Overview
mDNSResponder provides unicast and multicast mDNS services on UNIX-like operating systems such as OS X. mDNSResponder versions 379.27 and above, prior to version 625.41.2, contain several buffer overflow vulnerabilities, as well as a null pointer dereference.
Description
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2015-7987
Improper bounds checking in "GetValueForIPv4Addr()", "GetValueForMACAddr()", "rfc3110_import()", and "CopyNSEC3ResourceRecord()" functions may allow an attacker to read or write memory.
Impact
A remote attacker may be able to execute arbitrary code or cause a denial of service on the system running mDNSResponder.
Solution
Apply an update
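To find the hosts that need the update, an inventory of installed mDNSResponder versions can be checked against the affected range given in the Overview. The following is an added example, not part of the original advisory or of mDNSResponder; it assumes version strings are dotted integers compared component by component, and the host names and versions in `SAMPLE` are constructed.

```python
import re

# Range stated in the Overview: 379.27 <= version < 625.41.2
FIRST_AFFECTED = (379, 27)
FIRST_FIXED = (625, 41, 2)


def parse_version(text):
    """Parse a dotted version such as '625.41.2' into a tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    # Drop trailing zeros so '576.0' and '576' compare equal.
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def classify(text):
    """Return 'affected', 'outside-range' or 'unparsed' for one version."""
    try:
        version = parse_version(text)
    except ValueError:
        return "unparsed"  # needs manual review, never silently cleared
    # Tuple comparison is numeric per component, so 379.3 sorts below
    # 379.27 and 625.41 sorts below 625.41.2; string comparison gets
    # both of those cases wrong.
    if FIRST_AFFECTED <= version < FIRST_FIXED:
        return "affected"
    return "outside-range"


def triage(inventory):
    """Map each host in {host: version_string} to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed inventory for illustration only.
SAMPLE = {
    "host-a": "379.27",         # first affected version
    "host-b": "379.3",          # below the range (3 < 27)
    "host-c": "576.30.4",       # inside the range
    "host-d": "625.41",         # still below the fixed 625.41.2
    "host-e": "625.41.2",       # fixed version
    "host-f": "625.41.2-beta",  # unexpected format
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE).items()):
        print(f"{host}: {SAMPLE[host]} -> {verdict}")
```

Versions reported as `unparsed` should be reviewed by hand, and `outside-range` only means the version falls outside the range this note states.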
Vendor Information
Android Open Source Project Affected
Notified: November 03, 2015 Updated: January 27, 2016
Statement Date: January 27, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Android is affected by CVE-2015-7988; fix targeted for next major build of Android (Android N).
Apple Affected
Notified: October 16, 2015 Updated: October 23, 2015
Statement Date: October 16, 2015
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Arista Networks, Inc. Not Affected
Notified: January 22, 2016 Updated: February 15, 2016
Statement Date: February 12, 2016
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CoreOS Not Affected
Notified: January 22, 2016 Updated: January 25, 2016
Statement Date: January 23, 2016
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Debian GNU/Linux Not Affected
Notified: October 23, 2015 Updated: October 23, 2015
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Fedora Project Not Affected
Notified: October 23, 2015 Updated: January 22, 2016
Statement Date: January 22, 2016
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Infoblox Not Affected
Notified: January 22, 2016 Updated: January 25, 2016
Statement Date: January 22, 2016
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Intel Corporation Not Affected
Notified: January 22, 2016 Updated: January 25, 2016
Statement Date: January 25, 2016
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Red Hat, Inc. Not Affected
Notified: October 23, 2015 Updated: January 22, 2016
Statement Date: January 22, 2016
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
ACCESS Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
AT&T Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Alcatel-Lucent Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Arch Linux Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Aruba Networks Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Avaya, Inc. Unknown
Notified: January 22, 2016 Updated: January 22, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Belkin, Inc. Unknown
Notified: January 22, 2016 Updated: January 22, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Blue Coat Systems Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CA Technologies Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CentOS Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Check Point Software Technologies Unknown
Notified: January 22, 2016 Updated: January 22, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Cisco Unknown
Notified: January 22, 2016 Updated: January 22, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
D-Link Systems, Inc. Unknown
Notified: January 22, 2016 Updated: January 22, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
DesktopBSD Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
DragonFly BSD Project Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
EMC Corporation Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
EfficientIP SAS Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Enterasys Networks Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Ericsson Unknown
Notified: January 22, 2016 Updated: January 22, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Extreme Networks Unknown
Notified: January 22, 2016 Updated: January 22, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
F5 Networks, Inc. Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Force10 Networks Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
FreeBSD Project Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Gentoo Linux Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Google Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hardened BSD Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hewlett-Packard Company Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hitachi Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Huawei Technologies Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
IBM Corporation Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
IBM eServer Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Internet Systems Consortium Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Internet Systems Consortium - DHCP Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Juniper Networks Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Lenovo Unknown
Notified: June 15, 2016 Updated: June 15, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Mandriva S. A. Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
McAfee Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Microsoft Corporation Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NEC Corporation Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NetBSD Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Nokia Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Nominum Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
OmniTI Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
OpenBSD Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
OpenDNS Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Openwall GNU/*/Linux Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Oracle Corporation Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
PC-BSD Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Peplink Unknown
Notified: January 22, 2016 Updated: January 22, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Q1 Labs Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
QNX Software Systems Inc. Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SUSE Linux Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SafeNet Unknown
Notified: January 22, 2016 Updated: January 22, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Secure64 Software Corporation Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Slackware Linux Inc. Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SmoothWall Unknown
Notified: January 22, 2016 Updated: January 22, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Snort Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Sony Corporation Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Sourcefire Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Symantec Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
TippingPoint Technologies Inc. Unknown
Notified: March 25, 2016 Updated: March 25, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Turbolinux Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Ubuntu Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Unisys Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
VMware Unknown
Notified: January 22, 2016 Updated: January 22, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Wind River Unknown
Notified: January 22, 2016 Updated: January 22, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
ZyXEL Unknown
Notified: January 22, 2016 Updated: January 22, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
dnsmasq Unknown
Notified: March 22, 2016 Updated: March 21, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
m0n0wall Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
openSUSE project Unknown
Notified: October 23, 2015 Updated: October 23, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CVSS Metrics
| Group | Score | Vector | 
|---|---|---|
| Base | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P | 
| Temporal | 5.3 | E:POC/RL:OF/RC:C | 
| Environmental | 4.0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND | 
Acknowledgements
Thanks to Apple for reporting this issue to us and working with us to coordinate the fix with vendors.
This document was written by Garret Wassermann.
Other Information
| CVE IDs: | CVE-2015-7987, CVE-2015-7988 | 
| Date Public: | 2016-06-20 | 
| Date First Published: | 2016-06-20 | 
| Date Last Updated: | 2016-06-20 23:38 UTC | 
| Document Revision: | 83 |