Bug 488314 (CVE-2009-0758)

Summary: CVE-2009-0758 avahi: remote DoS via legacy unicast mDNS queries
Reporter: Vincent Danen <vdanen>
Product: [Other] Security Response
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: lpoetter, mbacovsk
Keywords: Reopened, Security
Hardware: All
OS: Linux
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0758
Doc Type: Bug Fix
Last Closed: 2012-11-29 15:14:23 UTC
Bug Depends On: 609318, 609319, 833873
Attachments: patch from the Debian BTS that proposes a fix for this issue

Description Vincent Danen 2009-03-03 18:11:52 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0758 to
the following vulnerability:

Name: CVE-2009-0758
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0758
Assigned: 20090303
Reference: MLIST:[oss-security] 20090302 CVE id request: avahi
Reference: URL: http://www.openwall.com/lists/oss-security/2009/03/02/1
Reference: MISC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=517683

The originates_from_local_legacy_unicast_socket function in
avahi-core/server.c in avahi-daemon 0.6.23 does not account for the
network byte order of a port number when processing incoming multicast
packets, which allows remote attackers to cause a denial of service
(network bandwidth and CPU consumption) via a crafted legacy unicast
mDNS query packet that triggers a multicast packet storm.
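
The byte-order mismatch the CVE text describes, shown as an added illustration that is not avahi's own code: a port read out of a `sockaddr_in` is in network byte order, so comparing it against a host-order port without `ntohs()` never matches on little-endian hosts, and a "does this packet come from my own socket" check silently fails. Function names and the port value are constructed for the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for what getsockname() reports for the daemon's own
 * legacy unicast socket. As with any sockaddr_in, sin_port is in network
 * byte order. (Example code, not avahi's.) */
struct sockaddr_in local_legacy_socket_addr(uint16_t host_port) {
    struct sockaddr_in lsa;
    memset(&lsa, 0, sizeof lsa);
    lsa.sin_family = AF_INET;
    lsa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    lsa.sin_port = htons(host_port);
    return lsa;
}

/* The defect class from the CVE text: the caller passes the packet's source
 * port in host order, but sin_port is compared without converting it. On a
 * little-endian host the daemon therefore never recognises traffic from its
 * own legacy unicast socket, so a reflector can loop that traffic back onto
 * the multicast group. */
int from_local_legacy_socket_buggy(const struct sockaddr_in *lsa, uint16_t src_port) {
    return lsa->sin_port == src_port;
}

/* Corrected check: bring both sides into host byte order before comparing. */
int from_local_legacy_socket_fixed(const struct sockaddr_in *lsa, uint16_t src_port) {
    return ntohs(lsa->sin_port) == src_port;
}

/* Byte-swapped view of a port, i.e. the value the buggy comparison actually
 * matches on a little-endian host. */
uint16_t swap16(uint16_t v) {
    return (uint16_t)((v >> 8) | (v << 8));
}

int main(void) {
    uint16_t port = 5353;  /* constructed: use the mDNS port as the local socket's port */
    struct sockaddr_in lsa = local_legacy_socket_addr(port);
    printf("own port %u: buggy=%d fixed=%d\n", (unsigned)port,
           from_local_legacy_socket_buggy(&lsa, port),
           from_local_legacy_socket_fixed(&lsa, port));
    printf("swapped port %u: buggy=%d fixed=%d\n", (unsigned)swap16(port),
           from_local_legacy_socket_buggy(&lsa, swap16(port)),
           from_local_legacy_socket_fixed(&lsa, swap16(port)));
    return 0;
}
```

On a little-endian host the buggy check reports 0 for the daemon's real port and 1 for the byte-swapped port, which is exactly the wrong way round; the fixed check is correct on either endianness.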

Comment 2 Vincent Danen 2009-03-03 18:17:09 UTC
Created attachment 333906 [details]
patch from the Debian BTS that proposes a fix for this issue

Comment 4 Lennart Poettering 2009-03-18 17:20:27 UTC
This is really really low priority since the reflection feature is not enabled by default and has always been documented as being experimental and that it might crucify your network.

Not sure if this should really be considered a security issue at all. Of course, this should be fixed, but all this CVE bureaucracy is way over-the-top if you ask me. I'll apply a fix for this into the Avahi sources, but I am not really convinced that I should do a full new release just for this.

Comment 5 Lennart Poettering 2009-03-18 17:20:50 UTC
fix this in the upstream Avahi sources, that is.

Comment 6 Vincent Danen 2009-03-18 17:33:33 UTC
Where is it noted as being experimental?

Looking at the avahi-daemon.conf manpage, the only warning about enabling the reflector is to make sure that you don't have multiple reflectors, and only the reflect-ipv keyword is noted as being not recommended.

I see it's not default, which is fine, but I'd like to know where it is indicated that enabling it is not recommended or where it's noted as being experimental.

If you feel that real-world use of the reflector functionality would be more or less non-existent, then I'd agree with dropping the severity and either dropping or deferring this issue.

Comment 7 Lennart Poettering 2009-03-18 17:44:58 UTC
Uh, indeed. I never actually mentioned that in the man pages. Sorry for the confusion. I guess I should fix that as well.

I am pretty sure though that I mentioned that a couple of times on the MLs and on IRC. 

Anyway, I'd still say that this is a rather exotic feature not worth all the hubbub. The man page even says is "it should work", so I guess you could read from that that I was not even sure it really was that reliable back when I wrote it.

Yes, this needs to be fixed, and yes I should have better documented that it is mostly an experimental feature.

Comment 8 Vincent Danen 2009-03-18 17:58:40 UTC
Ok, thanks for that.  What we will do then is defer this and fix it in any future update we have for avahi for RHEL5.  When you fix this upstream (and roll a new version), updating Fedora to the new version may not be a bad idea, and getting it into rawhide would be great.

Comment 9 Tomas Hoger 2009-03-19 08:26:22 UTC
(In reply to comment #5)
> fix this in the upstream Avahi sources, that is.  

Just for the future reference - have you used Debian patch in upstream sources?  The change is not yet visible at: http://avahi.org/browser/

Comment 10 Lennart Poettering 2009-03-19 11:08:38 UTC
No, I haven't fixed this upstream yet. Sorry. But from a first glance the Debian fix looks about right.

Comment 11 Lennart Poettering 2009-03-31 23:46:38 UTC
This is fixed upstream now:

http://git.0pointer.de/?p=avahi.git;a=commit;h=6fabf9d5189cf0efb86af1cd57e5399f8e31112a

Comment 12 Vincent Danen 2009-12-04 22:45:38 UTC
This is corrected in upstream 0.6.25; Fedora 11 and 12 have this version and are fixed.

Comment 13 Tomas Hoger 2010-06-25 07:15:41 UTC
Re-open, waiting to get included in some future RHEL5 avahi update (see comment #8).

Comment 15 Lennart Poettering 2010-06-30 01:25:22 UTC
Committed and built for rhel 5.5.z and rhel 5.6 now.

nvr are as follows:

rhel5.5.z: avahi-0.6.16-9.el5.5

rhel5.6: avahi-0.6.16-9.el5

Comment 17 Tomas Hoger 2010-07-12 15:58:08 UTC
(In reply to comment #4)
> This is really really low priority since the reflection feature is not enabled
> by default and has always been documented as being experimental and that it
> might crucify your network.

For future reference - relevant avahi-daemon.conf option to enable / disable reflector is enable-reflector.  Defaults to "no".

Comment 18 errata-xmlrpc 2010-07-13 17:49:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0528 https://rhn.redhat.com/errata/RHSA-2010-0528.html

Comment 19 Vincent Danen 2010-07-13 18:00:56 UTC
Statement:

(none)