search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Multicast DNS (mDNS) implementations may respond to unicast queries originating outside the local link

Vulnerability Note VU#550620

Original Release Date: 2015-03-31 | Last Revised: 2015-05-15

Overview

Multicast DNS implementations may respond to unicast queries that originate from sources outside of the local link network. Such responses may disclose information about network devices or be used in denial-of-service (DoS) amplification attacks.

Description

Multicast DNS (mDNS) is a way for devices on a local link network to automatically discover other services and devices. In some implementations of mDNS, the mDNS server replies to unicast queries from outside the link local network (e.g., the WAN). This mDNS response may result in information disclosure of devices on the network. Furthermore, the information returned in the response is greater in size than the query and may be used for denial-of-service (DoS) amplification.

RFC 6762 Section 5.5 states the following:

"In specialized applications there may be rare situations where it
  makes sense for a Multicast DNS querier to send its query via unicast
  to a specific machine.  When a Multicast DNS responder receives a
  query via direct unicast, it SHOULD respond as it would for "QU"
  questions, as described above in Section 5.4.  
Since it is possible
  for a unicast query to be received from a machine outside the local
  link, responders SHOULD check that the source address in the query
  packet matches the local subnet for that link (or, in the case of
  IPv6, the source address has an on-link prefix) and silently ignore
  the packet if not.


   There may be specialized situations, outside the scope of this
  document, where it is intended and desirable to create a responder
  that does answer queries originating outside the local link.
"

While unicast queries originating from outside the local link are not specifically disallowed, RFC 6762 recommends to ignore any such packets. Some implementations of mDNS do however respond to unicast queries originating outside the local link, possibly for specialized use cases beyond the scope of RFC 6762.

In these circumstances, the mDNS response to a query from outside the local link allows for information disclosure about devices on the network, such as model number and operating system.

Additionally, the mDNS response to a query from outside the local link may be used for denial of service amplification attacks, due to the larger response size compared to the query size.

More information can be found in security researcher's blog.

Impact

An mDNS response to a unicast query originating outside of the local link network may result in information disclosure, such as disclosing the device type/model that responds to the request or the operating system running such software. The mDNS response may also be used to amplify denial of service attacks against other networks.

Solution

Block inbound and outbound mDNS on the WAN

If such mDNS behavior is not a requirement for your organization, consider blocking the mDNS UDP port 5353 from entering or leaving your local link network.

Disable mDNS services

Some software and devices may allow disabling of the mDNS services. Please consult with the vendor of your product.

Vendor Information

Despite attempts to analyze scan results, it is not entirely clear exactly which software responds to mDNS queries. Vendors have been alerted, but currently only a small number of devices have been confirmed to respond to unicast queries from the WAN. In Linux, the Avahi software is also known to allow unicast queries.

Listed below are vendors that are affected, in the sense that their software or devices by default can respond to unicast queries from outside the link local network. While this technically follows established RFCs and is not a vulnerability in the normal sense, for reasons outlined above this may be unwanted behavior. If you are aware of a software or device that responds to mDNS unicast queries from outside the local link, please contact us.

550620
 
Affected   Unknown   Unaffected

Avahi mDNS

Updated:  March 31, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

According to the researcher, avahi 0.6.31 may not be affected. Previous versions are known to be affected; see avahi mailing list post above.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Canon

Notified:  February 10, 2015 Updated:  April 08, 2015

Statement Date:   March 20, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The Canon MG6200 series will respond to WAN unicast queries. Canon has provided more information for securing its printers to its customers at the URL below:

Vendor References

Hewlett-Packard Company

Notified:  February 10, 2015 Updated:  March 20, 2015

Statement Date:   March 20, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Previous generations of HP printing products may use an implementation of mDNS for device discovery on the network which allows detection outside the local network segment. While this implementation is not recommended by RFC 6762 Section 5.5, it is allowed within the specification. HP’s networking infrastructure for its current device fleet uses an Apple Bonjour implementation with Bonjour.

For customers concerned with mDNS use on their network, HP recommends filtering mDNS on UDP Port 5353 at the network perimeter.  If desired the customer can manually disable mDNS on supported products using the embedded web server (EWS) configuration functionality (such as the Color LaserJet 4700, Figure A), however this may impact device discovery features including AirPrint, Mopria, and Google Cloud Print 2.0.

IBM Corporation

Notified:  February 10, 2015 Updated:  March 31, 2015

Statement Date:   February 17, 2015

Status

  Affected

Vendor Statement

"IBM i is not impacted as we do not support mDNS."

Vendor Information

IBM i does not support mDNS according to the vendor, however IBM has released an advisory for their Security Access Manager product (CVE-2015-1892 ; see URL below).

Vendor References

Synology

Notified:  February 10, 2015 Updated:  March 31, 2015

Statement Date:   February 16, 2015

Status

  Affected

Vendor Statement

This vulnerability "has been patched already since 2011 (DSM 3.1 & later versions). ... Despite of that, we will still upgrade avahi to 0.6.31 on the latest DSM 5.2 beta release and further versions."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

While recent versions do not appear vulnerable, if you are running old software, please update to the latest version.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems, Inc.

Notified:  February 10, 2015 Updated:  March 31, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Citrix

Notified:  February 10, 2015 Updated:  March 25, 2015

Statement Date:   March 25, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

D-Link Systems, Inc.

Notified:  February 10, 2015 Updated:  March 20, 2015

Statement Date:   March 20, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc.

Notified:  February 10, 2015 Updated:  March 31, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation

Notified:  February 10, 2015 Updated:  March 09, 2015

Statement Date:   March 05, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ricoh Company Ltd.

Notified:  February 10, 2015 Updated:  May 15, 2015

Statement Date:   May 15, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Ricoh Company Ltd. has investigated all of its products, and there are no Ricoh products affected by this vulnerability. Also, none of its products uses Avahi.

Apple

Notified:  February 10, 2015 Updated:  February 10, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

    CentOS

    Notified:  February 10, 2015 Updated:  February 10, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor References

      Debian GNU/Linux

      Notified:  February 10, 2015 Updated:  February 10, 2015

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor References

        Dell Computer Corporation, Inc.

        Notified:  February 10, 2015 Updated:  February 10, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor References

          Fedora Project

          Notified:  February 10, 2015 Updated:  February 10, 2015

          Status

            Unknown

          Vendor Statement

          No statement is currently available from the vendor regarding this vulnerability.

          Vendor References

            Huawei Technologies

            Notified:  February 10, 2015 Updated:  February 10, 2015

            Status

              Unknown

            Vendor Statement

            No statement is currently available from the vendor regarding this vulnerability.

            Vendor References

              Netgear, Inc.

              Notified:  February 10, 2015 Updated:  February 10, 2015

              Status

                Unknown

              Vendor Statement

              No statement is currently available from the vendor regarding this vulnerability.

              Vendor References

                Red Hat, Inc.

                Notified:  February 27, 2015 Updated:  February 27, 2015

                Status

                  Unknown

                Vendor Statement

                No statement is currently available from the vendor regarding this vulnerability.

                Vendor References

                  Ubuntu

                  Notified:  February 10, 2015 Updated:  February 10, 2015

                  Status

                    Unknown

                  Vendor Statement

                  No statement is currently available from the vendor regarding this vulnerability.

                  Vendor References

                    Xerox

                    Notified:  February 10, 2015 Updated:  February 10, 2015

                    Status

                      Unknown

                    Vendor Statement

                    No statement is currently available from the vendor regarding this vulnerability.

                    Vendor References

                      ZyXEL

                      Notified:  February 10, 2015 Updated:  February 10, 2015

                      Status

                        Unknown

                      Vendor Statement

                      No statement is currently available from the vendor regarding this vulnerability.

                      Vendor References

                        View all 22 vendors View less vendors


                        CVSS Metrics

                        Group Score Vector
                        Base 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P
                        Temporal 5.2 E:POC/RL:W/RC:UR
                        Environmental 3.9 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

                        References

                        Acknowledgements

                        Thanks to Chad Seaman for reporting this vulnerability and assisting in coordination with vendors.

                        This document was written by Garret Wassermann.

                        Other Information

                        CVE IDs: None
                        Date Public: 2015-03-31
                        Date First Published: 2015-03-31
                        Date Last Updated: 2015-05-15 19:59 UTC
                        Document Revision: 75

                        Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.