Advisory Number: 201701
Assigned CVE: CVE-2017-6519
Affected software / systems: Avahi daemon, which is used in various popular Linux operating systems (and other open source operating systems). The vulnerability has been confirmed in the latest (as of Feb 22, 2017) CentOS 6, CentOS 7, Fedora 25, and Ubuntu 15.04.
Attack type: Remote
Impact:
- DDoS amplification attacks and other remote DoS attacks.
- Information disclosure
Description: Avahi through 0.6.32 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets.
According to IETF RFC 6762 section 5.5, "Since it is possible for a unicast query to be received from a machine outside the local link, responders SHOULD check that the source address in the query packet matches the local subnet for that link (or, in the case of IPv6, the source address has an on-link prefix) and silently ignore the packet if not."
Similar Vulnerabilities:
- CERT-VN:VU#550620
- CVE-2015-2809
- CVE-2017-6520
Mitigation: Block UDP port 5353 at the perimeter for both incoming and outgoing traffic.
Note: Red Hat developers do not consider it a bug (see https://bugzilla.redhat.com/show_bug.cgi?id=1426712).

Advisory Number: 201702
Assigned CVE: CVE-2017-6520
Affected Systems: Bose SoundTouch 30 Series III Music System (other systems of the same vendor may also be vulnerable).
Attack type: Remote
Impact:
- DDoS amplification attacks and other remote DoS attacks.
- Information disclosure
Description: The aforementioned systems inadvertently respond to IPv4 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets.
According to IETF RFC 6762 section 5.5, "Since it is possible for a unicast query to be received from a machine outside the local link, responders SHOULD check that the source address in the query packet matches the local subnet for that link (or, in the case of IPv6, the source address has an on-link prefix) and silently ignore the packet if not."
Similar Vulnerabilities:
- CERT-VN:VU#550620
- CVE-2015-2809
- CVE-2017-6519
Mitigation: Block UDP port 5353 at the perimeter for both incoming and outgoing traffic.
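
The source-address check that RFC 6762 section 5.5 asks of responders, and that both advisories above quote, is sketched here as an added C example; it is not Avahi's or any vendor's code. The `local_prefix` type, the function names and the sample prefixes (documentation ranges plus IPv6 link-local) are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Prefixes configured on the receiving interface (hypothetical type); the
 * table is constructed sample data: documentation prefixes plus link-local. */
struct local_prefix { int family; const char *network; unsigned prefix_len; };
static const struct local_prefix sample_iface[] = {
    { AF_INET,  "192.0.2.0",    25 },
    { AF_INET6, "2001:db8:1::", 64 },
    { AF_INET6, "fe80::",       64 },
};

/* Compare the first `bits` bits of two addresses in network byte order. */
static int prefix_equal(const uint8_t *a, const uint8_t *b, unsigned bits)
{
    unsigned full = bits / 8, rest = bits % 8;
    uint8_t mask = (uint8_t)(0xFF << (8 - rest)); /* 0 when rest == 0 */
    if (memcmp(a, b, full) != 0)
        return 0;
    return rest == 0 || ((a[full] ^ b[full]) & mask) == 0;
}

/* 1 if `src` is inside an interface prefix; 0 (ignore query) if off-link or unparsable. */
int source_is_on_link(const char *src, const struct local_prefix *p, size_t n)
{
    uint8_t s[16], net[16];
    int family = strchr(src, ':') ? AF_INET6 : AF_INET;
    if (inet_pton(family, src, s) != 1)
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i].family != family || p[i].prefix_len > (family == AF_INET6 ? 128u : 32u))
            continue;
        if (inet_pton(family, p[i].network, net) == 1 &&
            prefix_equal(s, net, p[i].prefix_len))
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *q[] = { "192.0.2.77", "198.51.100.7", "2001:db8:2::1" };
    for (int i = 0; i < 3; i++)
        printf("%s: %s\n", q[i], source_is_on_link(q[i], sample_iface, 3) ? "answer" : "drop");
    return 0;
}
```

A responder would call the check with the prefixes of the interface the query arrived on and drop the packet without replying when it returns 0.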