date:   January 22, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

AT&T

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Alcatel-Lucent

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Arch Linux

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Aruba Networks

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Avaya, Inc.

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Belkin, Inc.

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Blue Coat Systems

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CA Technologies

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CentOS

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Check Point Software Technologies

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Cisco

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

D-Link Systems, Inc.

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DesktopBSD

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DragonFly BSD Project

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

EMC Corporation

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

EfficientIP SAS

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Enterasys Networks

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ericsson

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Extreme Networks

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

F5 Networks, Inc.

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Force10 Networks

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

FreeBSD Project

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Gentoo Linux

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Google

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hardened BSD

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hewlett-Packard Company

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hitachi

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Huawei Technologies

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM Corporation

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM eServer

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Internet Systems Consortium

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Internet Systems Consortium - DHCP

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Juniper Networks

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Lenovo

Notified:  June 15, 2016 Updated:  June 15, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Mandriva S. A.

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

McAfee

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Microsoft Corporation

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NEC Corporation

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NetBSD

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nokia

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nominum

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OmniTI

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenBSD

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenDNS

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Oracle Corporation

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

PC-BSD

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Peplink

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Q1 Labs

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

QNX Software Systems Inc.

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SUSE Linux

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SafeNet

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Secure64 Software Corporation

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Slackware Linux Inc.

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SmoothWall

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Snort

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sony Corporation

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sourcefire

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Symantec

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

TippingPoint Technologies Inc.

Notified:  March 25, 2016 Updated:  March 25, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Turbolinux

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ubuntu

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Unisys

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

VMware

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Wind River

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

ZyXEL

Notified:  January 22, 2016 Updated:  January 22, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

dnsmasq

Notified:  March 22, 2016 Updated:  March 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

m0n0wall

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

openSUSE project

Notified:  October 23, 2015 Updated:  October 23, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

View all 79 vendors View less vendors


CVSS Metrics

Group Score Vector
Base 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal 5.3 E:POC/RL:OF/RC:C
Environmental 4 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Apple for reporting this issue to us and working with us to coordinate the fix with vendors.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-7987, CVE-2015-7988
Date Public: 2016-06-20
Date First Published: 2016-06-20
Date Last Updated: 2016-06-20 23:38 UTC
Document Revision: 82

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.