Red Hat Bugzilla – Bug 488314
CVE-2009-0758 avahi: remote DoS via legacy unicast mDNS queries
Last modified: 2012-11-29 10:14:23 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0758 to
the following vulnerability:
Reference: MLIST:[oss-security] 20090302 CVE id request: avahi
Reference: URL: http://www.openwall.com/lists/oss-security/2009/03/02/1
Reference: MISC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=517683
The originates_from_local_legacy_unicast_socket function in
avahi-core/server.c in avahi-daemon 0.6.23 does not account for the
network byte order of a port number when processing incoming multicast
packets, which allows remote attackers to cause a denial of service
(network bandwidth and CPU consumption) via a crafted legacy unicast
mDNS query packet that triggers a multicast packet storm.
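The byte-order mismatch described in the CVE text can be shown in isolation. The following is an added example, not code from Avahi or from the Debian patch. It assumes the check compares a host-order port against the `sin_port` field of the local socket's address; the function names and sample ports are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for what getsockname() reports for a bound UDP
 * socket: sin_port is always stored in network byte order. */
static struct sockaddr_in local_socket_addr(uint16_t host_port) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(host_port);
    return sa;
}

/* Flawed pattern: raw network-order field compared with a host-order port.
 * On little-endian hosts this only matches byte-symmetric ports. */
static int same_port_unconverted(const struct sockaddr_in *lsa, uint16_t port) {
    return lsa->sin_port == port;
}

/* Corrected pattern: convert to host order before comparing. */
static int same_port_converted(const struct sockaddr_in *lsa, uint16_t port) {
    return ntohs(lsa->sin_port) == port;
}

int main(void) {
    /* Constructed sample ports; 257 is 0x0101, identical in both byte orders,
     * so a test that used only such a port would not expose the flaw. */
    const uint16_t ports[] = { 5353, 49152, 257 };
    for (size_t i = 0; i < sizeof(ports) / sizeof(ports[0]); i++) {
        struct sockaddr_in lsa = local_socket_addr(ports[i]);
        printf("port %5u: unconverted=%d converted=%d\n", (unsigned)ports[i],
               same_port_unconverted(&lsa, ports[i]),
               same_port_converted(&lsa, ports[i]));
    }
    return 0;
}
```

On a big-endian host both functions agree, which is why this class of defect can pass testing on one architecture and fail on another.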
Created attachment 333906
patch from the Debian BTS that proposes a fix for this issue
This is really really low priority since the reflection feature is not enabled by default and has always been documented as being experimental and that it might crucify your network.
Not sure if this should really be considered a security issue at all. Of course, this should be fixed, but all this CVE bureaucracy is way over-the-top if you ask me. I'll apply a fix for this into the Avahi sources, but I am not really convinced that I should do a full new release just for this.
fix this in the upstream Avahi sources, that is.
Where is it noted as being experimental?
Looking at the avahi-daemon.conf manpage, the only warning about enabling the reflector is to make sure that you don't have multiple reflectors, and only the reflect-ipv keyword is noted as being not recommended.
I see it's not default, which is fine, but I'd like to know where it is indicated that enabling it is not recommended or where it's noted as being experimental.
If you feel that real-world use of the reflector functionality would be more or less non-existent, then I'd agree with dropping the severity and either dropping or deferring this issue.
Uh, indeed. I never actually mentioned that in the man pages. Sorry for the confusion. I guess I should fix that as well.
I am pretty sure though that I mentioned that a couple of times on the MLs and on IRC.
Anyway, I'd still say that this is a rather exotic feature not worth all the hubbub. The man page even says "it should work", so I guess you could read from that that I was not even sure it really was that reliable back when I wrote it.
Yes, this needs to be fixed, and yes I should have better documented that it is mostly an experimental feature.
Ok, thanks for that. What we will do then is defer this and fix it in any future update we have for avahi for RHEL5. When you fix this upstream (and roll a new version), updating Fedora to the new version may not be a bad idea, and getting it into rawhide would be great.
(In reply to comment #5)
> fix this in the upstream Avahi sources, that is.
Just for future reference - have you used the Debian patch in the upstream sources? The change is not yet visible at: http://avahi.org/browser/
No, I haven't fixed this upstream yet. Sorry. But from a first glance the Debian fix looks about right.
This is fixed upstream now:
This is corrected in upstream 0.6.25; Fedora 11 and 12 have this version and are fixed.
Re-open, waiting to get included in some future RHEL5 avahi update (see comment
committed and built for rhel 5.5.z and rhel 5.6 now.
nvr are as follows:
(In reply to comment #4)
> This is really really low priority since the reflection feature is not enabled
> by default and has always been documented as being experimental and that it
> might crucify your network.
For future reference - relevant avahi-daemon.conf option to enable / disable reflector is enable-reflector. Defaults to "no".
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2010:0528 https://rhn.redhat.com/errata/RHSA-2010-0528.html