Vulnerability Note VU#550620
Multicast DNS (mDNS) implementations may respond to unicast queries originating outside the local link
Multicast DNS implementations may respond to unicast queries that originate from sources outside of the local link network. Such responses may disclose information about network devices or be used in denial-of-service (DoS) amplification attacks.
Multicast DNS (mDNS) is a way for devices on a local link network to automatically discover other services and devices. In some implementations of mDNS, the mDNS server replies to unicast queries from outside the link local network (e.g., the WAN). This mDNS response may result in information disclosure of devices on the network. Furthermore, the information returned in the response is greater in size than the query and may be used for denial-of-service (DoS) amplification.
RFC 6762 Section 5.5 states the following:
An mDNS response to a unicast query originating outside of the local link network may result in information disclosure, such as disclosing the device type/model that responds to the request or the operating system running such software. The mDNS response may also be used to amplify denial of service attacks against other networks.
Block inbound and outbound mDNS on the WAN
Disable mDNS services
Vendor Information (Learn More)
Despite attempts to analyze scan results, it is not entirely clear exactly which software responds to mDNS queries. Vendors have been alerted, but currently only a small number of devices have been confirmed to respond to unicast queries from the WAN. In Linux, the Avahi software is also known to allow unicast queries.
|Vendor||Status||Date Notified||Date Updated|
|Avahi mDNS||Affected||-||31 Mar 2015|
|Canon||Affected||10 Feb 2015||08 Apr 2015|
|Hewlett-Packard Company||Affected||10 Feb 2015||20 Mar 2015|
|IBM Corporation||Affected||10 Feb 2015||31 Mar 2015|
|Synology||Affected||10 Feb 2015||31 Mar 2015|
|Cisco Systems, Inc.||Not Affected||10 Feb 2015||31 Mar 2015|
|Citrix||Not Affected||10 Feb 2015||25 Mar 2015|
|D-Link Systems, Inc.||Not Affected||10 Feb 2015||20 Mar 2015|
|F5 Networks, Inc.||Not Affected||10 Feb 2015||31 Mar 2015|
|Microsoft Corporation||Not Affected||10 Feb 2015||09 Mar 2015|
|Ricoh Company Ltd.||Not Affected||10 Feb 2015||15 May 2015|
|Apple||Unknown||10 Feb 2015||10 Feb 2015|
|CentOS||Unknown||10 Feb 2015||10 Feb 2015|
|Debian GNU/Linux||Unknown||10 Feb 2015||10 Feb 2015|
|Dell Computer Corporation, Inc.||Unknown||10 Feb 2015||10 Feb 2015|
CVSS Metrics (Learn More)
Thanks to Chad Seaman for reporting this vulnerability and assisting in coordination with vendors.
This document was written by Garret Wassermann.
- CVE IDs: Unknown
- Date Public: 31 Mar 2015
- Date First Published: 31 Mar 2015
- Date Last Updated: 15 May 2015
- Document Revision: 75
If you have feedback, comments, or additional information about this vulnerability, please send us email.