Multicast DNS (mDNS) implementations may respond to unicast queries originating outside the local link
Vulnerability Note VU#550620
Original Release Date: 2015-03-31 | Last Revised: 2015-05-15
Multicast DNS implementations may respond to unicast queries that originate from sources outside of the local link network. Such responses may disclose information about network devices or be used in denial-of-service (DoS) amplification attacks.
Multicast DNS (mDNS) is a way for devices on a local link network to automatically discover other services and devices. In some implementations of mDNS, the mDNS server replies to unicast queries from outside the link local network (e.g., the WAN). This mDNS response may result in information disclosure of devices on the network. Furthermore, the information returned in the response is greater in size than the query and may be used for denial-of-service (DoS) amplification.
"In specialized applications there may be rare situations where it makes sense for a Multicast DNS querier to send its query via unicast to a specific machine. When a Multicast DNS responder receives a query via direct unicast, it SHOULD respond as it would for "QU" questions, as described above in Section 5.4. Since it is possible for a unicast query to be received from a machine outside the local link, responders SHOULD check that the source address in the query packet matches the local subnet for that link (or, in the case of IPv6, the source address has an on-link prefix) and silently ignore the packet if not.
There may be specialized situations, outside the scope of this document, where it is intended and desirable to create a responder that does answer queries originating outside the local link."
While unicast queries originating from outside the local link are not specifically disallowed, RFC 6762 recommends to ignore any such packets. Some implementations of mDNS do however respond to unicast queries originating outside the local link, possibly for specialized use cases beyond the scope of RFC 6762.
In these circumstances, the mDNS response to a query from outside the local link allows for information disclosure about devices on the network, such as model number and operating system.
Additionally, the mDNS response to a query from outside the local link may be used for denial of service amplification attacks, due to the larger response size compared to the query size.
More information can be found in security researcher's blog.
An mDNS response to a unicast query originating outside of the local link network may result in information disclosure, such as disclosing the device type/model that responds to the request or the operating system running such software. The mDNS response may also be used to amplify denial of service attacks against other networks.
Block inbound and outbound mDNS on the WAN
If such mDNS behavior is not a requirement for your organization, consider blocking the mDNS UDP port 5353 from entering or leaving your local link network.
Disable mDNS services
Some software and devices may allow disabling of the mDNS services. Please consult with the vendor of your product.
Despite attempts to analyze scan results, it is not entirely clear exactly which software responds to mDNS queries. Vendors have been alerted, but currently only a small number of devices have been confirmed to respond to unicast queries from the WAN. In Linux, the Avahi software is also known to allow unicast queries.
Listed below are vendors that are affected, in the sense that their software or devices by default can respond to unicast queries from outside the link local network. While this technically follows established RFCs and is not a vulnerability in the normal sense, for reasons outlined above this may be unwanted behavior. If you are aware of a software or device that responds to mDNS unicast queries from outside the local link, please contact us.
Notified: February 10, 2015 Updated: March 20, 2015
Statement Date: March 20, 2015
No statement is currently available from the vendor regarding this vulnerability.
Previous generations of HP printing products may use an implementation of mDNS for device discovery on the network which allows detection outside the local network segment. While this implementation is not recommended by RFC 6762 Section 5.5, it is allowed within the specification. HP’s networking infrastructure for its current device fleet uses an Apple Bonjour implementation with Bonjour.
For customers concerned with mDNS use on their network, HP recommends filtering mDNS on UDP Port 5353 at the network perimeter. If desired the customer can manually disable mDNS on supported products using the embedded web server (EWS) configuration functionality (such as the Color LaserJet 4700, Figure A), however this may impact device discovery features including AirPrint, Mopria, and Google Cloud Print 2.0.